Member states voted to begin controlling cybersecurity tools in December 20, starting with intrusion software. Although the Wassenaar Arrangement does not directly control intrusion software, the intrusion software definition underpins the arrangement's controls on software, systems, and technology that operate or communicate with intrusion. The Wassenaar Arrangement has 41 signatory countries. US Department of Commerce proposes licensing requirements. United States to renegotiate controls on intrusion software. Because the Wassenaar Arrangement text is not self-executing, each member state then in turn implements the agreed-upon controls domestically. While well-intentioned, the Wassenaar Arrangement's intrusion software control was imprecisely drafted, and it has become evident that there is simply no way to interpret the plain. Wassenaar Arrangement 41 member multilateral export control regime. The international rules that have the security world on alert. Langevin statement on Wassenaar Arrangement plenary. The Wassenaar Arrangement plays a significant role in promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies.
Unsuccessful in renegotiating Wassenaar international. Technology for the development of intrusion software includes proprietary. How the Wassenaar Arrangement threatens responsible. Technology for the development of intrusion software. Software specially designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures, of a computer or network capable device, and performing any of the. Dec 19, 2016 Congressman Jim Langevin (D-RI), co-founder and co-chair of the Congressional Cybersecurity Caucus and a senior member of the House Committees on Armed Services and Homeland Security, released a statement in response to changes made to intrusion software export controls at the recent Wassenaar Arrangement plenary session. But rather than control intrusion software itself, the arrangement put export. Today I participated in the Center for Strategic and International Studies (CSIS) discussion on decoding the BIS proposed rule for intrusion software platforms and the important topic of the Department of Commerce's proposed rule on intrusion software under the Wassenaar Arrangement. Specially designed to avoid detection by monitoring tools or to defeat protective countermeasures. These include specific emerging technologies such as intrusion software, and cyber warfare tools, electronic forensics equipment, lawful interception equipment, UAV jamming systems, and spacecraft. Wassenaar defined intrusion software as software specially designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures and that either extracted data from a computer or network device or modified the standard execution path of a program to allow the execution of externally provided instructions. That is capable of extracting or modifying data or modifying. The Wassenaar Arrangement cyber weapons proposal will.
The Bureau of Industry and Security (BIS) has considered the public comments it received in response to its proposed rule implementing the Wassenaar Arrangement's (WA) 20 agreements related to systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software.
Dec 22, 2016 The United States was unable to renegotiate portions of the Wassenaar Arrangement's export controls for intrusion software at the plenary meeting held from Dec. The Wassenaar Arrangement cyber weapons proposal will benefit. Wassenaar Arrangement decides to make India its member. Controlling technologies of software development and automation is. These items were added to the Wassenaar Arrangement's control list of dual use. Introduction This document aims to clearly outline the Wassenaar Arrangement and how it has affected trade across the globe especially in developing countries such as Zimbabwe in particular. The fuzzy analytical meaning of intrusion software during the 2010s Wassenaar debate inferred from the Department of Commerce 2015 and the Wassenaar Arrangement 2018 for summarizing the key observations and ambiguities, an analytical conceptual model is presented in fig. Participating states seek, through their national policies, to. These export controls, requirements that organizations selling or sending technologies with potential military applications abroad obtain a license from the Commerce.
Multilateral export control regimes Wassenaar Arrangement. However, once intrusion software was added to the mix, problems with the vague wording of the agreement began to emerge. The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (Wassenaar or the Arrangement) is a voluntary, multilateral export control regime whose member states exchange information on transfers of conventional weapons and dual-use goods and technologies. Dec 21, 2017 Infosec controls relaxed a little after latest Wassenaar meeting. Implicitly, such software is related to previously unregulated software. How the Wassenaar Arrangement threatens responsible vulnerability disclosures. Export control regime Wassenaar Arrangement admits India as. Jul 07, 2015 How the Wassenaar Arrangement threatens responsible vulnerability disclosures. Jul 11, 2018 Wassenaar Arrangement decides to make India its member. The WA membership is also expected to build up a strong case for India's entry into the 48-member Nuclear Suppliers Group (NSG). Wassenaar Arrangement defines intrusion software and thus also. Export control regime Wassenaar Arrangement admits India. Infosec controls relaxed a little after latest Wassenaar. Systems, equipment, and components therefor, specially.
