Constructed with oppressive regimes in mind, the Wassenaar Arrangement was meant to protect citizens from having their human rights abused. Guest blog by James Gannon, director and principal of Cyber Invasion, Ltd. State Department will try to fix Wassenaar Arrangement. Regular readers of this blog will likely be familiar with the Wassenaar Arrangement, a 41-nation agreement intended to regulate the export of certain dual-use technologies, such as. However, in 20, the legislation was amended to include intrusion software, and at this moment, ripples spread through the cybersecurity community. Federal Register: Wassenaar Arrangement 2016 plenary.
On May 20, 2015, the Department of Commerce, Bureau of Industry and Security (BIS), proposed a rule to implement the new dual-use controls. And while having these controls in place may not explicitly stop the export each time, these changes holds. Jul 24, 2015: For the past two months, the Department of Commerce's Bureau of Industry and Security (BIS) has been running a public consultation to solicit feedback on its proposal for implementing export controls for intrusion software under the Wassenaar Arrangement. Changes to export control arrangement apply to computer. The Wassenaar Agreement was an agreement reached in 1982 between employers' organisations and labour unions in the Netherlands to restrain wage growth in return for the adoption of policies to combat unemployment and inflation, such as reductions in working hours and the expansion of part-time employment.
Aug 26, 2016: What Michael Ossmann urges, however, is to remove software from the scope of the Wassenaar Arrangement at the annual meeting of Wassenaar Arrangement members in December 2015. Recognizing that the Wassenaar Arrangement changes eliminated the need for certain subcategories and created a need for other, new subcategories, there are. US Department of Commerce proposes licensing requirements. The Wassenaar Arrangement: GNU Project, Free Software. Of note, Italy is a signatory to the Wassenaar Arrangement. The Wassenaar Arrangement's first foray into cybersecurity export controls has created a multitude of unintended consequences and implementation challenges. The Wassenaar Arrangement's attempt to wrestle a mostly ethereal problem into a regulatable problem was, for the most part, handled well. The goals of the Wassenaar Arrangement (WA) are constructive, and our. The Wassenaar Arrangement is one of several non-proliferation arrangements India has sought to enter, and it is therefore pertinent to analyse the implications of the 20 amendment regulating the export of intrusion software and IP surveillance networks. Understanding the Wassenaar Arrangement controversy. FAQs related to public feedback on a May 2015 BIS proposed rule and changes to the Wassenaar Arrangement list in 2017 for intrusion software. These export controls, requirements that organizations selling or sending technologies with potential military applications abroad obtain a license from the Commerce. Last month, changes to the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (Wassenaar Arrangement) placed zero-days, other computer exploits, and potentially more categories of. Revisions to Wassenaar cyber export-control agreement gain.
The aim is also to prevent the acquisition of these items by terrorists. The Wassenaar Arrangement's language on intrusion so. Intrusion and surveillance items, released in the Federal Register on May 20, 2015. At issue is the so-called Wassenaar Arrangement for restricting access to conventional arms and dual-use goods, which was expanded several years ago to include intrusion software, a move that tech firms said had the unintended consequence of limiting the. See the Wassenaar Arrangement, supra note 1, category 5pt. The intention of this was to prevent rogue countries from buying technology they could use to oppress or spy on their citizens. Sep 20, 2016: In 20, members of an export control regime known as the Wassenaar Arrangement were concerned about hackers using certain types of tools to violate human rights and threaten national security, and they agreed to create a control on the creation and use of intrusion software. Nov 07, 2014: It is also important to remember that it is made very clear in the Wassenaar Arrangement, and by extension the EU list, that controls do not apply to technology or software in the public domain or relating to basic scientific research. The Wassenaar Arrangement (Wassenaar or WA) on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a group of 41 like-minded states committed to promoting responsibility and transparency in the global arms trade, and preventing destabilizing accumulations of arms. Today, Microsoft is furthering the conversation by publishing a whitepaper entitled Rethinking Intrusion Software. The broad definition of intrusion software could mean that we end up with control of commonplace research, as opposed to the technologies the Wassenaar Arrangement set out to control. Director, Information Technology Controls Division.
Controlled items put security research and defense at risk. Technology for the development of intrusion software 3. Members of the Wassenaar Arrangement, an export control association whose 41 member states exchange information on transfers of. In 20, the Wassenaar Arrangement, a 41-country international forum that seeks consensus among its members on dual-use export controls, adopted new controls on intrusion software and carrier-class network surveillance tools. While well-intentioned, the Wassenaar Arrangement's intrusion software control was imprecisely drafted, and it has become evident that there is simply no way to interpret the plain. Focusing on the goal: the ongoing Wassenaar discussions about the intrusion software and technology controls are a very positive development. Jul 07, 2015: Of note, Italy is a signatory to the Wassenaar Arrangement. The Wassenaar Arrangement is a multilateral export control regime for conventional arms and dual-use goods and technologies. It is also important to remember that it is made very clear in the Wassenaar Arrangement. Dec 21, 2016: Wassenaar weapons pact talks collapse leaving software exploit exports in limbo. Critically, by adding intrusion software and IP monitoring to the control list. The Bureau of Industry and Security (BIS) proposes to implement the agreements by the Wassenaar Arrangement (WA) at the plenary meeting in December 20 with regard to systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software.
