Wassenaar Arrangement and dual-use computer code

The Wassenaar Arrangement is frequently mentioned in information security (and vulnerability research in particular) since inclusion of computer code as dual-use good. The Agreement does not clearly specify what is and isn’t considered a controlled good that should be subject to export controls, making a number of security researchers and long-term thinkers rightfully concerned about the future of security research.

The section on dual-use technology that’s relevant to software (not crypto) says: >‘4. A. 5. Systems, equipment, and components therefor, specially designed or modified for the generation, operation or delivery of, or communication with, “intrusion software”.

The problem with the above statement, and the need to specify what “intrusion software” is that the equipments and components used for any of the above is the same as the equipment used for normal systems administration or even for normal use of the networked systems. Hence why “intrusion software” is defined specifically for the purposes of the Wassenaar Arrangement.

‘4. D. 4. “Software” specially designed or modified for the generation, operation or delivery of, or communication with, “intrusion software”.

‘4. E. 1. “Technology” as follows: c. “Technology” for the “development” of “intrusion software”.

The statements, despite their best efforts, remain extremely vague. Despite attempting to clarify the uses that would make software, and security software in particular, subject to stricter export controls the statements above do no such thing. There’s attempt to clarify just what differentiates controlled use of software and controlled software from its non-controlled use, but the definitions for that remain vague:

Cat 4 “Intrusion software”
“Software” specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’, of a computer or network-capable device, and performing any of the following:
a. The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or
b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

1. “Intrusion software” does not include any of the following: a. Hypervisors, debuggers or Software Reverse Engineering (SRE) tools; b. Digital Rights Management (DRM) “software”; or c. “Software” designed to be installed by manufacturers, administrators or users, for the purposes of asset tracking or recovery.
2. Network-capable devices include mobile devices and smart meters.
Technical Notes
1. ‘Monitoring tools’: “software” or hardware devices, that monitor system behaviours or processes running on a device. This includes antivirus (AV) products, end point security products, Personal Security Products (PSP), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) or firewalls.
2. ‘Protective countermeasures’: techniques designed to ensure the safe execution of code, such as Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) or sandboxing.

The definitions are open to interpretation. Expansive reading of the definition can include a number of software that is currently considered part and parcel of security research, because any vulnerability research going forward could easily produce code that would be considered controlled, dual use code that needs strict export controls. The fact that debuggers, hypervisors and reverse engineering tools (whatever is meant by that) are not considered “intrusion software” bodes well, but that does not exclude the product of their use. The narrow reading of the definition would exclude whole families of malware that’s written specifically for exfiltration of data by making each malware do a single specific fuction: one to stop ‘monitoring tools’ from properly functioning, another to communicate on the network, etc.

How Wassenaar Agreement is going to be implemented in individual Participating States is left to be seen, but the current media and political climate does not favour security research.