Google and Black Hat hit out against cyber security export bans through Wassenaar Arrangement
Black Hat and Google are making themselves heard, since today is the last day for public comments on the Wassenaar Arrangement.
What is an Wassenaar Arrangement?
The Wassenaar Arrangement is a multilateral export control regime (MECR) with 41 participating states including many former COMECON (Warsaw Pact) countries. The Wassenaar Arrangement was set up to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus stopping unrest in accumulations.
However, a proposed rule change to the Wassenaar Arrangement — an international agreement that started in 1996 concerning the sale and export of military-grade weapons — poses threats to the ability of independent researchers to reveal susceptibilities and in exchange for money provide proof-of-concept code. However, Google and Black Hat believe that this rule change would have a notable and negative effect on the security industry, and would likely disproportionately affect self-employed, independent researchers from making a livelihood on bug bounties.
How it changes the threat landscape:
The U.S. Department of Commerce Bureau of Industry and Security (BIS) has recommended export rules to cover “systems, equipment, components and software specially designed for the generation, operation or delivery of, or communication with, intrusion software [including]network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices.” These suggested rules have been publicly denounced by Google and Black Hat.
Black Hat did not comment much, all they do is leave the majority of the conversation for a panel during the Black Hat conference which would hold next month, but pointed out that “as currently written, has the potential to significantly restrict and/or eliminate the depth and types of research curated by many members of our security community, especially those that collaborate internationally.”
These proposed changes to the Wassenaar Agreement are likely to hurt Black Hat hackers profiting from the sale of these susceptibilities or finished products (spyware, trojans, etc.) to governments and criminal organizations using them for wicked or criminal purposes.
However, on the other hand, Google in a blog post today said in details that rules are “dangerously broad and vague” and eventually not feasible. According to the BIS, details regarding susceptibilities and their causes cannot be controlled, while Google said the rules are wide enough that in certain cases such details could be controlled.