The inclusion of intrusion software on the Wassenaar control list was done with good intentions, Galperin said in a blog post. The original proposed rule, issued by the Bureau of Industry and Security (BIS), contained flaws. Coauthored by House Cybersecurity Caucus co-chairs Jim Langevin dr. According to Moussouris, when Wassenaar delegates agreed to include the tools under the treaty in December 20, they adopted an overly broad definition of computer intrusion technology which would have inadvertently outlawed much of the business that's done across the global cybersecurity industry. Mar 01, 2016: Obama administration softens stance on Wassenaar. The Wassenaar Arrangement, once used primarily to help slow the proliferation of conventional military weapons and technology like advanced radar systems, added command and delivery platforms for intrusion software and intrusion software technology in 20, classifying both as items requiring export licenses. Jul 28, 2015: Wassenaar rules are not the right direction. The Hacking Team data leak shed light on the business of zero-days and intrusion software, notably in countries such as Ethiopia, Sudan, Russia or Kazakhstan. Speaker, securing our networks from cyber attack is a challenging task. DHS cyber czar, tech titans tell Commerce to rethink hacking.
Mar 01, 2016: The White House, lawmakers said yesterday, wants to renegotiate the divisive U. Is proposed rule, Wassenaar Arrangement 20 plenary agreements implementation. In December, new export control rules for computer network intrusion software were published by the Wassenaar Arrangement, an international body that governs trade in goods with military and. Commerce Department FAQ on proposed Wassenaar implementation.
McCaul and Langevin urge administration to weigh in on. A letter signed by over a quarter of the House of Representatives and sent Wednesday to National Security Adviser Susan Rice called on the White House to revise the U. For those of you who are new to the debate over Wassenaar and would like to know just what it is and why you might care about it, click here for our. Congressman Jim Langevin (D-RI), co-founder and co-chair of the Congressional Cybersecurity Caucus and a senior member of the House Committees on Armed Services and Homeland Security, released a statement in response to changes made to intrusion software export controls at the recent Wassenaar Arrangement plenary session. Microsoft's comments on the proposed rule under the. The White House vowed more consultations in a response to a House of Representatives letter sent to National Security Adviser Susan Rice late last year urging a revision to implementation of export controls on cybersecurity intrusion software. Langevin statement on Wassenaar Arrangement plenary. US to renegotiate rules on exporting intrusion software.
DHS cyber czar, tech titans tell Commerce to rethink. By adding the removal of the technology control to the agenda at Wassenaar. Dec 19, 2016: Congressman Jim Langevin (D-RI), co-founder and co-chair of the Congressional Cybersecurity Caucus and a senior member of the House Committees on Armed Services and Homeland Security, released a statement in response to changes made to intrusion software export controls at the recent Wassenaar Arrangement plenary session. Changes to export control arrangement apply to computer. The congressmen flagged concerns about the 20 addition of intrusion software controls to the Wassenaar Arrangement's list of dual-use technologies that members must subject to export controls. Dec 21, 2017: Infosec controls relaxed a little after latest Wassenaar meeting. Intrusion software now export-controlled as dual-use under. Today I participated in the Center for Strategic and International Studies (CSIS) discussion on decoding the BIS proposed rule for intrusion software platforms and the important topic of the Department of Commerce's proposed rule on intrusion software under the Wassenaar Arrangement. Controlled items put security research and defense at risk. Cybersecurity and the Wassenaar Arrangement: what needs to. Wassenaar Arrangement 20 plenary agreements implementation.
Silicon Valley squares off with White House over arms. Intrusion and surveillance items, released in the Federal Register on May 20, 2015 (the proposed rule). Serious progress made on the Wassenaar Arrangement for global. Controls would not apply to intrusion software itself. For those of you who are new to the debate over Wassenaar and would like to know just what. Changes made in 20 sought to extend export controls to cybersecurity intrusion and surveillance software and technology. Written testimony of Cristin Flynn Goodwin, assistant general. Hacking Team series: the Wassenaar Arrangement (ENISA). The Wassenaar Arrangement (Wassenaar or WA) on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a group of 41 like-minded states committed to promoting responsibility and transparency in the global arms trade, and preventing destabilizing accumulations of arms. Langevin asked and was given permission to address the House for 1 minute and to revise and extend his remarks. The administration filed a proposal on Monday to eliminate the 20 controls on the development of intrusion software, according to a congressional aide with knowledge of the proceedings.
Wassenaar is a multilateral export control regime established in 1996 to contribute to international security and stability by promoting responsibility and. House urges administration to revise implementation of. Wassenaar is an arms-control pact in which more than 40 nations agreed to limit the export of certain types of weaponry and dual-use products. May 02, 2016: While well-intentioned, the Wassenaar Arrangement's intrusion software control was imprecisely drafted, said Langevin in the February statement, and it has become evident that. In the current item list, intrusion software is clari. It remains an open question whether the Trump administration will move to implement the existing language in the meantime. Phyllis Schneck for a joint House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, and House Committee on Oversight and Government Reform, Subcommittee on Information Technology hearing titled. Mar 02, 2016: US to renegotiate rules on exporting intrusion software. Langevin statement on Obama administration's decision to.
