After nearly a year of protests from the information security industry, security researchers, and others, US officials have announced that they plan to re-negotiate regulations on the trade of tools related to “intrusion software.” While it’s potentially good news for information security, just how good the news is will depend largely on how much the Obama administration is willing to push back on the other 41 countries that are part of the agreement—especially after the US was key in getting regulations on intrusion software onto the table in the first place.
The rules were negotiated through the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, an agreement governing the trade of weapons and technology that could be used for military purposes. Originally intended to prevent proliferation and build-up of weapons, the US and other Western nations pushed for operating system, software, and network exploits to be included in the Wassenaar protocol to prevent the use of commercial malware and hacking tools by repressive regimes against their own people for surveillance.
These concerns appear to have been borne out by documents revealed last year in the breach of Italy-based Hacking Team, which showed the company was selling exploits to Sudan and other regimes with a record of human rights abuses. Network surveillance and “IMSI catcher” systems for intercepting phone calls had been covered in a 2011 Wassenaar rule after widespread use of the tools during the “Arab Spring” uprisings. Security systems from Blue Coat were resold to a number of repressive states through back channels, including Syria’s Assad regime—which may have used the software to identify and target opposition activists.