July 20, 2015 Director, Regulatory Policy Division Director. Members of the Wassenaar Arrangement, an export control association whose 41 member states exchange information on transfers of conventional weapons, have agreed to add technologies relating to intrusion software to their control list. US companies would require a license to export security technologies or information on newly discovered vulnerabilities. Cybersecurity and the Wassenaar Arrangement: what needs. May 21, 2015: The broad definition of intrusion software could mean that we end up with control of commonplace research, as opposed to the technologies the Wassenaar Arrangement set out to control. The proposal addressed a new type of cyber weapons known as intrusion software, causing a vocal protest in the multinational. On July 5, 2015, a 400 GB document dump of files from Hacking Team, including emails and financial data, was shared on BitTorrent. Last month, changes to the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (Wassenaar Arrangement) placed zero-days, other computer exploits, and potentially more categories of software under this multilateral export control regime. In May 1996, 41 countries came to Wassenaar, a small town in the Netherlands, to sign what was to be called the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. Since I wrote about Microsoft's comments on the proposed rule under the Wassenaar Arrangement, Microsoft has been continuing to work with the Wassenaar member states and the security community to find a balance between the needs of security researchers and regulators.
Jan 05, 2018: The Wassenaar Arrangement is one of several non-proliferation arrangements India has sought to enter, and it is therefore pertinent to analyse the implications of the 20 amendment regulating the export of intrusion software and IP surveillance networks. US to renegotiate rules on exporting intrusion software.
Rapid7's comments on the Wassenaar Arrangement proposed. Rethinking Intrusion Software: Microsoft Cybersecurity. Wassenaar allies to include generally available encrypted software has not prevented the Clinton administration (the administration) from regulating the export of such software by United States companies. On July 5, 2015, a 400 GB document dump of files from Hacking Team, including emails. How the Wassenaar Arrangement threatens responsible. So we posted an announcement seeking people in non-Wassenaar countries to participate in distribution and. Wassenaar backpedaling, rifle hacking, Stagefright, Wi-Fi Sense hysteria. Jul 24, 2015: By Cristin Goodwin, senior attorney, Microsoft. What you need to know about the Wassenaar Arrangement. The Wassenaar meeting was intended to create a post-Cold War. HP pulls out of hacking contest, citing changes to. These export controls, requirements that organizations selling or sending technologies with potential military applications abroad obtain a license. The Wassenaar meeting was intended to create a post-Cold War approach to. Wassenaar weapons pact talks collapse leaving software.
Software specially designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures, of a computer or network-capable device, and performing any of the. Microsoft's comments on the proposed rule under the Wassenaar. Comments on Wassenaar Arrangement 20 plenary agreements implementation. Uncertain future for Wassenaar cyberweapons agreement. Notable security news items for the week ending July 31, 2015. EU catches up, takes steps to control export of intrusion.
This paper examines the failed negotiations from an international and an Indian perspective. Arrangement is non-binding and each signatory agrees to enact domestic. Human rights advocates have recognized that surveillance software designed and sold by companies in Western countries has been responsible for serious abuses around the world. You can read about the proposal and Rapid7's initial thoughts here. The inclusion of intrusion software on the Wassenaar control list was done with good intentions. Could these rules regulate full disclosure and open source. Wassenaar Arrangement 20 plenary agreements implementation.
Mar 02, 2016: While well-intentioned, the Wassenaar Arrangement's intrusion software control was imprecisely drafted, and it has become evident that there is simply no way to interpret the plain. The primary goal of the arrangement is to prevent the proliferation of conventional arms such as uranium, and keeping them out of the hands of regimes that could use them against their own people and neighbors. Wassenaar allies to include generally available encrypted software has not prevented the Clinton administration (the administration) from regulating the ex. Microsoft's comments on the proposed rule under the. HP pulls out of hacking contest, citing changes to Wassenaar.
Members of the Wassenaar Arrangement, an export control association whose 41 member states exchange information on transfers of conventional weapons, have. Written testimony of Cristin Flynn Goodwin, Assistant General. Department of Commerce announced a proposal for an implementation of the amendments that were made in 20 to the international Wassenaar Arrangement on conventional weapons and related technologies that may be used for military purposes. Today I participated in the Center for Strategic and International Studies (CSIS) discussion on Decoding the BIS Proposed Rule for Intrusion Software Platforms and the important topic of the Department of Commerce's proposed rule on intrusion software under the Wassenaar Arrangement. Rapid7's comments on the Wassenaar Arrangement proposed rule. Our first information about the new Wassenaar Arrangement came in the form of a newspaper article, which said that export of encryption software would be prohibited, and this seemed to include free software. May 25, 2015: Guest blog by James Gannon, director and principal of Cyber Invasion, Ltd. The agreement has been credited with ending the wage-price spiral of the 1970s, greatly. May 28, 2015: The Wassenaar Arrangement includes controls for technology connected to intrusion software. Cybersecurity and the Wassenaar Arrangement: what needs to. At the December 20 meeting of representatives from all the Wassenaar countries, they agreed to new regulations to control intrusion software technology such as malicious software, command-and-control software, and surveillance software.
This paper acknowledges that the Wassenaar Arrangement's intrusion software clauses are intended to protect the activists and dissidents whose lives are endangered by government surveillance. To resolve these, Microsoft proposes to evolve the intrusion software control over time to a narrowly tailored and well-understood control that can help protect those involved in human rights advocacy, and protecting our security online. The United States successfully negotiated research-use exceptions to export controls on surveillance tools at the December 2017 meeting of the Wassenaar Arrangement, a club of advanced economies that coordinates export controls. EU catches up, takes steps to control export of intrusion spyware, IP monitoring. July 20, 2015 Director, Regulatory Policy Division. Implicitly, such software is related to previously unregulated software vulnerabilities and exploits, which also make the ongoing debate particularly relevant. Wassenaar defined intrusion software as software specially designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures, and that either extracted data from a computer or network device or modified the standard execution path of a program to allow the execution of externally provided instructions. Introduction: The Wassenaar Arrangement has been established in order to contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilising accumulations. The background relates to the amending of the international Wassenaar Arrangement with offensive cyber security technologies known as intrusion software. Written testimony of Cristin Flynn Goodwin, Assistant.