ST. MAARTEN–Perhaps no regulation has caused as much turmoil in the technology industry recently as the proposed export controls for intrusion software written by the Department of Commerce. The rules have broad implications for security researchers who rely on information sharing to do defensive work, and the potential restriction of that data moving across borders is a serious concern for them.
But the situation isn’t as dire as outsiders have been led to believe, said Katie Moussouris, CEO of Luta Security, and a former Microsoft security expert who created that company’s first vulnerability reward program. Moussouris is part of the official United States delegation for the Wassenaar Arrangement, the international agreement that regulates many dual-use technologies, such as software exploits, and she said that while the initial drafts of these rules certainly had problems, the people involved have been willing to listen and make changes.
“I had to tell them that there’s a root cause problem and your threat model missed a whole bunch of things,” she said in a talk at the Kaspersky Lab Security Analyst Summit here Tuesday. “I had to explain to them what they were catching and what they were missing with the original arrangement.”
One of the main concerns that people in the security community have with Wassenaar and Commerce’s rules is the effect it could have on how defenders in various countries are allowed to share information. Things such as proof-of-concept exploit code, malware used to run botnets, and other potentially dangerous software are shared regularly in the security research community, and restrictions on doing so across borders could be a serious obstacle. Moussouris said much of the challenge in the Wassenaar meetings has to do with semantics, not always with actual policy.
“We’ve spent hours arguing over a hyphen. We have at least gotten to the place where we’ve redone the verbiage on the technology,” she said. “But between September and December, something bad happened. Countries started getting cold feet. We didn’t know what was going to happen with the next administration on this.
“We take our marching orders from the National Security Adviser. This does feel like a never-ending story, and it’s going to take a hell of a lot more than a luck dragon to get out of this.”
Even with the uncertainty, Moussouris said she’s optimistic that both the U.S. government and the countries participating in the Wassenaar Arrangement will come through with sensible, workable policies.
“Going forward thinking [the policy makers] are idiots won’t get us very far. Explaining the technology impact is a win-win,” she said. “They want to know and they want to make good policies. They want to know who is creating intrusion technology and where it’s going.”