Software specially designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures, of a computer or network capable device, and performing any of the following. Mar 02, 2016 US to renegotiate rules on exporting intrusion software. May 02, 2016 While well-intentioned, the Wassenaar Arrangement's intrusion software control was imprecisely drafted, said Langevin in the February statement, and it has become evident that. Why Wassenaar Arrangement's definitions of intrusion software. Software specially designed or modified for the development or. Software specially designed or modified for the development or production of equipment or software specified. The United States successfully negotiated research-use exceptions to export controls on surveillance tools at the December 2017 meeting of the Wassenaar Arrangement, a club of advanced economies that coordinates export controls. The international rules that have the security world on. Exportkontrolle fur intrusionsoftware macht securityexperten zu. Compiled by the Wassenaar Arrangement Secretariat December 2019. Jul 21, 2016 The Wassenaar Arrangement has 41 signatory countries. Microsoft's comments on the proposed rule under the. Export control of cybersecurity software and tools.
Export controls for intrusion software give security experts trouble. The background relates to the amending of the international Wassenaar Arrangement with offensive cyber security technologies known as intrusion software. US Department of Commerce proposes licensing requirements for export and transfer of cybersecurity items. The Wassenaar Arrangement has been established in order to contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilising accumulations. Written testimony of Cristin Flynn Goodwin assistant. Internet Protocol (IP) network communications surveillance systems or equipment and test, inspection, production equipment. May 22, 2015 Intrusion software is the sword that hones the shield.
While the Wassenaar Arrangement did not propose to control intrusion software itself, it did seek to add export restrictions on the software, systems, equipment, components and technology specially designed for the generation, operation or delivery of, or communication with, intrusion software. Wassenaar Arrangement recommendations for cybersecurity. Three years ago, the Wassenaar Arrangement, an international arms control pact, placed restrictions on the exports of certain intrusion software tools. This paper analyzes a recent debate on regulating cyber weapons through multilateral export controls. You can find the US proposal for implementing the arrangement here, and an accompanying FAQ from the Bureau of Industry and Security (BIS) here. This paper acknowledges that the Wassenaar Arrangement's intrusion software clauses are. Rethinking intrusion software control and regulation In anticipation of additional technical discussions that Wassenaar Arrangement participating states will be having on the intrusion software control, we offer these thoughts publicly to government policymakers engaged in those discussions and welcome engagement on this topic from the. In December, new export control rules for computer network intrusion software were published by the Wassenaar Arrangement, an international body that governs trade in goods with military and civilian applications for 42 member states. Overview of FR notice Wassenaar Arrangement 41-member multilateral export control regime notice would implement control language agreed to in the. Implicitly, such software is related to previously unregulated software vulnerabilities and exploits, which also make the ongoing debate particularly relevant. Due to the restrictions imposed on the export of such tools, companies need to apply for an export license in order to legally trade them.
While well-intentioned, the Wassenaar Arrangement's intrusion software control was imprecisely drafted, and it has become evident that there is simply no way to interpret the plain. But rather than control intrusion software itself, the arrangement put.
Infosec controls relaxed a little after latest Wassenaar meeting. Researchers are particularly worried about a measure that would. Participating states seek, through their national policies, to ensure that transfers of these items do not contribute to the development or enhancement of military. It also controlled any type of technology involved in the development of intrusion software. This paper acknowledges that the Wassenaar Arrangement's intrusion software clauses are. Wassenaar Arrangement inhibits international cyber. The Hacking Team data leak shed light on the business of zero-days and intrusion software, notably in countries such as Ethiopia, Sudan, Russia or Kazakhstan. Wassenaar Arrangement decides to make India its member the. The relevant sections in the list of dual-use goods and technologies covering intrusion software are 4. Controlled items put security research and defense at risk. Wassenaar Arrangement 20 plenary agreements implementation. In 20, members of an export control regime known as the Wassenaar Arrangement were concerned about hackers using certain types of tools to violate human rights and threaten national security, and they agreed to create a control on the creation and use of intrusion software.
Wassenaar Arrangement decides to make India its member. The WA membership is also expected to build up a strong case for India's entry into the 48-member Nuclear Suppliers Group (NSG). The broad definition of intrusion software could mean that we end up with control of commonplace research, as opposed to the technologies the Wassenaar Arrangement set out to. These clauses are intended to protect activists, dissidents and journalists whose. Dual-use goods and technologies, DNS, surveillance, intrusion software. Technology required for the development of intrusion software ECCN 4E001 Internet Protocol (IP) network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor. New changes to Wassenaar Arrangement export controls will. Export control regime Wassenaar Arrangement admits India as member. Although the Wassenaar Arrangement does not directly control intrusion software, the intrusion software definition underpins the arrangement's controls on software, systems, and technology that operate or communicate with intrusion.
