This is bigger news than the Safe Harbour agreement being torn up
On October 15, Europe will decide on how best to interpret the Wassenaar Arrangement—an agreement between 41 countries that was originally designed to limit the proliferation of physical, military weapons to non-desirables—when it applies to the proliferation of surveillance software, intrusion tools, and zero-day software vulnerabilities.
The proposed change
The US Commerce Department’s Bureau of Industry and Security (BIS) proposed changes to the arrangement on May 20. The change would apply Wassenaar Arrangement controls to software and tools commonly used by security researchers and penetration testers. Penetration testers are hackers companies hire to find vulnerabilities in their networks and products. The controls mean companies operating in the US would require a specific license to export their security technologies, or information on newly discovered vulnerabilities, to anywhere other than Canada. This would mean, if the proposed changes are approved, that a US security researcher with information on a vulnerability in a European company’s technology would need a license before they could alert the firm.
Also in the US…
In the US, the Senate is set to vote on the Cybersecurity Information Sharing Act, which would expand the Computer Fraud and Abuse Act to include security research. The US is trying to decide how to interpret Wassenaar when it comes to the exporting of intrusion software and zero-days, too.
Given that the US legislature appears to be in hock to big business, in this case the software companies, who want to stop public zero-day research, it isn’t looking good. Also, following the Hacking Team hack, I’m sure the Wassenaar Arrangement discussions will be examining the issue in a manner that may not be wholly compatible with the existing research and disclosure practices!