Export controls have become a dirty phrase in the security community, especially among researchers, pen testers, and others who rely on vulnerability information and exploits to do their jobs. And if the Wassenaar Arrangement rules proposed by the United States aren’t modified significantly before they’re implemented, dark days may lie ahead for the research community, experts say.
The U.S. implementation of the rules, which govern the export of so-called intrusion software among other things, has been criticized sharply by lawyers, security researchers, and software vendors, who say that the proposed rules are too vague and threaten to chill legitimate security research and other activities.
“The rules that we got on May 20 are confusing to say the least. The Commerce Department didn’t have any experience with these kind of rules,” Nate Cardozo, a staff attorney at the EFF, said during a panel on Wassenaar at the Black Hat conference here Thursday. “They are really horrendously vague.”
The Bureau of Industry and Security at the Commerce Department proposed the rules in May and opened up a 60-day comment period. Many security researchers and attorneys submitted comments, and the BIS has said it will revise the rules and open them up for public comment again, a somewhat unusual move. But researchers and security experts say that unless the rules are altered significantly, trouble is likely ahead.
“We are in danger of entering a prohibition era for exploitation and security research,” said Katie Moussouris, chief policy officer at HackerOne. “We don’t need to suffer the consequences of such a state.”
The Wassenaar rules have been compared in many circles to the export controls on encryption software that came into effect in the 1990s in the U.S. Moussouris said there is an important lesson to be drawn from the way the crypto controls were handled.
“We should learn how much those controls did the opposite of what was intended, which is weakening the security of the Internet as a whole,” she said.
Because the BIS rules as currently written are so vague about what constitutes intrusion software, things such as Metasploit and other common offensive tools could be regulated. And even sharing information about your own security research with a co-worker in another country could cause issues. Researchers are quite wary of these ambiguities and worry that their day-to-day work may be restricted.
“As a security researcher, I don’t want to have to consult a lawyer before I go to work,” said Dino Dai Zovi, a longtime security researcher.