THE WASSENAAR AGREEMENT: IMPACT ON
EXPLOIT RESEARCHERS IN NON-MEMBER
DEVELOPING NATIONS
Rangarirai Mukora
Information Security and Assurance
Harare Institute of Technology
Harare, Zimbabwe
mukoraranga@gmail.com

Macdonald U Bandama
Information Security and Assurance
Harare Institute of Technology
Harare, Zimbabwe
mubands@gmail.com
Abstract
Following the Cold War-era Coordinating Committee for Multilateral Export Controls (COCOM) export control regime, the United States of America together with 40 other nations formed the Wassenaar Arrangement (WA). The WA is a multidimensional, politically binding export control arrangement established in 1996. Its objective is to encourage transparency and nurture greater accountability in the transfer of conventional arms and dual-use goods and technologies. It is intended to deter the transfer of sensitive military technology to non-WA states and states of concern. A study of the current literature was made to identify its implications, advantages, shortfalls and effects on non-member developing nations, with special regard to Zimbabwe. Suggestions were then made to both member and non-member states in order to provide solutions to the current shortfalls of the arrangement.
Keywords: Dual-Use Goods and Technologies, DNS, surveillance, intrusion software.
1. Introduction
This document aims to outline the Wassenaar Arrangement and how it has affected trade across the globe, with particular attention to developing countries such as Zimbabwe. The WA is still being revised, but so far its terms have had some effect on companies and nations. It has led to a change in trade patterns, and this motivated the writers to produce this document in order to dissect and examine the effectiveness and extent of the WA's impact across the globe.
2. Literature Review
“Sandler, Travis and Rosenberg wrote a report on the WA on Tuesday 06/01/2015. They highlighted that the WA introduces new export controls on some dual-use goods but relaxes them on others. Goods were categorised, with some placed under export controls and some not under any export controls. The article reiterates that the WA secretariat will continue to monitor opportunities for the Arrangement to contribute to international cooperation with regard to this agreement. The WA has also made available the attached summary of changes to the List of Dual-Use Goods and Technologies and Munitions List.” [1]
“According to the Treaty Compliance the WA’s goal is not only to stimulate transparency and raise greater accountability in the transfer of conventional arms and dual-use goods and technologies but also to dampen the transfer of sensitive military technology to non-WA states and states of concern. Members of the Arrangement apply export controls to the items, to inspire the interchange of information on transfers and prevent disrupting build-ups of weapons. The Wassenaar Arrangement's Initial Elements request member states to report information on certain exports to non-members semi-annually, on April 30 and October 31. Member States will provide notification of denials of licences to non-Wassenaar members for items on the List of Dual-Use Goods and Technologies and notify of licences issued or transfers made of items in Tier 2 of the List of Dual-Use Goods and Technologies.” [2]
“Michael Ossmann’s greatest concern is the clarity of the proposed rule. He argues that the proposed rule directly prevents the sharing of information among researchers, and that it will have a negative impact on the security of computing systems and software for the entire world. What Michael Ossmann urges, however, is to remove software from the scope of the Wassenaar Arrangement at the annual meeting of Wassenaar Arrangement members in December 2015.” [3]
“Robert Graham created the first “intrusion prevention system”, as well as many tools and much cybersecurity research over the last 20 years. He states that he would not have done so had these rules been in place. His main point is that the rules are so vague that it becomes impossible for anybody to know exactly what is prohibited, and therefore people have to take the conservative approach. Robert Graham, however, suggests that the rules be made clear, especially on the software aspects.” [4]
“This paper acknowledges that the Wassenaar Arrangement’s intrusion software clauses are intended to protect the activists and dissidents whose lives are endangered by government surveillance. The regulations of the Wassenaar Arrangement are intended to reverse or abate this trend, limiting the availability of computer surveillance to repressive regimes. The WA’s definitions will impose a prior restraint on the publication of security research, analogous to the export controls on strong encryption software that were in effect in the 1990s. This article demonstrates that these methods fail to cover the majority of technological artefacts and processes that are crucial to security research and defence, and are therefore insufficient to meet the intent of the Arrangement. The anti-surveillance intent of Wassenaar would, however, be fully fulfilled if surveillance-enabling software and hardware were to be addressed directly.” [5]
