Introduction: The Wassenaar Arrangement has been established in order to contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilising accumulations. Cybersecurity and the Wassenaar Arrangement: what needs. The international fight against spyware needs a level. Software specially designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures, of a computer or network-capable device, and performing any of the. Google, security firms warn about impact of Wassenaar. Changes to export control arrangement apply to computer.
While well-intentioned, the Wassenaar Arrangement's intrusion software control was imprecisely drafted, and it has become evident. Why an arms control pact has security experts up in arms, Wired. Participating states seek, through their national policies, to. Unsuccessful in renegotiating Wassenaar international. Jul 28, 2015: The expansion at the end of 20 included definitions for intrusion software and IP network surveillance systems.
The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a multilateral export control regime (MECR) with 42 participating states, including many former Comecon (Warsaw Pact) countries. The Wassenaar Arrangement was established to contribute to regional and international security and stability by promoting transparency and greater responsibility. WA: the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. The provision would cover the software toolkits that companies sell to law enforcement and intelligence agencies to carry out intrusive surveillance; see, for example, Hacking Team's. Microsoft's comments on the proposed rule under the. How the Wassenaar Arrangement threatens responsible. Department of Commerce announced a proposal for an implementation of the amendments that were made in 20 to the international Wassenaar Arrangement on conventional weapons and related technologies that may be used for military purposes. Tech companies said that move had the unintended consequence of. The Wassenaar Arrangement cyber weapons proposal will. Vupen, a leading zero-day exploit firm and known supplier of exploits to the NSA, announced on its website that, in response to the Wassenaar Arrangement changes, it would restrict exploit sales, supplying only approved government agencies in approved countries. These items were added to the Wassenaar Arrangement's control list of dual-use technologies: technologies that can be used maliciously or for legitimate purposes. New changes to Wassenaar Arrangement export controls will.
Intrusion software now export-controlled as dual-use under. The Wassenaar Arrangement changes are already having an impact on companies. US to renegotiate rules on exporting intrusion software. Bureau of Industry and Security first set out to write regulations for implementing the Wassenaar intrusion software rules, it opened. The Wassenaar Arrangement has 41 signatory countries. The aim is also to prevent the acquisition of these items by terrorists.
This paper acknowledges that the Wassenaar Arrangement's intrusion software clauses are intended to protect the activists and dissidents whose lives are endangered by government surveillance. May 09, 2016: After an interagency effort to draft the U. The international rules that have the security world on alert. Unless the Wassenaar Arrangement's approach to controlling intrusion software and associated research, development, and information sharing are addressed, multinational companies with cybersecurity teams spread across multiple countries that are members of the Wassenaar Arrangement will find themselves unable to test their own networks. In the current item list, intrusion software is clari. Obama administration to renegotiate rules for intrusion. The proposal addressed a new type of cyber weapons known as intrusion software. The fuzzy analytical meaning of intrusion software during the 2010s Wassenaar debate, inferred from the Department of Commerce (2015) and the Wassenaar Arrangement (2018). For summarizing the key observations and ambiguities, an analytical conceptual model is presented in fig. The international rules that have the security world on.
At the time, there was some analysis by law firms, legal. Wassenaar Arrangement decides to make India its member the. Hacking Team had its Wassenaar license to export intrusion software outside Europe revoked by its government in 2015. May 22, 2015: The international rules that have the security world on alert. Its members are among the world's most innovative companies. While well-intentioned, the Wassenaar Arrangement's intrusion software control was imprecisely drafted, and it has become evident that there is simply no way to interpret the plain. Specifically, the revisions added intrusion software and IP network communications surveillance systems to the list of controlled technologies.
