A group of 41 nations gathered this month to officially update the language of the Wassenaar Arrangement, a voluntary agreement governing certain export controls for classified dual-use software and technology, otherwise known as “cyberweapons.”
Along with one other representative, Iain Mulholland, I participated as a technical expert in security vulnerability disclosure and cyber incident response. (As a disclaimer, we did not represent any department of the U.S. government.) Our responsibilities at each technical expert’s working group meeting, from June 2016 leading up to last week’s plenary vote, included helping to clarify the arrangement’s language. We did so to prevent unintended consequences, especially any that would disrupt internet defenses.
The progress our group made was substantial and important, both to America and for countries around the world, now also including India as the 42nd country newly added to the group. We were able to work as a team to add some important new clarifications affecting vulnerability disclosure and cyber incident response.
How did we get here?
The Wassenaar Arrangement, once used primarily to help slow the proliferation of conventional military weapons and technology like advanced radar systems, added command and delivery platforms for “intrusion software” and “intrusion software technology” in 2013, classifying both as items requiring export licenses. All 41 countries party to this agreement, except the U.S., had already implemented the required export control changes in their national regulations.
We in the U.S. paused our implementation of the new controls locally, based on unprecedented industry feedback including outcry, panic, chagrin, consternation, and frustration.
Where did we stand up until this month? The Wassenaar Arrangement as written would have required export control licenses for nearly anyone involved in defensive security activities involving an export of, for example, command and control software & technology shared in taking down a botnet attack in real time.
The response to cyberattacks such as the “WannaCry” worm could have been held up in export control paperwork for days, if not weeks, as would any other vulnerability disclosure or incident response in which command and control software, or technical analysis of that software, were to cross a country’s virtual or physical border.
Clearly, this wasn’t the intent of the export controls.
Changes clarify export controls for internet defenders
Now that the official Wassenaar plenary votes have ratified the new language edited for clarity, the security industry can breathe easier knowing that the specific cross-border sharing activities around vulnerability disclosure and security incident response are exempt from requiring export control licenses as dictated by Wassenaar.
Also, updates and upgrades were clarified, as long as the software is not designed to update “intrusion software,” or turn benign software into something more malicious.
Do U.S. defenders need new export licenses?
For the U.S., it is likely there will be a decision between whether to pursue further clarifications of Wassenaar, or to draft a new export control rule. All options moving forward are still on the table, and there will likely be further opportunities for the public to weigh in on this undecided next move by the U.S.
In the U.S., none of the controls are implemented until domestic regulations are drafted and approved. This means U.S. organizations and individuals have no immediate need to change what they are doing domestically.
Individual countries may still have their own separate regulations, apart from what is covered under Wassenaar, around the export of this type of software and technology. Therefore, it's important to check with your country's export licensing office before declaring everything you do specifically as exempt.
Policy and practitioner partnerships, plus a little patience
This marks an important victory, not of perfection, but of progress. Yes, raise a glass today and pour one out for internet defense, we should be celebrating.
No regulation is perfect, and bugs can just as easily be found in legal code as they are in computer code. It is only with mutual respect and commitment to shared goals, such as the defense of the internet, that we can work together to ensure the best outcomes, even if the first version was flawed.
Cheers to the 41 countries, to their experts and exporters, their researchers and academics, their industry partners, and their heads of national security. Here is to the future of "wabi sabi" policy, and the teams of policy people and technical practitioners who help shape and correct them, as our society rides the train of progress, building the track in front of us as we go.
Bottoms up, and buckle up, it's going to be an interesting ride. All aboard.
Katie Moussouris is the founder and CEO of Luta Security.
The views expressed are those of the author and do not represent the position of the U.S. government.