Wassenaar Arrangement intrusion software

Jul 07, 2015: Of note, Italy is a signatory to the Wassenaar Arrangement. According to Moussouris, when Wassenaar delegates agreed to include the tools under the treaty in December 20, they adopted an overly broad definition of computer intrusion technology which would have inadvertently outlawed much of the business that's done across the global cybersecurity industry. US-backed effort to ease software export limits fails. The United States was unable to renegotiate portions of the Wassenaar Arrangement's export controls for intrusion software at the plenary meeting held from Dec. Langevin statement on Wassenaar Arrangement plenary. When small words have the power to shatter security. WA: the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. In 20, the Wassenaar Arrangement, a 41-country international forum that seeks consensus among its members on dual-use export controls, adopted new controls on intrusion software and carrier class network surveillance tools. Langevin statement on Obama administration's decision to. Cybersecurity and the Wassenaar Arrangement what needs to.

Department of Commerce announced a proposal for an implementation of the amendments that were made in 20 to the international Wassenaar Arrangement on conventional weapons and related technologies that may be used for military purposes. Unless the Wassenaar Arrangement's approach to controlling intrusion software and associated research, development, and information sharing is addressed, multinational companies with cybersecurity teams spread across multiple countries that are members of the Wassenaar Arrangement will find themselves unable to test their own networks. Introduction: The Wassenaar Arrangement has been established in order to contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilising accumulations. On July 5, 2015, a 400 GB document dump of files from Hacking Team, including emails. News releases: major business and tech groups call on.

The Wassenaar Arrangement was established to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations. The international rules that have the security world on alert. Dec 21, 2016: "I am deeply disappointed that Wassenaar member states declined to make needed updates to the intrusion software controls, particularly those related to technologies necessary for their development," said Congressman Jim Langevin in a statement issued Monday. Last month, changes to the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (Wassenaar Arrangement) placed zero-days, other computer exploits, and potentially more categories of. These items were added to the Wassenaar Arrangement's control list of dual-use technologies (technologies that can be used maliciously or for legitimate purposes). To resolve these, Microsoft proposes to evolve the intrusion software control over time to a narrowly tailored and well understood control that can help protect those involved in human.

Response to the US proposal for implementing the Wassenaar. It remains an open question whether the Trump administration will move to implement the existing language in the meantime. Changes to export control arrangement apply to computer. Intrusion software now export-controlled as dual-use. In 20, members of the Wassenaar Arrangement agreed to impose export controls on hardware and software specially designed or modified for the generation, operation or delivery of, or communication with intrusion software. The Wassenaar Arrangement is a 41-country, voluntary export control agreement. Wassenaar Arrangement inhibits international cybersecurity. Human rights advocates have recognized that surveillance software designed and sold by companies in Western countries has been responsible for serious abuses around the world. This paper acknowledges that the Wassenaar Arrangement's intrusion software clauses are intended to protect the activists and dissidents whose lives are endangered by government surveillance. The Wassenaar Arrangement defines intrusion software as technology used to avoid detection by monitoring tools or defeat protective countermeasures of a computer or network. The Hacking Team data leak shed light on the business of zero-days and intrusion software, notably in countries such as Ethiopia, Sudan, Russia or Kazakhstan.

May 28, 2015: The Wassenaar Arrangement includes controls for technology connected to intrusion software. Microsoft's comments on the proposed rule under the Wassenaar. Langevin statement on Wassenaar Arrangement plenary session. On July 5, 2015, a 400 GB document dump of files from Hacking Team, including emails and financial data, was shared on BitTorrent. Jul 20, 2015: Members of the Wassenaar Arrangement have agreed to control a wide range of goods, software, and information, including technologies relating to intrusion software as they've defined that term. The Bureau of Industry and Security (BIS) proposes to implement the agreements by the Wassenaar Arrangement (WA) at the plenary meeting in December 20 with regard to systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software. In numerous press declarations, the Hacking Team CEO argues that his company respects international law, and notably the Wassenaar Arrangement, triggering numerous debates on the topic. Jul 21, 2016: The intrusion software export controls of the Wassenaar Arrangement were created to stop the cross-border proliferation of cyberweapons. Obama administration to renegotiate rules for intrusion.

Hacking Team series: the Wassenaar Arrangement, ENISA. Intrusion software is the sword that hones the shield. Mar 18, 2016: As a result of the 20 addition, the Wassenaar Arrangement requires restrictions on exports for technology, software, and systems that develop or operate intrusion software. Controls would apply only to systems that generate, operate, deliver and communicate with intrusion software. These export controls, requirements that organizations selling or sending technologies with potential military applications abroad obtain a license from the Commerce. The aim is also to prevent the acquisition of these items by terrorists. Dec 22, 2016: The United States was unable to renegotiate portions of the Wassenaar Arrangement's export controls for intrusion software at the plenary meeting held from Dec. Constructed with oppressive regimes in mind, the Wassenaar Arrangement was meant to protect citizens from having their human rights abused. New changes to Wassenaar Arrangement export controls will. The broad definition of intrusion software could mean that we end up with control of commonplace research, as opposed to the technologies the Wassenaar Arrangement set out to control.

But rather than control intrusion software itself, the arrangement put export controls on software, systems or equipment that interacted with. Unsuccessful in renegotiating Wassenaar international. The Wassenaar Arrangement's language on intrusion software is a more broadly defined control than IP network surveillance and others within the computers. This paper analyzes a recent debate on regulating cyber weapons through multilateral export controls. Inadvertently, in its current form, the legislation will.

