Wassenaar Arrangement Recommendations for Cybersecurity Export Controls

Published at 2016-03-18 20:25:36

The U.S. Departments of Commerce and State will renegotiate an international agreement – called the Wassenaar Arrangement – that would place wide new export controls on cybersecurity-related software. An immediate question is how the Arrangement should be revised. Rapid7 drafted some initial revisions to the Arrangement language – described below and attached as a .pdf to this blog post. We welcome feedback on these suggestions, and we would be glad to see other proposals that are even more effective.

Background

When the U.S. Departments of Commerce and State agreed – with 40 other nations – to export controls related to "intrusion software" in 2013, their end goal was a noble one: to prevent malware and cyberweapons from falling into the hands of bad actors and repressive governments. As a result of the 2013 addition, the Wassenaar Arrangement requires restrictions on exports of "technology," "software," and "systems" that develop or operate "intrusion software." These items were added to the Wassenaar Arrangement's control list of "dual use" technologies – technologies that can be used maliciously or for legitimate purposes.

Yet the Arrangement's new cyber controls would impose burdensome new restrictions on much legitimate cybersecurity activity. Researchers and companies routinely develop proofs of concept to demonstrate a cybersecurity vulnerability, use software to refine and test exploits, and use penetration testing software – such as Rapid7's Metasploit Pro software – to root out flaws by mimicking attackers. The Wassenaar Arrangement could (depending on how each country implements it) either require new licenses for each international export of such software, or prohibit international export altogether. This would create meaningful unintended negative consequences for cybersecurity, since cybersecurity is a global enterprise that routinely requires cross-border collaboration.

Rapid7 submitted detailed comments to the Dept. of Commerce describing this problem in July 2015, as did many other stakeholders. The Wassenaar Arrangement was also the subject of a Congressional hearing in January 2016. [For additional info, check out Rapid7's FAQ on the Wassenaar Arrangement – available here.]

Revising the Wassenaar Arrangement

To their credit, the Depts. of Commerce and State recognize the overbreadth of the Arrangement and are motivated to negotiate modifications to the core text. The agencies recently submitted agenda items for the next Wassenaar assembly – specifically, removal of the "technology" control, and placeholders for other controls. A big question now is what should happen under those placeholders – a placeholder does not necessarily mean that the agencies will ultimately renegotiate those items.

To help address this problem, Rapid7 drafted initial suggestions on how to revise the Wassenaar Arrangement, incorporating feedback from many partners. Rapid7's proposal builds on the good work of Mara Tam of HackerOne and her colleagues, as well as that of Sergey Bratus, one of the most important contributions of which was to emphasize that authorization is a distinguishing feature of legitimate – as opposed to malicious – use of cybersecurity tools. Our suggested revisions can be broken down into three categories:

1) Exceptions to the Wassenaar Arrangement controls on "systems," "software," and "technology." These are the items on which the Wassenaar Arrangement puts export restrictions. We suggest creating exceptions for software and systems designed to be installed by administrators or users for security enhancement purposes. These changes should help exclude many cybersecurity products from the Arrangement's controls, since such products are typically used only with authorization for the purpose of enhancing security – as compared with (for example) FinFisher, which is not designed for cybersecurity protection. It's worth noting that our language is not based solely on the intent of the exporter, since the proposed language requires the software to be designed for security purposes, which is a more objective and technical measure than intent alone. In addition, we agree with the Depts. of State and Commerce that the control on "technology" should be removed because it is particularly overbroad.
Here is the Wassenaar Arrangement text with our suggested revisions (shown in red and strikethrough in the original post; that markup is not reproduced in this text):

4.A.5. Systems, equipment, and components therefor, specially designed or modified for the generation, operation or delivery of, or communication with, "intrusion software".

Note: 4.A.5 does not apply to systems, equipment, or components specially designed to be installed or used with authorization by administrators, owners, or users for the purposes of asset protection, asset tracking, asset recovery, or 'ICT security testing'.

4.D.4. "Software" specially designed or modified for the generation, operation or delivery of, or communication with, "intrusion software".

Note: 4.D.4 does not apply to "software" specially designed to be installed or used with authorization by administrators, owners, or users for the purposes of asset protection, asset tracking, asset recovery, or 'ICT security testing'. "Software" shall be deemed "specially designed" where it incorporates one or more features designed to confirm that the product is used for security enhancement purposes. Examples of such features include, but are not limited to: a. A disabling mechanism that permits an administrator or software creator to prevent an account from receiving updates; or b. The use of extensive logging within the product to ensure that meaningful actions taken by the user can be audited and verified at a later date, and a means to protect the integrity of the logs.

4.E.1.a. "Technology" [...] for the "development", "production" or "use" of equipment or "software" specified by 4.A. or 4.D.