“In this article, Japan’s Pwn2Own hacking competition, to be held at the PacSec conference in Tokyo, lost one of its biggest sponsors as Hewlett-Packard (HP) pulled out over legal concerns regarding the recent changes to the Wassenaar Arrangement governing software exploits. According to event organizer Dragos Ruiu, HP and its Zero Day Initiative (ZDI) declined to participate due to Japan’s implementation of Wassenaar. The decision was made after consulting with internal legal and compliance experts. The motive for HP’s decision was the real-time transfer of research from the researcher to HP ZDI to the affected vendor.” [6]
3. Objectives of the Study
• To perform a case study analysis of the impact on developing countries of intrusion software related items as listed under the WA and proposed for regulation by BIS.
• To review literature on related cases or research in order to come up with solutions to the problems.
• To analyse the current WA framework and refine it to make it clearer.
4. Scope and Limitations of the Study
There are various areas covered by the WA, but our research will focus on “Intrusion software” related items as listed under the Wassenaar Arrangement (WA) and proposed for regulation by BIS, which severely restrict security vulnerability improvements and R&D undertaken by Zimbabwean companies, academia, NGOs and individuals. The proposed rule would affect entities that create or operate intrusion software and any information system that communicates with such intrusion software. The limitation of the study is that the research is based only on the information provided by various international documents, newspapers and websites.
5. Methodology
The researchers reviewed various articles regarding the WA’s formation, its objectives and how it operates to regulate the trade in various exploit kits across the world. Further investigation was carried out through magazine and newspaper articles from reputable sources, as well as journals, articles and papers written on the WA. The important points noted are as follows:
• The WA was accepted and is viewed as a noble idea.
• Generally the WA is regarded as being vague in sections, especially those to do with intrusion software.
This highlighted a major problem, especially for developing countries, regarding the development of software that aids in bug hunting and zero-day exploit detection, since such software is classified as intrusion software. This in turn limits software developers in developing good software that aids vulnerability research. A number of cases where software development was hindered were noted through the research. One is the case of HP, which together with its Zero Day Initiative (ZDI) declined to participate in Pwn2Own due to Japan’s implementation of Wassenaar. The decision was made after consulting with internal legal and compliance experts. The motive for HP’s decision was the real-time transfer of research from the researcher to HP ZDI to the affected vendor.
However, there was a certain pattern followed by most of the papers: most of the cases that the research team came across focused mainly on the shortfalls of the WA, although they acknowledged that it is a noble idea which only requires refinement. According to another paper, the vagueness of the arrangement now hinders software developers from doing their job as well as from trading new and better intrusion software. This aspect then led to the analysis of studies on how the arrangement can be refined so as not to hinder any positive development, and so as to promote zero-day bounty hunters as well as bug bounty hunters. This logically makes sense, since black-hats are always finding more sophisticated ways to gain unauthorised access to networks. Security has been reduced to a more passive action rather than being proactive. Reversing this is only possible if the WA’s rules are clearer and more permissive in terms of developing such software for the sole purpose of protecting networks.
The overall finding of this research is that the WA has limitations which urgently need attention. The analysis of the available information on the WA led to a compilation of the problems emanating from the vagueness of the WA, which in turn led to the development of a more refined framework, one that will allow software developers to develop software that will greatly aid in protecting computer networks. This framework will also try to incorporate previously non-member nations so that they may also benefit from the WA, as it is a great and noble idea that will increase global cooperation amongst nations. Nations like Zimbabwe will then also have a chance to participate in it and benefit from it. If Zimbabwe were to develop its own intrusion software that aids in protecting networks, trade with other nations would become possible.
6. Analysis of the Wassenaar Arrangement
Due to the nature of the Wassenaar Arrangement’s General Software Note, which exempts
software that is publicly-available without the need for substantial support from the vendor,
these controls will not regulate the open market for commonplace spyware sold in a near retail
manner to individuals attempting to monitor children, spouses and others, though in the United
States and other countries the sale of such software is regulated under other statutes. Both
controls limit themselves to highly-professionalized systems of surveillance that are often only
provided to government agencies and telecommunications companies, with little legitimate use
