Wassenaar Arrangement Goes Back to the Drawing Board

The US government has decided to bin its controversial proposals for restrictions on the export of intrusion software and start again.

After a meeting with industry stakeholders yesterday, a Commerce Department spokesman hinted that the decision was taken in light of the large number of comments received regarding the latest iteration of the Wassenaar Arrangement.

“All of those comments will be carefully reviewed and distilled, and the authorities will determine how the regulations should be changed,” he told Reuters. “A second iteration of this regulation will be promulgated, and you can infer from that that the first one will be withdrawn.”

The 41-country Wassenaar Arrangement is an export treaty covering so-called ‘dual use’ technologies which can be used for both peaceful and military purposes.

The US proposals for updating the pact included provisions to add ‘intrusion software’ to the list of technologies requiring a license to export across borders – the idea being to clamp down on the sale of spyware to corrupt regimes around the world.

However, experts and technology companies revolted, claiming the definition of intrusion software was too broad and would end up banning the sale of legitimate tools for finding software flaws.

Symantec wrote a highly critical blog post earlier this month claiming “the proposed rule would severely damage legitimate vulnerability research and security testing worldwide, and thus undermine our ability to protect our own networks and to innovate cybersecurity products and service.”

Then Google weighed in, arguing that the terms defining export controls should be rewritten so that everyone could understand them, and that the rules should be changed so that multinationals can share information on vulnerabilities internally with offices in different countries without having to apply for new licenses each time.

Symantec, for one, welcomed the rethink from the US Department of Commerce.

It sent the following statement to Infosecurity.

“Symantec is encouraged by the Commerce Department’s acknowledgment today that the current Wassenaar proposed rule is overly broad and would harm cybersecurity innovation, testing, and research. While we still believe the best course of action is for the US Government to return to the Wassenaar Plenary to amend the arrangement itself, we look forward to working closely with Commerce to develop and review any future proposals.”
