Cyber threats move at Internet speed and so must cyber responders, to protect networks and data across the globe. Imagine the impact on cybersecurity if responders, innovators, and developers were told to pause and apply for an export license before responding to a threat. With a new round of international negotiations about to begin for the Wassenaar Arrangement, now is the time to press hard to arrive at a workable international standard that protects, rather than undermines, cybersecurity.
In 2013, the Wassenaar Arrangement, a 41-country international forum that seeks consensus among its members on dual-use export controls, adopted new controls on “intrusion software” and “carrier class network surveillance tools.” The purpose behind these controls is worthy: protecting human rights activists and political dissidents from surveillance by authoritarian governments.
Unfortunately, the approach proposed by the Wassenaar regulation misses the mark, and indeed, the controls would ultimately undermine that goal by making it harder for cyber responders to defend against the use of surveillance technologies. Because the regulation is so overly broad, it would require cyber responders and security researchers to obtain an export license prior to exchanging essential information to remediate a newly-identified network vulnerability, even when that vulnerability is capable of being exploited for purposes of surveillance. It would also require an onerous licensing process for sales of strong cybersecurity tools and services by companies around the world, and in some cases, could prohibit their sale altogether. Continue Reading