outside of law enforcement and intelligence mandates.
The effectiveness of both Intrusion Software and IP Network Surveillance systems is dependent on their invisibility and unavailability to the general public, especially to avoid the reach of the security and antivirus research communities that might interfere with their operations. Manufacturers of both types of equipment also avoid sales that may run afoul of wiretapping statutes and restrict access to information on their use to government customers only. However, law enforcement intrusion and surveillance systems are also highly dependent on supplier support, including for integration into telecommunications networks, after-sales service and continuing updates.
The design of Intrusion Software does not constitute a highly sophisticated or exclusive field
of knowledge, and thus it would not benefit the objective of the control to regulate research
that is not performed for the sole purpose of deployment of a commercial product. Moreover,
we do not believe that the exploit or vulnerability market is covered under the definition of
Intrusion Software. While exploitation is a common mechanism for the circumvention of
protective and monitoring measures, it is not concomitant to intrusion nor is vulnerability
research necessarily Intrusion Software development. Whether or not particular tools are
appropriated by malicious actors, it remains in the interest of export control authorities to
promote the availability of information security tools and not chill their development. Instead,
the primary focus for export control authorities in the application of the Technology
classification should be oversight of the consultative services that are rendered prior to or in
support of the deployment of Intrusion Software.
The exemptions under both Intrusion Software (for debuggers, software reverse engineering, digital rights management and asset recovery) and IP Network Surveillance (marketing and network management) appear to be narrowly defined and are unlikely to present a significant short-term risk of relabelling by companies that may want to avoid scrutiny. For example, asset tracking, which most closely resembles the tracking function of Intrusion Software, implies ownership of the device. It should not require the opaque behaviour that necessitates bypassing security countermeasures or evading antivirus applications. Similarly, marketing equipment generally maintains an active presence on the network with limited inspection of content, inserting tracking code for the purpose of advertising, as opposed to passive interception and retention of all Internet traffic. In order to avoid possible misuse of the exemptions, it is important that export control authorities maintain an expectation of how exempted devices should operate in order to achieve the strict definition of a legitimate objective.
As export control authorities consider licence applications and industry education, it is incumbent on them to ensure that these new regulations are narrowly applied to control equipment, software and technologies that are substantially designed for surveillance, while not chilling research and work that is fundamental to the promotion of Internet security. In the process of determining the applicability of the control language in licensing determinations and pursuing enforcement actions, export control authorities should:
The new Wassenaar Arrangement controls represent the recognition of an increasing need for export control authorities and private industry to limit the proliferation of sensitive technologies to bad-faith actors. Clearly defined and well-enforced Intrusion Software and IP Network Surveillance controls can lay the groundwork for a constructive and expansive role for export controls in the promotion of human rights and cyber security goals.
Diagram for the WA Dual-Use Licensing Process
For trade in goods of interest, applications have to be made, and depending on the goods of interest the timeline for the approval process varies from 9 days to 90 days. There are various boards which the application has to go through before it is approved, each of which can either approve or deny the trading licence. It can be noted that the chain is simply too long, and it may take months or even a year before any meaningful action has been taken; this can be seen as one of the drawbacks of the WA’s system.
7. SWOT Analysis
The researchers performed a SWOT analysis on the case, with the following result.
STRENGTHS
• Security researchers routinely explore techniques for bypassing system protections
• Centralised control of weaponry
• Enhanced national security
WEAKNESSES
• Hinders creation of new software technologies in developing countries
• Non-member states have no say and are suppressed
• The vagueness of the WA control lists has real-world chilling effects on fundamental academic research
• Makes it more difficult to address zero-day vulnerabilities and other exploits
• Unilateral global restrictions are ineffective
OPPORTUNITIES
• Expand the controlled technologies to include security exploits exported to governments for surveillance
THREATS
• The more sophisticated the technology, the less controllable states will be
• A cornerstone of a new economic world order
• Delay in addressing genuine security risks
8. Findings
• The WA’s rules are vague, especially in the clauses which address software.
