Treatment of information security tools under the Wassenaar Arrangement

This proposal seeks to evaluate the treatment of information security research tooling under the Wassenaar Arrangement. As a result of developments outlined below, many tools that the information security research community commonly produces and uses, and that are readily distributed amongst the members of this community are now, or will soon be, in scope of the export control regime maintained as a result of the Wassenaar Arrangement. Not surprisingly, the Arrangement has led to much concern among hackers, security experts and scientists alike. Read more…

Abstract
The Wassenaar Arrangement is a multilateral export control regime that involves over 40 participating states, including the United States, Russia, EU countries (and, thus, The Netherlands) and tries to find methods and structures to control the export of military and dual-use goods.
In December 2013, the Wassenaar Arrangement added new controls that aim to limit the export of “intrusion software”, making it more difficult for oppressive regimes to import these goods. In reaction to these new controls, the information technology industry and information security researchers raised their concerns about the overly broad reach of the “intrusion software” rules. Examples of these concerns include the controls having a chilling effect on innovation and operational ability to respond to security issues.
The goal of the project “Treatment of information security tools under the Wassenaar Arrangement” was to gather insight into the historical and present day context of the Wassenaar Arrangement, assess the new controls regarding “intrusion software” and propose changes that would alleviate the concerns regarding the new controls.
The contributions of the project towards solving the previously mentioned issues include:

  1. An essay introducing the problems caused by the Wassenaar Arrangement’s rules regarding “intrusion software”.
  2. A panel discussion at the NCSC One conference by supervisors R. van den Hoven van Genderen and H. J. Bos.
  3. An advisory report and memorandum requested by the Dutch Cyber Security Council, containing:
    1. Historic and legal context of the Wassenaar Arrangement
    2. Detailed explanation of the issues regarding harmonization of national implementations between participating states.
    3. Detailed explanation of the problematic controls in the Wassenaar Arrangement;
    4. Recommendations on how changes in the wording of the Wassenaar Arrangement could resolve specific issues.

The Dutch Cyber Security Council acknowledged the problems that we addressed.
They are working on a solution in line with the content of our advisory report.