Wassenaar weapons pact talks collapse leaving software exploit exports in limbo
Some progress, but it's glacial
Security researchers face continued uncertainty after talks broke down between US negotiators and 40 other countries over the state of exploit exports.
The negotiations concern the Wassenaar Arrangement, an arms-control pact in which members agree to limit the export of certain types of weaponry and "dual-use products." Usually this just covers conventional weaponry, but in December 2013, new wording was introduced that banned the export of software tools that could be used for online warfare – particularly code to exploit and attack insecure programs and servers.
Unfortunately, software IT security professionals use on a day-to-day basis could be classed as weaponry under the tweaked rules. An important step in testing and securing any network is to attack it and see where the holes are, and to do that, you need working exploit code.
Under the new wording, security researchers will have to go through the tedious process of getting an export license if they want to, say, email a network penetration exploit to a colleague or client overseas to use as part of an audit.
After protests from the infosec community, the US Commerce Department agreed to look at the rules again and has added ethical hackers to its negotiating team. However, the latest round of talks with other nations has failed to reach a conclusion on the best way forward for legit computer security researchers, so the arrangement is still up in the air.
Essentially, changes have been made to the arrangement that could require export licenses for some computer security tools, and countries part of the pact are now free to enforce the rules. Negotiations with the US and other nations to improve the wording have fallen through, so the infosec industry is in limbo and unsure of how to proceed legally.
It's not likely to be resolved for at least another year or so due to the change in administration in the White House. Meanwhile, as we've said, countries can start cracking down as per the agreement.
"I am deeply disappointed that Wassenaar member states declined to make needed updates to the intrusion software controls, particularly those related to technologies necessary for their development," said US negotiator Congressman Jim Langevin (D-RI).
"For over a year, I have led my colleagues in Congress in calling for a careful review of these controls, which could harm our nation's cybersecurity by making it more difficult to quickly share defensive tools and close vulnerabilities."
There was some small progress, however. The countries did agree that command and control software for botnets should be included in the export ban, although Langevin said this wouldn't do much to address the concerns of the IT industry.
Fellow negotiator Katie Moussouris, the woman who persuaded Microsoft to start its bug bounty and who now runs Luta Security, described the situation as a "bummer," and said it was now the next US administration's problem to deal with.
Requiring precise rewording of tech & policy, multilingually & multilaterally, it should be no surprise #Wassenaar consensus takes >1 year— Katie Moussouris (@k8em0) December 19, 2016
In the meantime, computer science students are having to censor their own course work, researchers flying overseas are being very careful, and companies are begging for clear advice as to what they can and cannot sell. Hopefully the incoming US Commander in Chief – a man known for making deals – can sort the mess out. ®