• The design of Intrusion Software does not constitute a highly sophisticated or exclusive field of knowledge, and thus it would not benefit the objective of the control to regulate research that is not performed for the sole purpose of deployment of a commercial product.
• The exploit or vulnerability market is not covered under the definition of Intrusion Software.
• The exemptions under both Intrusion Software (for debuggers, software reverse engineering, digital rights management and asset recovery) and IP Network Surveillance (marketing and network management) appear to be narrowly defined and are unlikely to present a significant short-term risk of relabelling by companies that may want to avoid scrutiny.
• The new Wassenaar Arrangement controls represent the recognition of an increasing need for export control authorities and private industry to limit the proliferation of sensitive technologies to bad-faith actors.
9. Suggestions
• The WA’s conditions for a country to be able to participate are rather exclusionary. The strictness of the prerequisites for countries to qualify should be lessened.
• The WA should not be like a private treaty between only a few select nations, as is the current situation. It should include as many nations as possible so as to create a global village guided by the same principles and rules in terms of trade.
• If developing nations, Zimbabwe in particular, ever wish to be part of governing bodies like the WA, they should consider abiding by its regulations. That way it is easier for them to be accommodated in the arrangement.
• It was noted that one of the major weaknesses of the WA is that its definitions, especially in the clauses that deal with “Intrusion Software”, are vague. They should therefore be revised and made clear. As they stand, they are so vague that they now limit software developers in coming up with more “Intrusion Software”, which is important, and are therefore depriving the security field of necessary software.
• The chain taken to approve trade in goods of interest should by all means be made shorter so as to avoid unnecessary delays.
10. Conclusion
Having researched several articles and journals on the WA, it is evident that the idea behind the formation of the arrangement is a very noble one. Today’s peace is threatened by so many technological advancements, and there is no telling what another person or corporation is producing and for what reasons. There was therefore a great need to at least set ground rules as to what may be produced and what is allowed to be traded. Some “dual-use goods” truly pose a threat if trade in those items is left uncurbed. However, it has been found that most views and concerns are about the vagueness of the rules. They do not clearly state what exactly is prohibited, and in the case of software it is really tricky to label it as intrusive, as the same “intrusive software” used by hackers is also used by legitimate corporations and participating member states to discover and eliminate vulnerabilities in their systems. To prohibit its trade would literally leave organisations vulnerable, with no capability of protecting themselves, which becomes a bigger concern. There is therefore a great need for the participating states to take all these comments and views into account and make amendments to the WA. Also, in terms of participation, something needs to be done so that countries which may not seem to qualify at the moment (developing nations) can be accommodated, because if left out they are deprived of great technological advancements that they greatly need.
References:
[1] Sandler, Travis and Rosenberg, report dated 06/01/2015. http://www.strtrade.com/news-publications-dual-use-export-controls-Wassenaar-010615.html
[2] Treaty Compliance. http://www.acq.osd.mil/tc/treaties/wass/execsum.htm
[3] Michael Ossmann, Wassenaar Comments, posted 20 July 2015 22:36. https://greatscottgadgets.com/2015/07-20-wassenaar-comments/
[4] Robert Graham, creator of BlackICE, side jacking and masscan; frequent speaker at cybersecurity conferences.
[5] Sergey Bratus, D J Capelis, Michael Locasto and Anna Shubina, October 9, 2014. Why Wassenaar Arrangement’s Definitions of Intrusion Software and Controlled Items Put Security Research and Defence at Risk—And How to Fix It.
[6] HP Pulls Out of Hacking Contest, Citing Changes to Wassenaar Arrangement. Posted in Vulnerabilities & Exploits.
[7] Dr. Elizabeth Turpen, Achieving Non-proliferation Goals: Moving from Denial to Technology Governance, June 2009 (PDF).
[8] Tim Maurer, Edin Omanovic and Ben Wagner, Uncontrolled Global Surveillance: Updating Export Controls to the Digital Age, March 2014 (PDF).
[9] Brian Finch and Sanjay Mullick, Strict Controls Proposed on the Export of Cybersecurity Items, May 28 2015 (PDF).
[10] “Structural conflict” was coined by Stephen D. Krasner in Structural Conflict: The Third World against Global Liberalism (University of California Press, Berkeley; 1985), which discusses the North-South divide extensively, including the formation of the Group of 77 and the subsequent calls for a New International Economic Order.
[11] Michael Moodie, “Beyond Proliferation: The Challenge of Technology Diffusion—A Research Survey” in: Weapons Proliferation in the 1990s, Brad Roberts, ed. (Cambridge, MA: MIT Press, 1996), pp. 71-92, and Brad Roberts,

