Microsoft and pals re-write arms control pact to save infosec industry
Wassenaar Arrangement aims to stop sale of spyware to rogue states, but also goes further
Microsoft and a team of concerned engineers from across the security sector have joined forces to propose a major re-write of the Wassenaar Arrangement arms control pact, as they fear the document's terms are a threat to the information security industry.
The pitch is the result of brainstorming by the group to redefine the core aims of the Arrangement, which seeks to restrict the export of both weapons and "dual-use" items that have military potential beyond their main functions. The current controls were negotiated and adopted behind closed doors in 2013, without the infosec industry's participation.
The Arrangement's provisions (see this PDF) are so broad that, in aiming to stop the sale of exploitation software to regimes with poor human-rights records, they threaten to touch almost every aspect of the information security industry.
If the Wassenaar Arrangement is implemented in its current form, it will force Microsoft to submit some 3,800 arms export applications every year, company assistant general counsel Cristin Goodwin says.
"However we tweak the implementation, the definition is still going to be the problem," Goodwin told the RSA Asia Pacific Security conference in Singapore today.
"No-one on the government side is willing to change the definition and that is the problem.
"It talks about [restricting] the modification of the intended path of a file - this is fundamental to information technology."
Symantec director government affairs Brian Fletcher (left) with Microsoft assistant general counsel Cristin Goodwin.
Image: Darren Pauli, The Register.
While the US, through the Department of Commerce, has opened up to discussion about the Arrangement in recent months, it will not negotiate on changing the definitions on which the Arrangement's dual-use restrictions are based.
Goodwin did not reveal the names of the companies or engineers who worked together to ink a new technology-savvy re-draft of the document.
She says its central definition is solid, and will serve to more effectively restrict the movement of spyware like Hacking Team's trojans, while relieving a tortured security industry of the threat of massive fines and jail time for the regular and essential dissemination of exploit code.
The proposed new definition reads, with Goodwin's emphases included:
"'Intrusion delivery platforms' are defined as systems, equipment, components and software specifically designed for use in offensive intrusion and remote monitoring and that demonstrate elements of vulnerability exploitation, evasion, and enabling subversion or destruction."
Goodwin fleshed out the re-draft with Brian Fletcher, a former Australian Signals Directorate executive who worked in the security sphere and sat on the nation's Wassenaar Arrangement technical committees until November 2015, before becoming director of government affairs for Symantec's Asia Pacific operations.
"Dual-use technology controls are by definition very difficult," Fletcher told The Register. "We need to ask questions like 'is this something that could be best handled by industry?'".
The Wassenaar Arrangement caught all corners of the security industry off guard, but its full, potentially devastating, effects will only be realised in the coming months and years.
Champions of the security cause such as Goodwin, Fletcher, and industry icon Katie Moussouris have stepped up to take the technology cause straight to the halls of government, including the European Commission and the White House.
Yet of the more than 5,000 delegates to the RSA conference, this reporter counted just eight in the 9:00AM day one session discussing the Wassenaar Arrangement.
The effects of the Arrangement are now well documented. While your correspondent was the first scribe to cover the updated Arrangement, dozens of articles have been written since, covering the localised impacts that could arise from the regime's various implementations by signatory nations.
"How did we miss it?" Goodwin says. "It became one of the largest set of comments the (US) Department of Commerce had ever received, which shows quite an oversight by the Department."
"It is an unintended consequence of the Arrangement, but it is here now," Goodwin adds.
Goodwin and Fletcher are calling on the industry to lobby their agencies to overhaul the dual-use software definition of the Arrangement ahead of a closed-door meeting in September where changes can be proposed.
The US has held back on implementing the Arrangement pending any changes that may be adopted at the final vote in December.
Should the Arrangement come into force in its current state, the industry will feel the "real pain" when the US begins enforcement.
Australians can write to the Defence Export Controls, Americans to the Department of Commerce, and Britons to the Government Communications Headquarters (GCHQ).
"As it is this (the Arrangement) is our worst choice," Goodwin says. "Let's change it." ®