The Wassenaar Arrangement was signed by the US, Europe, and Russia in 1996. The primary goal of the arrangement is stated as anti-proliferation, stopping uranium enrichment and chemical weapons precursors, and controlling conventional weapons. Wassenaar also classifies crypto as a munition. This allows the NSA to eavesdrop and decrypt messages.
Last year, Wassenaar added three categories of cyber-weapons:
- “intrusion malware”: The specific example is malware sold by FinFisher to governments like Bahrain, which has been found on laptops of Bahraini activists living in Washington D.C.
- “intrusion exploits”: These are tools, including what’s known as “0-days”, that exploit a bug or vulnerability in software in order to hack into a computer, usually without human intervention.
- “IP surveillance” products: These are tools, like those sold by Amesys, that monitor Internet backbones in a country, spy on citizens’ activities, and try to discover everyone activists/dissidents talk to.
Wassenaar includes both intrusion malware and intrusion exploits under the single designation “intrusion software”, but while they are related, they are significantly different from each other. The BIS rules clarify this difference further.
On May 20th, the United States Bureau of Industry and Security (BIS) proposed US rules to comply with the Wassenaar additions. These rules further restrict anything that may be used to develop a cyberweapon, which therefore makes a wide range of innocuous products export-restricted, such as editors and compilers.
Excuse me? Yes, more here.
The BIS proposal is not yet set in stone. The comment period ends July 20. You can submit comments here.
One thing to note is that the comments we want to make don’t precisely match up with the questions they are asking. For example, they ask “How many additional license applications would your company be required to submit per year?” This has nothing to do with why people are up in arms over this proposal.