The Wassenaar meeting was intended to create a post-Cold War. Human rights advocates have recognized that surveillance software designed and sold by companies in Western countries has been responsible for serious abuses around the world. The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a multilateral export control regime (MECR) with 42 participating states, including many former Comecon (Warsaw Pact) countries. The Wassenaar Arrangement was established to contribute to regional and international security and stability by promoting transparency and. Hacking Team series: the Wassenaar Arrangement, ENISA. In 20, the Wassenaar Arrangement added a new category pertaining to intrusion software that could potentially be used as monitoring tools, or to thwart protective countermeasures. Mar 02, 2016: While well-intentioned, the Wassenaar Arrangement's intrusion software control was imprecisely drafted, and it has become evident that there is simply no way to interpret the plain. In May 1996 41 countries came to Wassenaar, a small town in the Netherlands, to sign what was to be called the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. Members of the Wassenaar Arrangement have agreed to control a wide range of goods, software, and information, including technologies relating to intrusion software as they've defined that term. Revisions to Wassenaar cyber export-control agreement gain. Jul 24, 2015: By Cristin Goodwin, Senior Attorney, Microsoft. May 28, 2015: The Wassenaar Arrangement includes controls for technology connected to intrusion software. Cyber industry assails anti-hacking regulations, The Hill. Wassenaar Arrangement recommendations for cybersecurity.
At the end of 20, changes were made to the Wassenaar Arrangement (WA) on the export control for conventional arms and dual-use of goods and technologies including references to zero days, computer exploits and other software categories e.
Jan 16, 2018: In December, new export control rules for computer network intrusion software were published by the Wassenaar Arrangement, an international body that governs trade in goods with military and. At issue is the so-called Wassenaar Arrangement for restricting access to conventional arms and dual-use goods, which was expanded several years ago to include intrusion software. Today I participated in the Center for Strategic and International Studies (CSIS) discussion on Decoding the BIS Proposed Rule for Intrusion Software Platforms and the important topic of the Department of Commerce's proposed rule on intrusion software under the Wassenaar Arrangement. Washington, DC, April 7, 2017: The Coalition for Responsible Cybersecurity, together with BSA The Software Alliance, applauds the efforts of the U. What the Wassenaar Arrangement means for cybersecurity pros. Arrangement's export control of intrusion software affects industry. On July 5, 2015, a 400 GB document dump of files from Hacking Team, including emails and. However, once intrusion software was added to the mix, problems with.
Microsoft's comments on the proposed rule under the Wassenaar. State Department will try to fix Wassenaar Arrangement. The Wassenaar Arrangement is a 41-country, voluntary export control agreement. In 2012 and 20 members of the Wassenaar Arrangement added.
Wassenaar Arrangement changes in multifaceted digital. Of note, Italy is a signatory to the Wassenaar Arrangement. Jul 20, 2015: Members of the Wassenaar Arrangement have agreed to control a wide range of goods, software, and information, including technologies relating to intrusion software as they've defined that term. The Wassenaar Arrangement, BSA The Software Alliance. In 20, the Wassenaar Arrangement, a 41-country international forum that seeks consensus among its members on dual-use export controls, adopted new controls on intrusion software and carrier-class network surveillance tools. Jul 21, 2016: The Wassenaar Arrangement has 41 signatory countries. Cybersecurity industry remains concerned over Wassenaar. The purpose of this post is to help answer questions about the Wassenaar Arrangement. The voluntary agreement among the 41 participating. Blue Coat technology has been sold to authorities in Syria, for example, while Italy's Hacking Team exported its intrusion software to countries including Ethiopia and Sudan.
Dec 21, 2016: "I am deeply disappointed that Wassenaar member states declined to make needed updates to the intrusion software controls, particularly those related to technologies necessary for their development," said Congressman Jim Langevin in a statement issued Monday. The inclusion of intrusion software on the Wassenaar control list was done with good intentions. Bureau of Industry and Security (BIS) enforcement of an international arms agreement called the Wassenaar Arrangement. But rather than control intrusion software itself, the arrangement put export controls. Guest blog by James Gannon, Director and Principal of Cyber Invasion, Ltd. Wassenaar Arrangement admits India: what is Wassenaar. Many of you may have heard about the recent debate regarding the U. The Wassenaar Arrangement, which is implemented in the United States via the EAR, was modified in 20 to include controls for certain cybersecurity-related technologies. The background relates to the amending of the international Wassenaar Arrangement with offensive cyber security technologies known as intrusion software.
Department of Commerce's proposed rule to implement the Wassenaar Arrangement 20 plenary agreement on intrusion and surveillance software, RIN 0694-AG49. Corp expert who has researched the intrusion software market. As a result of the 20 addition, the Wassenaar Arrangement requires restrictions on exports for technology, software, and systems that develop or operate intrusion software. Bob Rarog, Bureau of Industry and Security, Department of Commerce, for ISPAB keywords.