In the current item list, intrusion software is clari. Jun 05, 2019: This paper analyzes a recent debate on regulating cyber weapons through multilateral export controls. Wassenaar Arrangement decides to make India its member. The Wassenaar Arrangement was established to contribute to regional and international security and stability by. Wassenaar Arrangement: 41-member multilateral export control regime. We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community.

Participating states seek, through their national policies, to ensure that transfers of these items do not contribute to the development or enhancement of military capabilities which undermine these goals, and are not. The inclusion of intrusion software on the Wassenaar control list was done with good intentions. Jul 24, 2015: By Cristin Goodwin, Senior Attorney, Microsoft. Implicitly, such software is related to previously unregulated software vulnerabilities and exploits, which also make the ongoing debate particularly relevant.

Today I participated in the Center for Strategic and International Studies (CSIS) discussion on decoding the BIS proposed rule for intrusion software platforms and the important topic of the Department of Commerce's proposed rule on intrusion software under the Wassenaar Arrangement. The voluntary agreement among the 41 participating. Jan 16, 2018: In December, new export control rules for computer network intrusion software were published by the Wassenaar Arrangement, an international body that governs trade in goods with military and. Products designed for penetration testing are included. Wassenaar Arrangement recommendations for cybersecurity. How the Wassenaar Arrangement threatens responsible. The Commerce Department's proposed rules stem from U. At the end of 20, changes were made to the Wassenaar Arrangement (WA) on the export control for conventional arms and dual-use of goods and technologies including references to zero days, computer exploits and other software categories e. The United States successfully negotiated research-use exceptions to export controls on surveillance tools at the December 2017 meeting of the Wassenaar Arrangement, a club of advanced economies that coordinates export controls. Implicitly, such software is related to previously unregulated software vulnerabilities and exploits, which also make the ongoing.

Intrusion software now export-controlled as dual-use under. Microsoft's comments on the proposed rule under the. Dec 20, 2017: "The basic problem with Wassenaar stems from the vast overbreadth of the definition of intrusion software itself," he said. Unfortunately, the first round of the Wassenaar Arrangement's export controls on intrusion software reflected the regulators somewhat.

A group of 41 nations gathered this month to officially update the language of the Wassenaar Arrangement, a voluntary agreement governing certain export controls for classified dual-use software. Sep 20, 2016: In 20, members of an export control regime known as the Wassenaar Arrangement were concerned about hackers using certain types of tools to violate human rights and threaten national security, and they agreed to create a control on the creation and use of intrusion software. Why an arms control pact has security experts up in arms, Wired. In December, new export control rules for computer network intrusion software were published by the Wassenaar Arrangement, an international body that governs trade in goods with military and civilian applications for 42 member states. Controls would not apply to intrusion software itself. While well-intentioned, the Wassenaar Arrangement's intrusion software control was imprecisely drafted, and it has become evident that there is simply no way to interpret the plain. US to renegotiate rules on exporting intrusion software. On May 20th 2015, the Bureau of Industry and Security (BIS) published its proposal for implementing new export controls under the Wassenaar Arrangement.

A group of 41 countries, including all EU member states, the US and Russia, has decided to control the export of certain intrusive technologies, states the blog of MEP Marietje Schaake (D66 party). Wassenaar defined intrusion software as software specially designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures and that either extracted data from a computer or network device or modified the standard execution path of a program to allow the execution of externally provided instructions. The Wassenaar Arrangement's language on intrusion so. The Wassenaar Arrangement's first foray into cybersecurity export controls has created a multitude of unintended consequences and implementation challenges. The proposal addressed a new type of cyber weapons known as intrusion software, causing a vocal protest in the multinational. The Wassenaar Arrangement plays a significant role in promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies. However, in 20, the legislation was amended to include intrusion software, and at this moment, ripples spread through the cybersecurity community. As of December 4th 20 intrusion software is export-controlled as a dual-use technology under the Wassenaar Arrangement. Wassenaar Arrangement inhibits international cyber. Dec 19, 2016: Congressman Jim Langevin (D-RI), co-founder and co-chair of the Congressional Cybersecurity Caucus and a senior member of the House Committees on Armed Services and Homeland Security, released a statement in response to changes made to intrusion software export controls at the recent Wassenaar Arrangement plenary session.
The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a multilateral export control regime (MECR) with 42 participating states including many former Comecon (Warsaw Pact) countries. The Wassenaar Arrangement was established to contribute to regional and international security and stability by promoting transparency and greater responsibility.

Wassenaar Arrangement changes in multifaceted digital. The fuzzy analytical meaning of intrusion software during the 2010s Wassenaar debate inferred from the Department of Commerce (2015) and the Wassenaar Arrangement (2018). For summarizing the key observations and ambiguities, an analytical conceptual model is presented in Fig. The background relates to the amending of the international Wassenaar Arrangement with offensive cyber security technologies known as intrusion software.

Bureau of Industry and Security (BIS) enforcement of an international arms agreement called the Wassenaar Arrangement. Software specially designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures, of a computer or network capable device, and performing any of the. Wassenaar's exemptions for scientific research or public domain. The rules were negotiated through the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, an agreement governing the trade of weapons and technology. In December, new export control rules for computer network intrusion software were published by the Wassenaar Arrangement, an international body. Mar 02, 2016: While well-intentioned, the Wassenaar Arrangement's intrusion software control was imprecisely drafted, and it has become evident that there is simply no way to interpret the plain. The international rules that have the security world on. Cybersecurity and the Wassenaar Arrangement what needs. Implicitly, such software is related to previously unregulated software vulnerabilities and exploits, which also make the ongoing debate. Controlled items put security research and defense at risk. Bob Rarog, Bureau of Industry and Security, Department of Commerce for ISPAB keywords. Cybersecurity industry remains concerned over Wassenaar.
