US-Backed Effort to Ease Software Export Limits Fails
Wassenaar Arrangement Seen as Restricting Threat Information Sharing
The Obama administration has failed to reach agreement with 40 other nations on modifying a non-binding export control agreement that it says could hurt cybersecurity.
Three years ago, the Wassenaar Arrangement, an international arms control pact, placed restrictions on the exports of certain intrusion software tools, sometimes called "spyware," that potentially could be exploited by repressive regimes - but also could be used to help secure computer systems.
To modify the agreement, the participating nations must unanimously approve any changes. Delegates to a Wassenaar Arrangement meeting earlier this month in Vienna could not reach a unanimous decision on the U.S. proposal to ease the export restrictions.
The Wassenaar Arrangement defines intrusion software as software specially designed or modified to avoid detection by monitoring tools or to defeat the protective countermeasures of a computer or network-capable device. The 2013 control language does not list intrusion software itself; it covers the systems, software and technology used to develop, generate, operate or deliver it, which is why critics say it reaches development and research tooling rather than only finished spyware.
Rep. Jim Langevin, the Rhode Island Democrat who co-chairs the Congressional Cybersecurity Caucus, said the failure to adopt the agreement modification "could harm our nation's cybersecurity by making it more difficult to quickly share defensive tools and close vulnerabilities."
Harley Geiger, director of public policy at the security research firm Rapid7, said in a statement: "Although the ultimate goal of this [export] control is a noble one, without further edits, this control can impede work needed to advance cybersecurity and protect technology users around the world."
More Precise Language Sought
U.S. officials had wanted more precise language to control the spread of such hacking tools without the unintended negative consequences for national cybersecurity and research that industry groups and lawmakers have complained about for months, according to an Associated Press report. Critics have argued that the current language, while well meaning, broadly sweeps up research tools and technologies used to create or otherwise support hacking and surveillance software, the AP reports.
The agreement did not take the subtleties of cybersecurity into account, and some of its restrictions could prevent the sharing of cyber research and information about threats, The Hill reports.
Jonathan Nichols, an independent information operations and cyberwarfare analyst, said the failure to modify the international agreement "may have a continuing, detrimental effect on the cybersecurity capabilities of rule-following member states."
Next Step Is Up to Trump
Katie Moussouris, a member of the American delegation to the Vienna meeting, characterized the inaction on the agreement modification as a "bummer" in a tweet. "Let's hope the next administration supports us continuing the efforts," Moussouris, CEO and founder of the security advisory firm Luta Security, said.
"Requiring precise rewording of tech & policy, multilingually & multilaterally, it should be no surprise #Wassenaar consensus takes >1 year" - Katie Moussouris (@k8em0), December 19, 2016
Noting that the aim of the U.S. effort to modify the arrangement was to ease the sharing of research information (export restrictions could limit cross-border communications about the specified technologies), Moussouris said in an interview with the Associated Press: "If anybody understands how quickly you need to respond to a fire, this would essentially impede the internet's firefighters if it was left in place."
Moussouris told the AP that delegates to the meeting agreed to tighten language to specify that the restrictions on exports should apply to attacker code used to command and control malware, not regular computer defense tools. But Langevin called those changes insufficient. "The small changes clarifying the role of command-and-control functionality that were made at the annual meeting, while needed, are simply insufficient to address the broader flaws in the language," he said.
Change of Heart
In May 2015, the Commerce Department's Bureau of Industry and Security posted in the Federal Register a request for comments on proposed rules to implement the 2013 agreement. That led to the computer industry pushing to get the U.S. government to halt the rulemaking and work instead to ease the restrictions of the Wassenaar Arrangement.
"Lots of people commented negatively because they thought the restrictions could impact their [legitimate] sales and activities," Purdue University Computer Science Professor Eugene Spafford, who blogged about the Wassenaar Arrangement at the time, told Information Security Media Group this week. Those arguments, Spafford said, led the government to drop the rulemaking and instead try to convince its Wassenaar Arrangement partners to modify its restrictions.
The next Wassenaar Arrangement meeting will be held in December 2017. It will be up to the Trump administration to decide whether to pursue changes in the agreement regarding export controls on the intrusion software.