More Related Content

Viewers also liked

PrzemyslSpotkanwPolsce2016
PrzemyslSpotkanwPolsce2016PrzemyslSpotkanwPolsce2016
PrzemyslSpotkanwPolsce2016Polen Toerisme
 
Презентация вебинара "Подготовка к IELTS"
Презентация вебинара "Подготовка к IELTS"Презентация вебинара "Подготовка к IELTS"
Презентация вебинара "Подготовка к IELTS"EnglishDom
 
Christmas traditions
Christmas traditionsChristmas traditions
Christmas traditionsEnglishDom
 
Siemens 350 Generator Shipment Survey Report
Siemens 350 Generator Shipment Survey ReportSiemens 350 Generator Shipment Survey Report
Siemens 350 Generator Shipment Survey ReportDavid Sun
 
Garland_Solutions_Brochure0315
Garland_Solutions_Brochure0315Garland_Solutions_Brochure0315
Garland_Solutions_Brochure0315Tom Townsend
 
Гомельский лицей приборостроения
Гомельский лицей приборостроенияГомельский лицей приборостроения
Гомельский лицей приборостроенияglpribor
 

Viewers also liked (9)

7 ways to grow love
7 ways to grow love7 ways to grow love
7 ways to grow love
 
PrzemyslSpotkanwPolsce2016
PrzemyslSpotkanwPolsce2016PrzemyslSpotkanwPolsce2016
PrzemyslSpotkanwPolsce2016
 
Презентация вебинара "Подготовка к IELTS"
Презентация вебинара "Подготовка к IELTS"Презентация вебинара "Подготовка к IELTS"
Презентация вебинара "Подготовка к IELTS"
 
Christmas traditions
Christmas traditionsChristmas traditions
Christmas traditions
 
Прайс на услуги
Прайс на услугиПрайс на услуги
Прайс на услуги
 
Siemens 350 Generator Shipment Survey Report
Siemens 350 Generator Shipment Survey ReportSiemens 350 Generator Shipment Survey Report
Siemens 350 Generator Shipment Survey Report
 
Garland_Solutions_Brochure0315
Garland_Solutions_Brochure0315Garland_Solutions_Brochure0315
Garland_Solutions_Brochure0315
 
Presentación1
Presentación1Presentación1
Presentación1
 
Гомельский лицей приборостроения
Гомельский лицей приборостроенияГомельский лицей приборостроения
Гомельский лицей приборостроения
 

Similar to Wassenaar Agreement

UNITED NATIONS INTER-AGENCY SMALL ARMS CONTROL STANDARDS DEVELOPMENT
UNITED NATIONS INTER-AGENCY SMALL ARMS CONTROL STANDARDS DEVELOPMENTUNITED NATIONS INTER-AGENCY SMALL ARMS CONTROL STANDARDS DEVELOPMENT
UNITED NATIONS INTER-AGENCY SMALL ARMS CONTROL STANDARDS DEVELOPMENTswilsonmc
 
154522243 united-nations-inter-agency-small-arms-control-standards-development
154522243 united-nations-inter-agency-small-arms-control-standards-development154522243 united-nations-inter-agency-small-arms-control-standards-development
154522243 united-nations-inter-agency-small-arms-control-standards-developmentJohn Hutchison
 
Net neutrality reloaded: zero rating, specialised service, ad blocking and tr...
Net neutrality reloaded: zero rating, specialised service, ad blocking and tr...Net neutrality reloaded: zero rating, specialised service, ad blocking and tr...
Net neutrality reloaded: zero rating, specialised service, ad blocking and tr...FGV Brazil
 
Artificial Intelligence - An Outline ( Eng.EmadFaragHABIB)- Ver 0.1.pdf
Artificial Intelligence - An Outline   ( Eng.EmadFaragHABIB)- Ver 0.1.pdfArtificial Intelligence - An Outline   ( Eng.EmadFaragHABIB)- Ver 0.1.pdf
Artificial Intelligence - An Outline ( Eng.EmadFaragHABIB)- Ver 0.1.pdfEmadfHABIB2
 
Delivering an Oral StatementYou will need to deliver an oral sta.docx
Delivering an Oral StatementYou will need to deliver an oral sta.docxDelivering an Oral StatementYou will need to deliver an oral sta.docx
Delivering an Oral StatementYou will need to deliver an oral sta.docxcuddietheresa
 
Computer ForensicsDiscussion 1Forensics Certifications Ple.docx
Computer ForensicsDiscussion 1Forensics Certifications Ple.docxComputer ForensicsDiscussion 1Forensics Certifications Ple.docx
Computer ForensicsDiscussion 1Forensics Certifications Ple.docxdonnajames55
 
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs,  PATCH Act, & Wan...Open Source Insight: Artifex Ruling, NY Cybersecurity Regs,  PATCH Act, & Wan...
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...Black Duck by Synopsys
 
Open Source Governance in Highly Regulated Companies
Open Source Governance in Highly Regulated CompaniesOpen Source Governance in Highly Regulated Companies
Open Source Governance in Highly Regulated Companiesiasaglobal
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...CODE BLUE
 
Patni wp data management implications of forthcoming systemic risk regulations
Patni wp data management implications of forthcoming systemic risk regulationsPatni wp data management implications of forthcoming systemic risk regulations
Patni wp data management implications of forthcoming systemic risk regulationsPhilip Filleul
 
