UPDATE: The U.S. government has decided to scrap the initial version of the Wassenaar Arrangement. The decision to do so was driven by the negative feedback from many of its stakeholders. This is a great example of the system working and common sense prevailing. I’d like to see this happen more often.
I’m going to keep this quick, pithy, and ranty. The fine folks at Google have a good rant on this as well and is worth a read.
First off, let me explain what I’m all rantified about. The Wassenaar Arrangement is an agreement among 41 states that aims to manage the transfer of conventional arms and dual-use goods around the world such that the troublemakers of the world don’t amass a sufficient volume of weapons to raise a ruckus much outside the perimeters of their sovereign boundaries. I’m paraphrasing a bit but you get the idea.
The Wassenaar Arrangement sounds like a good idea on paper and I think it has done a lot to promote the general political stability of the world. However, the most recently proposed modification includes tools the good guys use to keep your data safe. These tools fall under the “dual-use” goods mentioned in the Wassenaar Arrangement. You can use many security tools to secure your data as well as compromise the data of others. Where do we draw the line between acceptable and unacceptable use?
If we had a discrete, clearly defined list of technologies they wanted to control, I’d be much less ranty. As it stands, here is the Scope of the New Entries makes my eye start twitching:
Systems, equipment, components and software specially designed for the generation, operation or delivery of, or communication with, intrusion software include network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices. Certain penetration testing products are currently classified as encryption items due to their cryptographic and/or cryptanalytic functionality. Technology for the development of intrusion software includes proprietary research on the vulnerabilities and exploitation of computers and network-capable devices. The new entry on the CCL that would control Internet Protocol (IP) network communications surveillance systems or equipment is restricted to products that perform all of the functions listed; however, the Export Administration Regulations (EAR) also prohibits the export of equipment if the exporter intends it will be combined with other equipment to comprise a system described in the new entry.
That scope could be interpreted to include items such as the antivirus software you have installed on your workstation, the tools that encrypt the data on your phone, or your web browser.
I have four big problems with the updated Wassenaar Arrangement:
- The verbiage is ambiguous. It’s hard to tell what could get pulled into scope.
- It places additional burdens on the teams defending your data from breach in terms of time, cost, and complexity. When was the last time you went through a government licensing process that was quick, cheap, and easy?
- It makes it more difficult for the good guys to share information and INFOSEC profession already sucks at information sharing. Post a code sample online and suddenly you are an “exporter”.
- Enforcement will be a trick. Keeping track of physical weapons and dual-use tools can be hard. It approaches impossible when you virtualize them.
The net result is that this regulation makes it exponentially more difficult for the Good Guys to do their jobs. That makes the Bad Guys’ job exponentially easier and your data exponentially more probable to be compromised.
Perhaps we could solve the problem by approaching it from a different angle. Instead of requiring a license to discuss, use, and export security tools, what if we were to require a license to develop software? It seems to me that would be addressing the cause of the problem rather than just a symptom of the problem.