The commenting period regarding the Wassenaar Arrangement expired on Monday but the echo chamber around the largely maligned proposal continues to reverberate. Several stakeholders implicated in the proposal added their voices to that chamber on Friday morning, urging the government to revise particulars of the proposal that they believe will ultimately constrain security research and severely hamper day-to-day operations at multiple security firms.
Legal representatives from Microsoft, FireEye, Symantec, and security experts from other companies discussed the arrangement Friday morning during a panel, “Decoding the BIS Proposed Rule for Intrusion Software Platforms,” at the Center for Strategic & International Studies in Washington.
Cristin Goodwin, a senior attorney for Microsoft, warned that in its current incarnation the Commerce Department’s implementation of Wassenaar would bring research at the company, most of which follows the sun–going country to country in real time–to a screeching halt.
Goodwin claimed the rules don’t make sense for companies who do this kind of work regularly, pointing out that they’d especially impede the reverse engineering of malware, something researchers at Microsoft do daily, Goodwin claimed.
“To be able to understand [malware] — what it is, what it does, you’d have to go get a license. How do you define or describe this category? If you’re looking to articulate what this is, you’re bringing into scope the everyday activities of security companies here,” Goodwin said.
Under the Wassenaar proposal, brought forth by the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) back in May, the export of what BIS refers to as intrusion software would be tightened. For many companies, to carry out certain research activities, they’d be forced to request export licenses, something that many security officials believe would work against the idea of information sharing.
The issue has been a largely one-sided one. Vagaries in the rule’s wording have many believing that under Wassenaar, export control authorities, not vulnerability researchers, will dictate the tempo of legitimate research and exploit development. As it stands, the rules, already adopted by the EU, aim to curb intrusion software like FinFisher and Hacking Team’s Remote Control System.
Officials at Google called out the arrangement on Monday, insisting the rules aren’t feasible and would have a “significant negative impact” on security research, possibly requiring the company to request thousands or tens of thousands of export licenses for its research.
Laura Galante, the director of threat intelligence at FireEye, echoed those sentiments Friday morning, saying that like Google, her company’s research team would have to file for tens of thousands of licenses and that they’d likely also be working against the presumption of denial, something that could eventually breed a defeatist “don’t bother” mentality.
Katie Moussouris, chief policy officer at HackerOne, was one of the first to publish her feelings on the proposed rules. On Friday, she described to the panel how companies that specialize in cybersecurity defense would be more harmed by Wassenaar than those who cater to offense. Moussouris described how Microsoft, her former employer – and bug bounty companies like HackerOne – have benefited from bounty programs that wouldn’t have been able to flourish under the proposed agreement. Specifically Moussouris referenced the success of Microsoft’s Mitigation Bypass Bounty program.
“The reason why that bounty program exists is because the only other way that a company like Microsoft can learn about new exploitation techniques was through actual attacks. Providing a defensive incentive to bring those forward earlier gives Microsoft a head start in defense,” Moussouris said. “That program was launched a few months before Wassenaar added those rules.”
“Microsoft has awarded that bounty five times in the past two years. That’s five times that Microsoft has gained access to technology that’s regulated in this proposal and five times that Microsoft would have not had access to that information to build a more secure operating system,” Moussouris said. “This is a concrete example of how this regulation impacts defense.”
In the end, rules may actually prove fruitless, Stewart Baker, a partner at Steptoe & Johnson LLP, said during the panel. Baker remarked that many of the more serious and restrictive Wassenaar rules date back to the Cold War, and admitted that relying on criminal prosecution might be a better move.
“No export control regime is going to have any impact on the bad guys, they already have the tools,” Baker said.
“What we’re looking at here is the U.S. taking unilateral control of its tech industry,” Baker said.