Jul 07, 2015: Of note, Italy is a signatory to the Wassenaar Arrangement. On July 5, 2015, a 400 GB document dump of files from Hacking Team, including emails and financial data, was shared on BitTorrent. The Hacking Team data leak shed light on the business of zero-days and intrusion software, notably in countries such as Ethiopia, Sudan, Russia or Kazakhstan. Coalition for Responsible Cybersecurity, BSA The Software. The change would apply Wassenaar Arrangement controls to software and tools commonly used by security researchers and penetration testers.
A student from the University of Northumbria in the UK said he was unable to publish exploits developed as part of his dissertation on bypassing Microsoft EMET 5. Mar 18, 2016: As a result of the 20 addition, the Wassenaar Arrangement requires restrictions on exports for technology, software, and systems that develop or operate intrusion software. The Wassenaar Arrangement helps member countries create common definitions of goods and technologies that can be used for both peaceful and military purposes. Dec 22, 2016: The United States was unable to renegotiate portions of the Wassenaar Arrangement's export controls for intrusion software at the plenary meeting held from Dec. In numerous press declarations, the Hacking Team CEO argues that his company respects international law, and notably the Wassenaar Arrangement, triggering numerous debates on. Wassenaar Arrangement decides to make India its member. Member states voted to begin controlling cybersecurity tools in December 20, starting with intrusion software. You can find the US proposal for implementing the arrangement here, and an accompanying FAQ from the Bureau of Industry and Security (BIS) here.
The international fight against spyware needs a level playing. The European Union adopted the rules covering intrusion software in October 2014 and the Wassenaar Arrangement indeed appears to have a negative impact on security research. Background on Indian admittance to the Wassenaar Arrangement: WA in December 20 amended its export control clauses to deny non-member states many new technologies, including intrusion software, to avoid misuse by authoritarian and dictatorial regimes, hurting India, which aimed to strengthen domestic surveillance after the 2008 Mumbai attacks. But rather than control intrusion software itself, the arrangement put export controls on software, systems or equipment that interacted with intrusion software. Cybersecurity and the Wassenaar Arrangement: what needs to. Pardon the intrusion: cybersecurity worries scuttle.
Wassenaar Arrangement inhibits international cyber. This paper acknowledges that the Wassenaar Arrangement's intrusion software clauses are intended to protect the activists and dissidents whose lives are endangered b. At the time, there was some analysis by law firms, legal scholars, think tanks, independent bloggers, and a few technology companies about the potential impact. The Wassenaar Arrangement on Export Controls for Conventional Arms. The Wassenaar Arrangement was established to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations. Mar 29, 2016: In 20, the Wassenaar Arrangement added a new category pertaining to intrusion software that could potentially be used as monitoring tools, or to thwart protective countermeasures. In 20, intrusion software controls were added to the Wassenaar Arrangement's list of dual-use technologies that members must subject to export controls. For Rapid7's take on Wassenaar, and information on the comments we intend to submit to BIS, please read this companion piece. What the Wassenaar Arrangement means for cybersecurity. The Wassenaar Arrangement cyber weapons proposal will benefit. The Wassenaar Arrangement is a 41-country international export control agreement. The United States was unable to renegotiate portions of the Wassenaar Arrangement's export controls for intrusion software at the plenary meeting held from Dec. In December, new export control rules for computer network intrusion software were published by the Wassenaar Arrangement, an international body that governs trade in goods with military and.
Head to Las Vegas next month to see how the Wassenaar Arrangement's export control of intrusion software affects the security industry, just added to the Black Hat schedule. In numerous press declarations, the Hacking Team CEO argues that his company respects international law, and notably the Wassenaar Arrangement, triggering numerous debates on the topic. News releases: major business and tech groups call on. Wassenaar Arrangement inhibits international cybersecurity. We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community. Penetration testers are hackers companies hire to find. The relevant sections in the list of dual-use goods and technologies covering intrusion software are 4. When small words have the power to shatter security. For Rapid7's take on Wassenaar, and information on the comments we. "I am deeply disappointed that Wassenaar member states declined to make needed updates to the intrusion software controls, particularly those related to technologies necessary for their development," said Congressman Jim Langevin in a statement issued Monday.