Obama administration softens stance on Wassenaar (The Register). Revisions to Wassenaar cyber export-control agreement gain industry support. Last month, changes to the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (Wassenaar Arrangement) placed zero-days, other computer exploits, and potentially more categories of. Dec 17, 2015: The rule was in line to the addition of intrusion software as a category in the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. White House promises more consultations in response to. Implicitly, such software is related to previously unregulated software. In December, new export control rules for computer network intrusion software were published by the Wassenaar Arrangement, an international body. The Wassenaar Arrangement (BSA, The Software Alliance). The White House wants to renegotiate the divisive U. In May 1996, 41 countries came to Wassenaar, a small town in the Netherlands, to sign what was to be called the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. Infosec controls relaxed a little after latest Wassenaar. The Wassenaar Arrangement is a 41-country international export control agreement. The Wassenaar Arrangement helps member countries create common definitions of goods and technologies that can be used for both peaceful and military purposes. While well-intentioned, the Wassenaar Arrangement's intrusion software control was imprecisely drafted, said Langevin in the February statement, and it has become evident that.
Dec 16, 2015: The underlying goal of the export controls, which were agreed to by the 41 member states of the Wassenaar Arrangement, is to restrict the export of hacking tools, or intrusion software, that could be used for cybercrime and illegal surveillance. May 09, 2016: While well-intentioned, the Wassenaar Arrangement's intrusion software control was imprecisely drafted, said Langevin in the February statement, and it has become evident that. Langevin asked and was given permission to address the House for 1 minute and to revise and extend his re. The White House, lawmakers said yesterday, wants to renegotiate the divisive U. Obama administration softens stance on Wassenaar the. Cybersecurity and the Wassenaar Arrangement: what needs to be done in 2017. The letter's authors, House Cybersecurity Caucus co-chairs Jim Langevin dr. This paper analyzes a recent debate on regulating cyber weapons through multilateral export controls. In 20, the Wassenaar Arrangement added a new category pertaining to intrusion software that could potentially be used as monitoring tools, or to thwart protective countermeasures.
However, some technology companies have expressed concerns that the scope of the controls may be too. Revisions to Wassenaar cyber export-control agreement gain. In addition, US-based arms of cybersecurity companies may not be able to. Guest blog by James Gannon, director and principal of Cyber Invasion, Ltd. The inclusion of intrusion software on the Wassenaar control list was done with good intentions. Federal Register: Wassenaar Arrangement 2016 plenary. The Wassenaar Arrangement was established 20 years ago to apply to conventional arms and dual-use goods and technology. White House cybersecurity coordinator at the time, praised the US. Serious progress made on the Wassenaar Arrangement for. Reached in 20, the Wassenaar Arrangement bans multinational firms and cyber vendors from transmitting information about intrusion software across borders without first obtaining a license.
New changes to Wassenaar Arrangement export controls will. WA: the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. These export controls, requirements that organizations selling or sending technologies with potential military applications abroad obtain a license from the Commerce. Written testimony of NPPD Deputy Under Secretary for Cybersecurity and Communications Dr. Jan 16, 2018: In December, new export control rules for computer network intrusion software were published by the Wassenaar Arrangement, an international body that governs trade in goods with military and. Researchers and companies routinely develop proofs of concept to. BIS also proposes to add the definition of intrusion software to the. Jan 11, 2016: January 11, 2016, Congressional Record (House) H259: Intrusion software and the Wassenaar Arrangement, Mr. More recently, offensive network intrusion tools such as exploit toolkits have. McCaul and Langevin urge administration to weigh in on Wassenaar. Confusion over the Department of Commerce's proposed implementation of the latest changes to the Wassenaar Arrangement's export controls continues.
Without much fanfare, negotiators crafting changes to the Wassenaar Arrangement earlier this month moved to make things easier for infosec white hats. State Department will try to fix Wassenaar Arrangement. A nearly two-year effort to renegotiate language related to export controls around intrusion software in the Wassenaar Arrangement was rejected earlier this month during the member states. The expansion at the end of 20 included definitions for intrusion software and IP network surveillance. Dec 20, 2016: A nearly two-year effort to renegotiate language related to export controls around intrusion software in the Wassenaar Arrangement was rejected earlier this month during the member states. Langevin statement on Wassenaar Arrangement plenary session. Congressman Jim Langevin (D-RI), co-founder and co-chair of the Congressional Cybersecurity Caucus and a senior member of the House Committees on Armed Services and Homeland Security, released a statement in response to changes made to intrusion software export controls at.
