The US government is currently considering new implementing regulations related to “intrusion software” which in December 2013 was added to the 41 nation export control regime on dual use military technology known as the Wassenaar Arrangement. This change to the agreement has the potential to significantly affect the security industry by placing controls on the export of intrusion software and pen testing software. Burdensome licensing requirements are expected. This could have a significant negative effect on security research as well.
The Bureau of Industry and Security (BIS) within the U.S. Department of Commerce has released for comment a first draft of a proposed implementing regulation. The draft has met with significant opposition from industry and non-governmental organizations. While the comment period is closed, BIS has announced that it will issue a second much different version of the implementing regulations after receiving over 200 comments on the issue. They have not yet released a target date for that issuance. Industry is expected to be heavily engaged throughout this process and new coalitions are forming.
The rules are seen as overly broad and problematic. As an example, the current draft regulation would apply to tools that are used daily by cybersecurity professionals such as reverse engineering malware, penetration testing and other tools of the trade. As a result, if the drafted implementing regulation went forward it would require the filing of thousands of license requests. Licenses would be needed even to share information just with US citizens within a company. More licenses would be needed to share information with employees that are non-US citizens or third party company collaborators.
This will remain a high profile issue in the coming months.
If you are interested in more information or engaging on this critical cyber security issue, please contact Adam Rak at firstname.lastname@example.org or 650-766-1833.