Controlling technologies of software development and automation is extremely broad and contrary to principles of software engineering. BIS explained that the proposed controls on technology for the development of intrusion software would include. So far, the comments from the security world have been blistering. Wassenaar Arrangement inhibits international cybersecurity. Jul 24, 2015 By Cristin Goodwin, senior attorney, Microsoft. The goals of the Wassenaar Arrangement (WA) are constructive, and our. Microsoft's comments on the proposed rule under the Wassenaar. In a significant development, elite export control regime Wassenaar Arrangement (WA) on Thursday decided to admit India as its new member, which is expected to raise New Delhi's stature in the. Department of Commerce's proposed rule to implement the Wassenaar Arrangement 20 plenary agreement on intrusion and surveillance software RIN 0694-AG49, as published in 80 Fed. May 28, 2015 The Wassenaar Arrangement includes controls for technology connected to intrusion software. Department of Commerce's proposed rule to implement the Wassenaar Arrangement 20 plenary agreement on intrusion and surveillance software RIN 0694-AG49, as. Intrusion and surveillance items, released in the Federal Register on May 20, 2015.
The department had been engaged in a months-long standoff with the Departments of Commerce and Homeland Security. The United States was unable to renegotiate portions of the Wassenaar Arrangement's export controls for intrusion software at the plenary meeting held from Dec. Hacking Team series the Wassenaar Arrangement ENISA. Langevin statement on Wassenaar Arrangement plenary session. The Wassenaar Arrangement's intrusion software clauses are intended. In December, new export control rules for computer network intrusion software were published by the Wassenaar Arrangement, an international body that governs trade in goods with military and. For Rapid7's take on Wassenaar, and information on the comments we. Why Wassenaar Arrangement's definitions of intrusion software and. The purpose of this post is to help answer questions about the Wassenaar Arrangement. Among the unintended effects of the arrangement's definitions are chilling effects on the development of anti-surveillance measures and on the.
US to renegotiate rules on exporting intrusion software. Intrusion software and human rights Regulation EC 822014 amending the community regime for the control of exports, transfer, brokering and transit of dual-use items follows the intrusion software clauses in the Wassenaar Arrangement. The United States was unable to renegotiate portions of the Wassenaar Arrangement's export controls for intrusion software at the plenary meeting held from Dec. The Wassenaar Arrangement defines intrusion software as technology used to avoid detection by monitoring tools or defeat protective countermeasures of a computer or network. Sep 20, 2016 In 20, members of an export control regime known as the Wassenaar Arrangement were concerned about hackers using certain types of tools to violate human rights and threaten national security, and they agreed to create a control on the creation and use of intrusion software. Congressman Jim Langevin (D-RI), co-founder and co-chair of the Congressional Cybersecurity Caucus and a senior member of the House Committees on Armed Services and Homeland Security, released a statement in response to changes made to intrusion software export controls at the recent Wassenaar Arrangement plenary session. More recently, offensive network intrusion tools such as exploit toolkits have. US-backed effort to ease software export limits fails. Cybersecurity industry remains concerned over Wassenaar.
I am deeply disappointed that Wassenaar member states declined to make needed updates to the intrusion software controls, particularly those related to technologies necessary for their development, said Congressman Jim Langevin in a statement issued Monday. May 21, 2015 The broad definition of intrusion software could mean that we end up with control of commonplace research, as opposed to the technologies the Wassenaar Arrangement set out to control. Intrusion software is the sword that hones the shield. Many of you may have heard about the recent debate regarding the U. Afeera Firdous Many computer security experts have celebrated the development of Wassenaar Arrangement (WA) in which it revised and added new export control rules for computer network intrusion software in its export control list. These export controls, requirements that organizations selling or sending technologies with potential military applications abroad obtain.
Participating states seek, through their national policies, to ensure that transfers of these items do not contribute to the development or enhancement of military capabilities which undermine these goals, and are not. In this post, I describe the original Wassenaar export controls. The Wassenaar Arrangement (WA) on export controls for conventional arms and dual-use. Jan 16, 2018 In December, new export control rules for computer network intrusion software were published by the Wassenaar Arrangement, an international body that governs trade in goods with military and. The Wassenaar Arrangement was established to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations. Obama administration to renegotiate rules for intrusion.