Legislation is tricky stuff. Hard to understand, hard to follow. Hard to undo.  Which is why we need to be aware of things that have the potential to impact us be so we can get ahead of them incase there is a problem.  The reality is, time won’t be on our side.

As is the case with the Wassenaar Arrangement, and the proposal to enforce it by the US Business of Industry and Security (BIS).   Wassenaar is a voluntary agreement between 41 countries, with the purpose of regulating the knowledge of how to create “intrusion software,” which is defined as “software that is capable of extracting or modifying data or modifying the standard execution path of software in order to allow the execution of externally provided instructions.”   Their mandate is for controls to be put in place over intrusive software that could become digital weapons, used by regimes to subjugate their citizens, or  spy on their personal lives. While this sounds like a good premise, it’s actually far-reaching and has the potential to create a lot of collateral damage. And the direct recipients of that damage are the very people we need to keep us and our information safe online: those who work with security testing, research and software.

The objectives of Wassenaar and the BIS have only been furthered by the recent publicity over the attack of Hacking Team, a cyber espionage outfit that counted governments as clients and whose dealings were kept secret for the benefit of both sides. As per the recent article by Katie Moussouris in Wired,

“Security experts warn that overzealous laws will stifle this vital security research that aids defense. Many also fear these regulations will put legitimate tech companies out of business due to excessive license application burdens and delays in the ability to sell security products and compete globally.”

Here’s the truth of it. By enforcing the broad mandate of Wassenaar as per BIS, we shut down the very organizations and people who can best act as our first line of defence. There is no question that malware and cybercrime are evolving rapidly, and that we do not have full control over our security.  Those who seek to profit from using and abusing technology will continue to do so, and find ways around any legislation, or risk existing penalties in favour of what they stand to gain, be that money, power or both. Wassenaar will not rewrite human nature any more than it will prevent the inevitable from happening.

We need to have people finding the bugs in our software that could be exploited and making that knowledge available through vulnerability research and disclosure. But the legislation would control information necessary for research, testing & development. Security researchers and companies must be able to watch over existing traffic and monitor it for threats without fear of reprisal.  To fully appreciate just how BIS and Wassenaar will impede security providers I encourage you to read the full article by Katie Moussouris in Wired here.

“One thing is constant: Those who wish to create tools and use or distribute them to cause harm will continue to do so with the impunity that was revealed in the internal communications of the hacked Hacking Team. No regulation will stop them. It is our job to collectively ensure that no regulation stops defenders.”

BIS has invited public feedback about what they propose but the deadline is today, July 20.  If you can, speak up today. Here are some helpful guidelines:

1. Give examples of what technology is caught by these rules and what the impact will be.

2. Explain in detail the burden to organizations and individuals who will have to apply for export licenses under the new rule.

3. Show how the new rule won’t achieve the stated goal of protecting human rights, but instead will hinder defense of the Internet.

Comments on this rule may be submitted to the Federal rulemakingportal (www.regulations.gov). The regulations.gov ID for this rule is: BIS-2015-0011. Comments may also be submitted via email to publiccomments@bis.doc.gov or on paper to Regulatory Policy Division, Bureau of Industry and Security, Room 2099B, U.S. Department of Commerce, 14th St. and Pennsylvania Ave. NW., Washington, DC 20230. Please refer to RIN 0694-AG49 in all comments and in the subject line of email comments.

https://www.federalregister.gov/articles/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-agreements-implementation-intrusion-and-surveillance-items#h-19

We all have a stake in how Wassenaar plays out. And today, we all have an opportunity to influence that outcome.