Without much fanfare, negotiators crafting changes to the Wassenaar Arrangement earlier this month moved to make things easier for infosec white-hats.
Wassenaar is an arms-control pact in which more than 40 nations agreed to limit the export of certain types of weaponry and "dual-use products." Usually this covers conventional weaponry.
However, in 2013, new wording was introduced to the rules that banned the export of software tools that could be used for online warfare – particularly code to exploit and attack insecure programs and servers. This has made life tricky for infosec pros who need such software to, for example, audit organizations' networks.
As we reported last year, the talks to clarify the Wassenaar rules, in light of complaints from the information security world, have been proceeding at a glacial pace, which is bad news for the IT sector.
Tools such as Metasploit, to pick just one example, would, if the aforementioned interpretation stood, require export licenses to distribute among Wassenaar states – a tedious process that leaves researchers at the mercy of bureaucratic whim.
Earlier this month, as recorded in this document [PDF], a few minor changes in wording were made that change the picture.
At the December meeting, the parties agreed to add technical notes “for the local definitions [of] 'vulnerability', 'disclosure' and 'cyber incident response'”, and adopt a revised statement of understanding for the section (4.E.1 of the dual use technologies list).
The most current version [PDF] of the controlled products list now explains that the two worrying items (4.E.1.a and 4.E.1.c) “do not apply to 'vulnerability disclosure' or 'cyber incident response'”.
The list also defines vulnerability disclosure so as to allow individuals and organisations “responsible for conducting or coordinating remediation” to communicate and analyse vulnerabilities.
'Cyber incident response' also gets a definition, so individuals and organisations can exchange information to help them resolve incidents.
So what? According to this commentary published at The Hill, by Luta Security's Katie Moussouris – a participant in the talks as a vulnerability expert – it's important, because “the specific cross-border sharing activities around vulnerability disclosure and security incident response are exempt from requiring export control licenses as dictated by Wassenaar.”
According to the December plenary statement of outcomes [PDF], controls over computers were also relaxed, partly because performance-based export controls quickly fall behind the development of newer, bigger, and faster machines. ®