4.E.1.c. "Technology" for the "development" of "intrusion software".

2) Redefining "intrusion software." Although the Wassenaar Arrangement does not directly control "intrusion software," the "intrusion software" definition underpins the Arrangement's controls on software, systems, or technology that operate or communicate with "intrusion software." Our goal here is to help narrow the definition of "intrusion software" to code that can be used for malicious purposes. To do this, we suggest redefining "intrusion software" as software specially designed to be run or installed without authorization of the owner or administrator and extracting, modifying, or denying access to a system or data without authorization.

Here is the Wassenaar Arrangement text with our suggested revisions:

Cat 4 "Intrusion software"

1. "Software" a. specially designed or modified to avoid detection by 'monitoring tools', or to defeat 'protective countermeasures', or to be run or installed without the authorization of the user, owner, or 'administrator' of a computer or network-capable device, and b. performing any of the following: b.1. The unauthorized extraction of or denial of access to data or information from a computer or network-capable device, or the modification of system or user data; or b.2. The unauthorized modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions system or user data to facilitate access to data stored on a computer or network-capable device by parties other than parties authorized by the owner, user, or 'administrator' of the computer or network-capable device.

3) Exceptions to the definition of "intrusion software." The above modification to the Arrangement's definition of "intrusion software" is not adequate on its own because exploits – which are routinely shared for cybersecurity purposes – are designed to be used without authorization.
Therefore, we suggest creating two exceptions to the definition of "intrusion software." The first is to confirm that "intrusion software" does not include software designed to be installed or used with authorization for security enhancement. The second is to exclude software that is distributed, for the purpose of preventing its unauthorized execution, to specific end users. Those end users include 1) organizations conducting research, education, or security testing, 2) computer emergency response teams (CERT), 3) creators or owners of products vulnerable to unauthorized execution of the software, or 4) an entity's subsidiaries or affiliates. So, an example: A German researcher discovers a vulnerability in a consumer software product, and she shares a proof-of-concept with 2) a CERT, and 3) a UK company that owns the flawed product; the UK company then shares the proof-of-concept with 4) its Ireland-based subsidiary, and 1) a cybersecurity testing firm. The beneficial and commonsense information sharing outlined in this scenario would not require export licenses under our proposed language.

Here is the Wassenaar Arrangement text with our suggested revisions:

Notes

1. "Intrusion software" does not include any of the following: a. Hypervisors, debuggers or Software Reverse Engineering (SRE) tools; b. Digital Rights Management (DRM) "software"; or c. "Software" designed to be installed or used with authorization by manufacturers, administrators, owners, or users for the purposes of asset protection, asset tracking, asset recovery, or 'ICT security testing'; or d. "Software" that is distributed, for the purposes of helping detect or prevent its unauthorized execution, 1) To organizations conducting or facilitating research, education, or 'ICT security testing', 2) To Computer Emergency Response Teams, 3) To the creators or owners of products vulnerable to unauthorized execution of the software, or 4) Among and between an entity's domestic and foreign affiliates or subsidiaries.

Technical Notes

1. 'Monitoring tools': "software" or hardware devices, that monitor system behaviours or processes running on a device. This includes antivirus (AV) products, end point security products, Personal Security Products (PSP), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) or firewalls.
2. 'Protective countermeasures': techniques designed to ensure the safe execution of code, such as Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) or sandboxing.
3. 'Authorization' means the affirmative or implied consent of the owner, user, or administrator of the computer or network-capable device.
4. 'Administrator' means owner-authorized agent or user of a network, computer, or network-capable device.
5. 'Information and Communications Technology (ICT) security testing' means discovery and assessment of static or dynamic risk, vulnerability, error, or weakness affecting "software", networks, computers, network-capable devices, and components or dependencies therefor, for the demonstrated purpose of mitigating factors detrimental to safe and secure operation, use, or deployment.

This is a complex issue on several fronts. For one, it is always difficult to clearly distinguish between software and code used for legitimately beneficial versus malicious purposes. For another, the Wassenaar Arrangement itself is a convoluted international legal document with its own language, style, and processes. Our suggestions are a work in progress, and we may ultimately throw our support behind other, more effective language. We don't presume these suggestions are foolproof, and constructive feedback is certainly welcome. Time is relatively short, however, as meetings concerning the renegotiation of the Wassenaar Arrangement will begin again during the week of April 11th.

It's also worth bearing in mind that even if many cybersecurity companies, researchers, and other stakeholders come to agreement on revisions, any final decisions will be made with the consensus of the 41 nations party to the Arrangement. Still, we hope suggesting this language helps inform the discussion. As written, the Arrangement could cause meaningful damage to legitimate cybersecurity activities, and it would be very unfortunate if that were not corrected.

Source: rapid7.com
