Security researchers have been left in the lurch after negotiators failed to find a breakthrough in talks designed to update a controversial export treaty which currently treats white hat hacking tools like weapons.
The Wassenaar Arrangement is a 41-country pact to restrict the export of weapons and “dual use” technologies.
It was updated in 2013 to include “intrusion software” in a bid to prevent repressive regimes getting their hands on tools which could help them monitor dissidents and political activists.
However, the security industry revolted, claiming the language used in the update was too broad and would also require researchers to apply for export licenses simply to share code and tools with colleagues and partners across borders – hampering white hat efforts.
The US government finally recognized this in 2015 and has since been trying to persuade all countries involved to agree on new language – but reaching that agreement has proven too difficult this year.
Congressman Jim Langevin, co-chair of the Congressional Cybersecurity Caucus, expressed disappointment at the outcome.
“For over a year, I have led my colleagues in Congress in calling for a careful review of these controls, which could harm our nation’s cybersecurity by making it more difficult to quickly share defensive tools and close vulnerabilities,” he said in a statement. “The small changes clarifying the role of ‘command and control’ functionality that were made at the annual meeting, while needed, are simply insufficient to address the broader flaws in the language.”
Harley Geiger, director of public policy at Rapid7, argued that without the changes, the arrangement would impede the work needed to advance cybersecurity efforts around the globe.
“Although some helpful changes were made, the problematic ‘technology’ category definition was not changed,” he explained. “This broad description could result in security researchers and companies having to obtain export licenses in order to share exploit code across borders. Sharing this kind of information is currently a relatively routine part of identifying and mitigating security vulnerabilities.”
The hope is that the Trump administration will continue to fight for changes to the language in the pact.