Wassenaar Arrangement: When small words have the power to shatter security

Katie Moussouris explains why a battle over wording could break the Internet's ability to defend itself.
Written by Charlie Osborne, Contributing Writer

ST. MAARTEN: The Wassenaar Arrangement must be renegotiated or the weapons control regulations will "break the Internet's ability to protect itself," a security expert has claimed.

The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is an agreement between 41 countries which generally hold similar views on human rights.

Encompassing countries such as the United States, United Kingdom, Japan, and Russia, the Wassenaar Arrangement is not a legally binding construct, but rather one that encourages and expects similar export controls on weaponry, including banning certain products outright and requiring licenses for others.

The agreement's original intentions are ones you could consider "noble," according to Katie Moussouris, CEO of Luta Security.

However, speaking at the Kaspersky Security Summit in St. Maarten, the bug bounty expert said that more work needs to be done to protect the security industry from faulty regulations that could destroy the vulnerability disclosure sector.

Constructed with oppressive regimes in mind, the Wassenaar Arrangement was meant to protect citizens from having their human rights abused. However, in 2013, the legislation was amended to include "intrusion software," and at that moment, ripples spread through the cybersecurity community.

While well-intentioned, the broad language of the agreement not only included offensive digital weaponry which could be used to intrude upon the privacy of citizens but also encompassed offensive cybersecurity offerings which are not as clear-cut in their usage.

While certain kinds of software can be considered offensive or intrusive -- such as surveillance software, malware, and network intrusion systems -- and are found in black-hat toolkits, they can also be considered dual-purpose and are key tools for white-hat penetration testers.

At Black Hat USA last year, in an interview with Dark Reading, Moussouris called the agreement a "dragnet" which sweeps in software used for legitimate purposes, as well as offensive software which can be used for illegal purposes.

"[The Wassenaar Arrangement] impedes defense by regulating the wrong parts of offense," Moussouris said. "The existing language would break vulnerability disclosure and hamstring cyber incident response."

The agreement is described as a way of "promoting transparency and greater responsibility" for the sale and trade of weaponry worldwide. However, once "intrusion software" was added to the mix, problems with the vague wording of the agreement began to emerge.

Bug bounties are one such area affected by the arrangement. Under the current proposals, software which bypasses defenses and exploits, if not public, would be controlled under the legislation. This, in turn, could affect whether US researchers can legally share information pertaining to bug bounties across country borders, and whether doing so would require expensive export licenses.

In addition, US-based arms of cybersecurity companies may not be able to communicate fully with colleagues in other countries under the current, broad terms of the agreement.

If there are foreign nationals employed by a US company or a business wants to bring in experts from another country to analyze a breach or malware sample, then the company would be obligated to file for licenses to export "offensive" software or knowledge, despite uses in defense.

This, in turn, is likely to ramp up costs and dull the competitive edge of US cybersecurity firms.

After consulting with experts including Moussouris and Iain Mulholland, CTO of security at VMware -- as well as receiving a large volume of public comments -- the US decided in May 2015 to issue a second proposed draft of the arrangement.

However, from this point to December 2016, a number of countries and regulators got cold feet over some of the changes in wording that had already been renegotiated, and the abrupt changes in the US government due to the election results also spread a wave of uncertainty surrounding the Wassenaar Arrangement as a whole.

There was a spark of hope. On February 10, 2017, US Representative Jim Langevin sent a letter to General Michael Flynn, the first national security advisor appointed by President Donald Trump, urging continued renegotiation of the agreement's wording. However, only three days later, Flynn resigned.

The new advisor, Lt. Gen. H. R. McMaster, however, has also accepted the need for renegotiation.

In Vienna, Austria, talks are currently underway to thrash out the wording of the arrangement, which would potentially protect security researchers and vulnerability disclosure as an industry from licensing troubles or potential prosecution.

"I am anxiously awaiting the state representatives and other Wassenaar delegation members' [verdict] on this," Moussouris said. "I can't tell you whether the seriousness of this has permeated the other delegations, or they understand the risk involved in breaking the Internet's ability to protect itself."

"However, they want to know what the impact would be and they want to make good regulations," the security expert added.

If the meetings currently underway do not accept all the wording changes required to protect the security industry, then Moussouris and Wassenaar delegation members will have to meet again over the next year to renegotiate the wording of the arrangement once more.

As the Wassenaar Arrangement's changes are yet to be set in stone and Trump's administration is now firmly in office, it will be the new government's decision on how to proceed -- but the security industry will likely watch closely to see the fate of the "intrusion software" clause.

Disclosure: The trip to St. Maarten was sponsored by Kaspersky.
