Wassenaar Arrangement – Wording is Everything



The Wassenaar Arrangement is a deal meant to control the export of conventional firearms, dual-use goods, and dual-use technologies.
The cybersecurity problem it creates is that the wording of one particular section of the arrangement is too broad. That section refers to cybersecurity tools as intrusion technologies. Unfortunately, this term covers a broad spectrum of tools that cybersecurity professionals use to research vulnerabilities and attacks, perform penetration tests, and make security assessments. Many of these “intrusion technologies” actually play a role in governance and compliance with respect to PCI-DSS, HIPAA, SOX, etc. The troubling thing is that there may not be enough time for the arrangement to go through another rewrite and for the draft to go through another comment period before the Wassenaar meeting in December.