There was good news for white hats this week after it was revealed the US government has listened to industry over a controversial clause in a weapons export pact which threatened to severely limit the use of security testing tools.
The Wassenaar Arrangement was originally agreed between 41 countries and was intended to prevent the export of dual-use technologies to criminal organizations or repressive regimes.
However, intrusion software, network surveillance tools and other related products were provisionally added to the list after a proposal to update the pact in 2013 – prompting an outcry last year.
Opponents of the proposals argued that while the export of sophisticated hacking tools does represent a legitimate national security concern, the definition of intrusion software was too broad and would end up banning the sale of legitimate tools for finding software flaws.
Many big name corporates including Symantec and Google threw their weight behind those calling for a rethink of the amendment.
The latter claimed that as it operates in numerous countries around the globe, it would be forced to request tens of thousands of licenses from the Commerce Department to share tools and information related to security testing, even internally between staff.
One of the 125 members of Congress who wrote a letter of complaint about the proposals to National Security Advisor Susan Rice last year was Jim Longevin, co-chair of the Congressional Cybersecurity Caucus.
In a response to that letter made public this week, special assistant to the president, Caroline Tess, explained that in light of the complaints, the Department of Commerce will now be seeking “one more round of public comment on a revised draft rule.”
Responding on behalf of Rice, she wrote:
“The Administration is committed to taking into account the impact that any export control rule relating to cyber-technology may have on our national security and adequately considering the burden that such a rule may place on legitimate cybersecurity activities.”
As a result, the government has “intensified” its engagement with industry experts “on how to mitigate the national security risks posed by the proliferation of cyber-tools in a manner consistent with promoting cybersecurity.”
The letter was given a cautious welcome by Longevin, who argued that it may take more than a final round of comments and rewrites to reach a satisfactory conclusion.
“As we learned at the Homeland Security Committee hearing last month, the underlying problem may lie in the Arrangement language itself, meaning the only solution may be to go back to Wassenaar and renegotiate,” he wrote in a blog post.
“I am confident that the NSC, with additional insight from industry leaders and cybersecurity experts, will be able to guide the interagency to an outcome that protects our national security, and I look forward to continuing my work with Chairman McCaul to monitor this process.”
Eric O’Neill, national security strategist for Carbon Black and a former FBI counterterrorism expert, hailed the decision to revisit the treaty as a win for security, claiming the original proposal “left too many grey areas.”
“The industry as a whole needs to unite against the cyber threats we are facing – putting shackles on researchers who are doing important work to help us understand how our enemies operate and identify their potential weaknesses will be counterproductive in the long run,” he told Infosecurity.
“We are all in the same fight against the bad guys; we need to have some freedom to do our jobs and help protect people and companies against attackers.”