American diplomats traveled to Vienna this week with a daunting task. They are attempting to revise an international arms control deal that seeks to limit the sale of surveillance and hacking software to regimes that commit human rights abuses.
The challenge for the delegation from the US State Department won’t be just convincing the 39 other signatories to the Wassenaar Arrangement, a voluntary export-control regime mostly focused on conventional arms, that they should reconsider how the deal applies to digital weapons. They will also try to convince the American tech sector that there’s a way to impose restrictions on this kind of trade without blunting legitimate cybersecurity sales and research.
While most of the cybersecurity community agrees with the intent of the Wassenaar Arrangement, many professionals and experts lambasted the government’s handling of the pact. In fact, there’s no surer way to elicit the full range of human emotion than to mention "cyberarms control" to a room of cybersecurity professionals.
To most, the very concept of trying to restrict the export of software is a ludicrous impossibility. From the perspective of the technologists in Silicon Valley, the diplomats in Foggy Bottom were not just wrongheaded in their approach to Wassenaar in the first place, but so entirely off base that it appears those making the rules do not understand much about technology.
So, given their inherent skepticism about Washington’s ability to write smart regulations that apply to cybersecurity products, it’s no surprise the tech community collectively recoiled when they read the original language that resulted from the 2013 Wassenaar Arrangement meeting that addressed surveillance technologies.
And they had plenty of reason to be concerned. The actual language used in Wassenaar was broadly written. It currently restricts exports of any software "designed to … avoid detection by 'monitoring tools' or to defeat 'protective countermeasures' " and bans non-Arrangement sales of "technology for the development of intrusion software" or even software designed for "communication with" intrusion software.
These terms sweep up not only offensive hacking suites but also legitimate network management and security software. It is easy to imagine how this language could require an export license for monitoring software installed by parents, network administration tools and malware research. But it's difficult to imagine that wealthy dictators will throw up their hands and give up on acquiring the tools they believe they need for regime survival.
Wassenaar does, in theory, contain carve-outs for legitimate research. However, after the US negotiated the multilateral language in the arrangement, the Department of Commerce went on to unilaterally propose rules specifically forbidding "proprietary research on the vulnerabilities and exploitation of computers and network-capable devices." All of which is to say that international cooperation involving US experts to reverse engineer and defeat zero-day exploits would likely be a no-go without significant clarifying edits.
What’s more, the legal uncertainty and time delays imposed by filling out export control paperwork – and waiting for Washington to answer – are culturally anathema to cybersecurity researchers who, like previous generations of scientists and technologists, most often view themselves as advancing global understanding across national boundaries.
Thankfully, as a result of the backlash to Wassenaar from the tech community and congressional lawmakers, the State Department announced in late February that it would attempt to renegotiate the cybersecurity-related language in the pact. While that effort is now underway, the resulting negotiations with the other 40 Arrangement signatories will not be ratified until December 2016.
The aim of Wassenaar and other arms control regimes is to restrict the flow of weapons. In that sense, Wassenaar remains in search of a useful and precise definition for what a cyberweapon is, and how such software would differ from a defensive use of the same code. Since the distinction is almost never in the code itself, but in its deployment, it’s important to examine the legitimate market for offensive cybersecurity tools: What are the companies selling, why do their customers keep coming back, and what happens if the sale of those tools is restricted?
The military, intelligence agency, and law enforcement customers that buy this kind of technology from offensive security tool vendors are doing so to allow agents and investigators to routinely and reliably access a wide variety of targets, often by making available large quantities of nonpublic – or so-called "zero day" – software exploits that the vendors provide as a subscription service. If the diplomats aren’t careful, they could end up harming the legitimate trade in hacking software that’s become a valued tool in modern law enforcement around the world.
Instead, Wassenaar should focus on known human rights abusers (a list the State Department already maintains) and exclude them from this cybersecurity marketplace. That way, the threat posed by rogue regimes and harmful actors can be reduced.
Still, as technologists would no doubt quickly point out, none of this would prevent a security service anywhere from working its way into the underground markets that traffic in software exploits. But curtailing the access that known bad actors have to zero-day subscription services, by making that process burdensome, for instance, would still make large-scale, abusive monitoring impractical for the many dozens of countries that rely on being able to buy such products today.
Focusing on the bad actors also continues to permit the worldwide, rapid collaboration in the cybersecurity ecosystem that’s so vital to improving digital defenses. Going forward, it’s this community that Washington needs to actively engage to craft these kinds of global agreements that have far-reaching and often unintended consequences.
Christopher Porter is the manager of Horizons, the strategic forecasting arm of FireEye iSIGHT Intelligence. Before joining FireEye he served as an intelligence officer at the CIA for eight years, most recently as the CIA's cyber intelligence briefer at the White House National Security Council Staff. The opinions expressed in this essay do not necessarily reflect those of the US Government.