What Wassenaar Could Mean for Security Research

Talk of the Wassenaar Arrangement has appeared in many news forums over the past week. According to a recent statement by the Bureau of Industry and Security (BIS), the U.S. is finally set to implement export controls from the Wassenaar Arrangement’s Plenary meeting in December 2013. Some security experts are concerned that the new controls will not support the current open security research community.

What Is the Wassenaar Arrangement?

The Wassenaar Arrangement (WA) is a multilateral export control regime that consists of 41 participating states, including the United States. Begun in Wassenaar, the Netherlands, in 1996, the arrangement seeks to regulate the use of conventional arms and dual-use goods and technologies among the nations involved. In December 2013, the Wassenaar Arrangement held its 19th annual Plenary meeting, which suggested further export controls in the areas of surveillance, law enforcement and intelligence.

After 18 months, the U.S. has finally moved to implement these new controls as proposed by the WA. The Bureau of Industry and Security announced its proposed changes in May of this year, and then asked for comments (which were already collected on July 20).

What Are the Concerns about WA?

Google and HackerOne’s Katie Moussouris, among other big Internet influencers, have raised concerns about the new controls and recently published them. Google’s biggest concerns deal with the obscurity of the controls proposed by the BIS and the restrictions that these controls may place on security researchers’ ability to do vulnerability testing. “We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community. They would also hamper our ability to defend ourselves, our users, and make the web safer.” Because the security industry relies so heavily on white hat hackers to identify vulnerabilities and help fix weak security infrastructure, strict rules placed on these hackers would cripple the current structure of Internet security.

The concerns Google raises would affect not only Google’s own systems but the entire Internet ecosystem.

What WA Could Mean for the Future of Security

While the export controls themselves have not yet been approved or implemented by the U.S. Department of Commerce, those in the security industry should be aware of the potential rules that could come from the Wassenaar Arrangement and how they could affect security in the future. According to some security experts, these controls could greatly stunt security research.