Europe talks to hackers, security bods on Wassenaar recalibration
Delegates suggest govs should sort themselves out before criminalising researchers
Speaking at a roundtable meeting on export controls on Wednesday, Dutch MEP Marietje Schaake said that she and other lawmakers were working to avoid "some of the unintended consequences of the Wassenaar Arrangement."
That's the arrangement between various nations on the export of weapons and arms, which includes software used in modern-day information security.
The European Commission is asking for public feedback on plans to regulate the sale of so-called "cyber-weapons." The public consultation is open until 15 October.
Schaake said it is essential to ensure that these weapons do not fall into the hands of those who violate human rights. "After Hacking Team was hacked, we know that the Italian authorities had approved the export of ready-made digital weapons to Sudan and Russia. This despite the fact that it is known that these countries are covered by sanctions and violate human rights," she said.
Europe needs a way to assess if a buyer is legitimate or not, she continued. "It's about being consistent. On a political level we condemn certain actions and have stated objections to the abuse of human rights, but on the trade side nothing happens," added Schaake.
However, at the meeting she also heard from security researchers and ethical hackers, who fear that their legitimate research activities could be under threat. Schaake asked how a balance could be struck, particularly in the trade of zero-day vulnerabilities.
Schaake said that although she was wary of over-regulation, trade in zero-days was currently a free-for-all.
Stephane Chardon, the European Commission's man in charge of export controls, said that "penalties must be effective and proportionate," but that this is as far as harmonisation at European level goes. In his view, more cooperation and sharing of information between countries is needed. He said that law-makers also have to decide whether cyber export controls should be kept as part of more general export controls or dealt with as a special case.
Vincenzo Iozzo from Rokaku Holdings argued that overly focusing on sellers was short-sighted. "Why punish the selling side, when you should be punishing the buyer side?" he asked.
Mailyn Fidler, Marshall Scholar at the University of Oxford, took a slightly more nuanced view, saying: "Wassenaar is about security and stability, not human rights per se. Demand [for these products] comes not only from human rights violators, but also our own governments." ®
Sponsored: Becoming a Pragmatic Security Leader