The Congressional Record is the official daily record of the debates and proceedings of the U. White House promises more consultations in response to House. Jan 12, 2016: Silicon Valley squares off with White House over arms control pact. The Wassenaar Arrangement aims to reduce the supply of spy software for authoritarian states. Jan, 2016: Reached in 20, the Wassenaar Arrangement bans multinational firms and cyber vendors from transmitting information about intrusion software across borders without first obtaining a license.
Wassenaar defined intrusion software as software specially designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures, and that either extracted data from a computer or network device or modified the standard execution path of a program to allow the execution of externally provided instructions. Public statements: letter to Lieutenant General Michael T. Obama administration to renegotiate rules for intrusion. The United States successfully negotiated research-use exceptions to export controls on surveillance tools at the December 2017 meeting of the Wassenaar Arrangement, a club of advanced economies that coordinates export controls. The Wassenaar Arrangement's language on intrusion so. Our goal here is to help narrow the definition of intrusion software to code that. Infosec controls relaxed a little after latest Wassenaar meeting. Jun 12, 2015: Confusion over the Department of Commerce's proposed implementation of the latest changes to the Wassenaar Arrangement's export controls continues. Dec 20, 2017: The basic problem with Wassenaar stems from the vast overbreadth of the definition of intrusion software itself, he said. At issue is the so-called Wassenaar Arrangement for restricting access to conventional arms and dual-use goods, which was expanded several years ago to include intrusion software. Silicon Valley squares off with White House over arms control pact. The Wassenaar Arrangement aims to reduce the supply of spy software for authoritarian states. Intrusion and surveillance items: Bob Rarog, Bureau of Industry and Security, Robert.
Written testimony of NPPD for a joint House Homeland. While well-intentioned, the Wassenaar Arrangement's intrusion software control was imprecisely drafted, and it has become evident that there is simply no way to interpret the plain. Cybersurveillance export control reform in the United States. Late in 20, a group of 41 countries agreed to expand an agreement about export controls. Congressman Jim Langevin (D-RI), a senior member of the House Committee on Homeland Security and co-founder of the Congressional Cybersecurity Caucus, issued the following statement about the Obama administration's decision to renegotiate portions of the Wassenaar Arrangement with respect to controls on intrusion software. The WA was designed to promote transparency, exchange of views and information and greater responsibility in transfers of. The Wassenaar Arrangement (WA), the first global multilateral arrangement on export controls for conventional weapons and sensitive dual-use goods and technologies, received final approval by 33 co-founding countries in July 1996 and began operations in September 1996.
Cybersecurity and the Wassenaar Arrangement: what needs. In 20, members of an export control regime known as the Wassenaar Arrangement were concerned about hackers using certain types of tools to violate human rights and threaten national security, and they agreed to create a control on the creation and use of intrusion software. An export control is a requirement that a company wishing to sell a. Mar 29, 2016: In 20, the Wassenaar Arrangement added a new category pertaining to intrusion software that could potentially be used as monitoring tools, or to thwart protective countermeasures. As a result of the 20 addition, the Wassenaar Arrangement requires. Human rights advocates have recognized that surveillance software designed and sold by companies in Western countries has been responsible for serious abuses around the world. However, once intrusion software was added to the mix, problems with.
The fuzzy analytical meaning of intrusion software during the 2010s Wassenaar debate, inferred from the Department of Commerce (2015) and the Wassenaar Arrangement (2018). For summarizing the key observations and ambiguities, an analytical conceptual model is presented in fig. A fundamental rewrite of the 20 Wassenaar definition of intrusion software is unlikely to occur at the export control group's upcoming December plenary, despite concerted efforts by the U. Wassenaar Arrangement: 41-member multilateral export control regime. In 20, the Wassenaar Arrangement, a 41-country international forum that seeks consensus among its members on dual-use export controls, adopted new controls on intrusion software and carrier class network surveillance tools.
The Wassenaar meeting was intended to create a post-Cold War. BSA applauds bipartisan House letter urging Trump admin to. Wassenaar Arrangement recommendations for cybersecurity. The agency appears to have given in to the pressure.
Human rights advocates have recognized that surveillance software designed and sold by companies in Western countries has been responsible for serious abuses around. Wassenaar countries move toward carve-outs aimed at fixing. The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods. White House wants Wassenaar renegotiation (Threatpost). January 11, 2016, Congressional Record (House) H259: Intrusion software and the Wassenaar Arrangement, Mr. New technologies placed under the export control regime include intrusion software, software designed to defeat a. A group of 41 nations gathered this month to officially update the language of the Wassenaar Arrangement, a voluntary agreement governing certain export controls for classified dual-use software. The Wassenaar Arrangement on Export Controls for Conventional Arms. Aisha Chowdhry writes the Wassenaar Arrangement was amended in 20 to include intrusion software and internet network monitoring products to a. Jan 12, 2016: our witnesses on how the Wassenaar Arrangement in its implementation would affect these objectives. One control relates to intrusion software, while the other focuses on.