Microsoft and pals re-write arms control pact to save infosec industry

Wassenaar Arrangement aims to stop sale of spyware to rogue states, but also goes further

Microsoft and a team of concerned engineers from across the security sector have joined forces to suggest a major re-write of the arms control pact the Wassenaar Arrangement, as they fear the document's terms are a threat to the information security industry.

The pitch is the result of brainstorming by the group to redefine the core aims of the Arrangement, which aims to restrict export of both weapons and "dual-use" items that have military potential beyond their main functions. The Arrangement was negotiated and signed behind closed doors in 2013, without the infosec industry's participation.

The Arrangement's provisions (see this PDF) are so broad that, in aiming to stop the sale of exploitation software to regimes with poor human-rights records, they promise to impact almost every aspect of the information security industry.

If the Wassenaar Arrangement carries through under its current state, it will force Microsoft to submit some 3800 applications for arms export every year, company assistant general counsel Cristin Goodwin says.

"However we tweak the implementation, the definition is still going to be the problem," Goodwin told the RSA Asia Pacific Security conference in Singapore today.

"No-one on the government side is willing to change the definition and that is the problem.

"It talks about [restricting] the modification of the intended path of a file - this is fundamental to information technology."

Symantec director government affairs Brian Fletcher (left) with Microsoft assistant general counsel Cristin Goodwin.

Image: Darren Pauli, The Register.

While the US, through the Department of Commerce, has opened up to discussion about the Arrangement in recent months, it will not negotiate on changing the definitions on which the Arrangement's dual-use restrictions are based.

Goodwin did not reveal the names of the companies or engineers who worked together to ink a new technology-savvy re-draft of the document.

She says its central definition is solid, and will serve to more effectively restrict the movement of spyware like Hacking Team's trojans, while relieving a tortured security industry of the threat of massive fines and jail time for the regular and essential disseminating of exploit code.

The proposed new definition reads, with Goodwin's emphases included:

"Intrusion delivery platforms’ are defined as systems, equipment, components and software specifically designed for use in offensive intrusion and remote monitoring and that demonstrate elements of vulnerability exploitation, evasion, and enabling subversion or destruction."

Goodwin fleshed out the re-draft with Brian Fletcher, a former Australian Signals Directorate executive who worked in the security sphere and sat on the nation's latent Wassenaar Arrangement technical committees until November 2015 before becoming director of government affairs for Symantec's Asia Pacific operations.

"Dual-use technology controls are by definition very difficult," Fletcher told The Register. "We need to ask questions like 'is this something that could be best handled by industry?'"

The Wassenaar Arrangement caught all corners of the security industry off guard, but its full potentially-devastating effects will only be realised in coming months and years.

Champions of the security cause such as Goodwin, Fletcher, and industry icon Katie Moussouris have stepped up to take the technology cause straight to the halls of government, including the European Commission and the White House.

Yet of the more than 5,000 delegates to the RSA conference, this reporter counted just eight in the 9:00AM day one session discussing the Wassenaar Arrangement.

The effects of the Arrangement are now well-stated. While your correspondent was the first scribe to cover the updated Arrangement, dozens of articles have been written since, covering the localised impacts that could arise from the regime's various implementations by signatory nations.

"How did we miss it?" Goodwin says. "It became one of the largest set of comments the (US) Department of Commerce had ever received, which shows quite an oversight by the Department."

"It is an unintended consequence of the Arrangement, but it is here now," Goodwin adds.

Goodwin and Fletcher are calling on the industry to lobby their agencies to overhaul the dual-use software definition of the Arrangement ahead of a closed-door meeting in September where changes can be proposed.

The US has held back on implementing the Arrangement in case changes should come into effect in the final vote in December.

Should the Arrangement come into force in its current state, the industry will feel the "real pain" when the US begins enforcement.

Australians can write to the Defence Export Controls, Americans to the Department of Commerce, and Britons to the Government Communications Headquarters (GCHQ).

"As it is this (the Arrangement) is our worst choice," Goodwin says. "Let's change it." ®
