
A tiny change to this obscure arms dealing agreement could kill the cyber security industry

The EFF and Google think the Wassenaar Arrangement changes are too vague and will stop international collaboration when fighting cyber threats. REUTERS/Shaun Bes

Proposed legislation that would add fresh controls to the export of security research and technologies has caused widespread concern that the US government is about to kill the cyber security industry.


What is the Wassenaar arrangement?

The legislation in question relates to an obscure international agreement called the Wassenaar Arrangement.

The arrangement is a piece of legislation originally designed to control the export and import of physical weapons and technologies that have potential military applications, referred to in the arrangement as "dual-use technologies."

Cooley LLP partner Kevin M. King explained to Business Insider that, in its current form, the arrangement is intended to protect the financial interests of participating members and to ensure rogue states do not develop advanced military capabilities.

“The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a voluntary, multilateral export control regime whose member states exchange information on transfers of conventional weapons,” he explained.


“Wassenaar establishes lists of items for which member countries are to apply export controls. Member governments implement these controls to ensure that transfers of the controlled items do not contribute to the development or enhancement of military capabilities that undermine the goals of the Arrangement.”

There are 40 countries participating in the arrangement, in addition to the United States.

The proposed change

The US Commerce Department’s Bureau of Industry and Security (BIS) proposed changes to the arrangement on May 20.

The change would apply Wassenaar Arrangement controls to software and tools commonly used by security researchers and penetration testers. Penetration testers are hackers that companies hire to find vulnerabilities in their networks and products.

The controls mean that companies operating in the US would require a specific license to export their security technologies, or information on newly discovered vulnerabilities, to anywhere other than Canada.


This would mean that, if the proposed changes are approved, a US security researcher with information on a vulnerability in a European company's technology would need a license before they could alert the firm.

Why they want to do this

The proposed change is designed to stop human rights abuses and to ensure that dissident groups, or internationally blacklisted states, cannot be sold surveillance software or cyber attack tools by companies operating in the US.

Concerns around private groups' and rogue nations' use of Western surveillance tools spiked in June during the Hacking Team leaks.

Hacking Team is a surveillance software provider that sells spy tools to numerous law enforcement agencies, including the US Federal Bureau of Investigation (FBI) and the UK National Crime Agency (NCA).


It fell into infamy when hackers published 400GB of data, allegedly stolen from Hacking Team's internal systems, online. The data suggested Hacking Team had sold its surveillance products to countries that international organisations, including the United Nations, NATO, the European Parliament, and the US, have blacklisted.

Hacking Team has consistently denied any wrongdoing, claiming the sales in question happened before the countries were blacklisted.

Why everyone is up in arms

While the legislation is intended to stop human rights abuses, it has caused concern within the security community, with many, including the Electronic Frontier Foundation (EFF), which initially supported stronger export controls, feeling the changes are too vague.

"EFF has long advocated for greater vigilance over the potential sale of specially-developed surveillance tools to oppressive regimes that use technology to commit human rights abuses," explained the EFF in a public statement.


"But when we saw the proposal [...] we saw that the BIS had drafted a vague, overbroad, and contradictory set of rules that have the potential to chill legitimate research into security vulnerabilities that will keep data and devices secure from attacks."

The EFF is not alone in this belief. Google vulnerability research export compliance counsel Neil Martin and Chrome Security Team hacker philanthropist Tim Willis similarly called the proposed legislation "dangerously vague" in a blog post.

“Rules are dangerously broad and vague. The proposed rules are not feasible and would require Google to request thousands - maybe even tens of thousands - of export licenses,” read the post.

“Clarity is crucial. We acknowledge that we have a team of lawyers here to help us out, but navigating these controls shouldn’t be that complex and confusing. If BIS is going to implement the proposed controls, we recommend providing a simple, visual flowchart for everyone to easily understand when they need a license.”


Google is also concerned that the legislation would hamper researchers' ability to share information and delay the discovery of new software vulnerabilities, a development that would leave ordinary web users more exposed to attack by hackers.

The firm highlighted the infamous Heartbleed and Poodle security flaws as proof of its claim.

“It’s through diligent research that we uncover and fix bugs — like Heartbleed and Poodle — that can cause serious security issues for web users around the world,” read Google’s statement.

"If we have information about intrusion software, we should be able to share that with our engineers, no matter where they physically sit."


Heartbleed is a dangerous flaw in OpenSSL that was uncovered in April 2014. OpenSSL is an implementation of the SSL/TLS security protocols used by open source web servers such as Apache and Nginx, which host around 66 percent of all the world's sites.

Before it was fixed by the OpenSSL Project in 2014, it could be exploited by hackers to steal data, even if it was encrypted, from sites and services using OpenSSL.

Poodle is a separate bug in the Secure Sockets Layer (SSL) technology used to secure key services including Apple OS X and Microsoft Outlook. Google uncovered the Poodle flaw in October 2014.

Far from over

There are many other companies and security experts criticising the proposed Wassenaar Arrangement changes.


Katie Moussouris, the chief policy officer for HackerOne, an initiative designed to help coordinate security researchers' efforts, publicly criticised the changes in an article on Wired.

A group of security companies formed a "Coalition for Responsible Cybersecurity" focused on stopping the Wassenaar Arrangement changes from becoming official on 14 July.

Business Insider has reached out to BIS for comment on the security community's criticisms.

On February 28, Axel Springer, Business Insider's parent company, joined 31 other media groups and filed a $2.3 billion suit against Google in Dutch court, alleging losses suffered due to the company's advertising practices.
