Written by Shaun Waterman
Security researchers are welcoming rewritten language that includes hacking tools in a treaty that regulates the global trade in weapons technology, saying it fixes rules that, if implemented in the U.S., would have outlawed much of the daily commerce of the cybersecurity industry.
The recent agreement, reached at the annual plenary session of the Wassenaar Arrangement — a 42-nation arms control treaty to which the U.S. is a signatory — was broadly welcomed by policy makers, industry sources and security researchers.
“We applaud the hard work of the U.S. interagency and our partners in industry, the research community, and foreign governments to clarify software and technology controls that could have had a negative impact on legitimate cybersecurity,” Rob Joyce, White House Cybersecurity Coordinator, told CyberScoop.
The changes provide exemptions to the export control requirements the treaty imposes on hacking tools.
Researchers engaged in vulnerability disclosure and incident response will no longer have to worry about the looming specter of needing a license to sell or share their tools abroad, according to Katie Moussouris, an independent security researcher who served as a technical expert on the rewrite.
It marks the latest stage in a long-running diplomatic tussle over hacking technology regulation that dates back four years, complicated by the fact that defenders and attackers can use the same tools.
According to Moussouris, when Wassenaar delegates agreed to include the tools under the treaty in December 2013, they adopted an overly broad definition of computer intrusion technology which would have inadvertently outlawed much of the business that’s done across the global cybersecurity industry.
“Even a white-paper describing an intrusion technique … you’d have needed an export license for that,” she told CyberScoop. “This shows that we, as a security community, can get together with [U.S.] policymakers and succeed in making really important changes.”
Fixing the problem
The new language, which was agreed to Dec. 6, “solves a huge chunk of the problems” with the 2013 provisions, Moussouris said.
Congress has taken notice of the new language since the U.S. government is bound by the treaty to implement the rules in its own trade regulations — although it hasn’t done so yet. The Commerce Department tried to do so in 2015, but failed.
“I commend the U.S. negotiating team for their efforts,” said Rep. Jim Langevin, D-R.I., a lawmaker who has closely followed the issue. “Member nations agreed to substantial changes … providing exemptions for vulnerability research and incident response, [that] are essential to allow cybersecurity defenders to share information in a timely fashion without fear of violating licensing requirements.”
Moussouris said that, for security researchers, uncertainty about whether their work might be covered by export control licensing requirements in the 2013 language had already caused “self-censorship,” even in the U.S.
Much of the technology that cyber defenders use involves testing network security with offensive tools of exactly the kind Wassenaar was seeking to regulate, she said. And Wassenaar had been implemented in Europe and by all other signatory nations, leaving responders to global cyber incidents exposed.
During a global cyberattack like the WannaCry ransomware incident, she said security researchers collaborating on defense “pass around — probably across borders because you are a global operation — the very same technology.”
If incident responders needed an export license to do that, “the frequency with which these events happen around the world would quickly overwhelm any imaginable licensing system,” she said.
Exemptions for cyber defenders
In the end, Moussouris said, the Wassenaar delegates agreed to adopt exemptions based on the intent of the user. “It’s called end-use decontrol,” she said, “And it’s frowned upon in arms control circles because it’s considered too easy to get around.”
But by using “very specific, technical and real examples, showing the broad impact [of this language] beyond the capability of any government to manage or predict,” U.S. negotiators were able to convince the plenary delegates that the exemptions were needed.
Gaining that agreement was only the first step. “Ninety percent of the work was negotiating the definitions,” she said. “Different countries have different definitions of everything. Does ‘technology’ include software — source code or compiled code? In some countries it does, but in others it doesn’t.”
Those definitions often hide national agendas, said Kenneth Geers, a former NATO cyber official.
“This is a very amorphous area,” Geers, now with cybersecurity company Comodo, told CyberScoop about cyber treaties like Wassenaar. “Definitions are difficult … There’s so much politics involved.”
Indeed, Moussouris said the 18 months spent rewriting were at times “like torture,” because of such debates. “I can’t tell you how much Austrian beer I had to drink after those sessions,” she joked.
But it was worthwhile: the aim of the two rewrites she helped author was “to get to a place where internet defenders don’t have to worry about whether they need an export license.”
Work still to do
Industry representatives welcomed the new language, while acknowledging that more work remained.
“We see this as good progress but recognize we still have a long way to the finish line,” Bill Wright, Symantec’s director of government affairs, told CyberScoop, adding the changes “address some of the most egregious impacts of the controls” but not all of them.
The U.S. now faces two separate but connected decisions: Whether to keep pushing for more changes at next year’s plenary, and whether to implement the 2017 version of the language in domestic regulation.
Wright said Symantec — and the cybersecurity industry more generally — “strongly hopes and urges” that the U.S. government would “continue its efforts to better, more specifically, define and narrow the controls” Wassenaar imposes.
The basic problem with Wassenaar “stems from the vast over-breadth of the definition of ‘intrusion software’ itself,” he said.
It remains an open question whether the Trump administration will move to implement the existing language in the meantime.
The Department of Commerce — the lead agency for implementation — did not immediately respond to a request for comment.
Wright echoed Moussouris, calling the new language “a big step forward … achieved by partnership between the US government … industry, academia, and the research community.”
“They did a bang-up job,” he said of the U.S. negotiators.