The Obama administration is committed to making sure that controversial proposals regarding the sale of spy software will not interfere with legitimate uses of cybersecurity tools, according to a letter written by the National Security Council.
One of the most contentious debates in information security has been around the Wassenaar Arrangement, a multilateral export-control agreement aimed at regulating the flow of conventional arms and dual-use technologies to repressive regimes. Proposals were written to add surveillance and "intrusion" software to that agreement, but critics argued that, as drafted, those additions would create all sorts of other problems for researchers and for cybersecurity more generally.
The infosec community has responded with heavy criticism, in part because the provisions would also encompass the tools white hat hackers use to test the strength of a customer's network, and could have a chilling effect on academics hunting for computer vulnerabilities. Congress has additionally pushed for a new approach.
A recently written letter from the National Security Council, first reported on by the Associated Press, suggests the Obama administration has now heard those concerns.
“The export of sophisticated hacking technologies to criminal organizations or repressive regimes is a legitimate national security concern,” Caroline A. Tess, special assistant to the President and senior director for legislative affairs at the National Security Council, wrote in a letter to Congressman Jim Langevin. “We agree that keeping these technologies from illegitimate actors must not come at the expense of legitimate cybersecurity activities that are vital to protecting our nation from rapidly evolving cyber threats.”
Langevin is co-chair of the Congressional Cybersecurity Caucus, and was one of 125 Members of Congress to write to National Security Advisor Susan Rice in December last year to share concerns that Wassenaar “could seriously hinder our national security without a significant overhaul.”
Their letter claimed the definition of “intrusion software” in Wassenaar was so broad that “it includes a number of products regularly used for cybersecurity research and defense.” These would include things such as commercial versions of the penetration-testing framework Metasploit, used for probing computer networks for vulnerabilities.
Information security experts have suggested that narrowing the definition would be one way to resolve the problem.
“Ultimately, we believe that the countries involved with the Wassenaar arrangement will have to revisit the inclusion of ‘intrusion software’ to focus more on the action taken by the malware, such as exfiltration or stealing of data,” wrote Katie Moussouris, chief policy officer of bug bounty site HackerOne, in July 2015 during the public comment period on the proposed Wassenaar rules.
But the government has said it will address these problems.
“The Administration is committed to taking into account the impact that any export control rule relating to cyber technology may have on our national security and adequately considering the burden that such a rule may place on legitimate cybersecurity activities,” the letter from Tess states.
Another round of public comments will be held after the revised rules come out, and according to the Associated Press, new wording for the arrangement is expected in the first half of the new year.