6APPLYING GENEVA CONVENTION STRATEGIES TOWARDS ACCOMPL.docx
6APPLYING GENEVA CONVENTION STRATEGIES TOWARDS ACCOMPL.docx6APPLYING GENEVA CONVENTION STRATEGIES TOWARDS ACCOMPL.docx
6APPLYING GENEVA CONVENTION STRATEGIES TOWARDS ACCOMPL.docxalinainglis
 
Fake news Detection using Machine Learning
Fake news Detection using Machine LearningFake news Detection using Machine Learning
Fake news Detection using Machine LearningIRJET Journal
 
Blockchain Case studies.pdf
Blockchain Case studies.pdfBlockchain Case studies.pdf
Blockchain Case studies.pdfSushminSaha1
 
Saigf 15 thematic-paper 7 - A case for multi-stakeholder partnerships for cri...
Saigf 15 thematic-paper 7 - A case for multi-stakeholder partnerships for cri...Saigf 15 thematic-paper 7 - A case for multi-stakeholder partnerships for cri...
Saigf 15 thematic-paper 7 - A case for multi-stakeholder partnerships for cri...Cade Zvavanjanja
 
Open source software in government challenges and opportunities
Open source software in government challenges and opportunitiesOpen source software in government challenges and opportunities
Open source software in government challenges and opportunitiesLuke Fretwell
 
Blockchain final 25112015 v1.1
Blockchain final 25112015 v1.1Blockchain final 25112015 v1.1
Blockchain final 25112015 v1.1Andrew Coakley
 
wp-us-cities-exposed
wp-us-cities-exposedwp-us-cities-exposed
wp-us-cities-exposedNumaan Huq
 
Cybersecurity and Policy Kafayat Omotayo WRTG 112
Cybersecurity and Policy Kafayat Omotayo WRTG 112 Cybersecurity and Policy Kafayat Omotayo WRTG 112
Cybersecurity and Policy Kafayat Omotayo WRTG 112 OllieShoresna
 

Similar to Wassenaar Agreement (20)

UNITED NATIONS INTER-AGENCY SMALL ARMS CONTROL STANDARDS DEVELOPMENT
UNITED NATIONS INTER-AGENCY SMALL ARMS CONTROL STANDARDS DEVELOPMENTUNITED NATIONS INTER-AGENCY SMALL ARMS CONTROL STANDARDS DEVELOPMENT
UNITED NATIONS INTER-AGENCY SMALL ARMS CONTROL STANDARDS DEVELOPMENT
 
154522243 united-nations-inter-agency-small-arms-control-standards-development
154522243 united-nations-inter-agency-small-arms-control-standards-development154522243 united-nations-inter-agency-small-arms-control-standards-development
154522243 united-nations-inter-agency-small-arms-control-standards-development
 
Net neutrality reloaded: zero rating, specialised service, ad blocking and tr...
Net neutrality reloaded: zero rating, specialised service, ad blocking and tr...Net neutrality reloaded: zero rating, specialised service, ad blocking and tr...
Net neutrality reloaded: zero rating, specialised service, ad blocking and tr...
 
COMMON GOOD DIGITAL FRAMEWORK
COMMON GOOD DIGITAL FRAMEWORKCOMMON GOOD DIGITAL FRAMEWORK
COMMON GOOD DIGITAL FRAMEWORK
 
Artificial Intelligence - An Outline ( Eng.EmadFaragHABIB)- Ver 0.1.pdf
Artificial Intelligence - An Outline   ( Eng.EmadFaragHABIB)- Ver 0.1.pdfArtificial Intelligence - An Outline   ( Eng.EmadFaragHABIB)- Ver 0.1.pdf
Artificial Intelligence - An Outline ( Eng.EmadFaragHABIB)- Ver 0.1.pdf
 
Un may 28, 2019
Un may 28, 2019Un may 28, 2019
Un may 28, 2019
 
Delivering an Oral StatementYou will need to deliver an oral sta.docx
Delivering an Oral StatementYou will need to deliver an oral sta.docxDelivering an Oral StatementYou will need to deliver an oral sta.docx

Wassenaar Agreement

They highlighted that the WA points out new export controls on some dual-use goods but relaxed ones on others. Goods were categorised, with some placed under export controls and some not under any export controls. The article reiterates that the WA secretariat will continue to monitor opportunities for the Arrangement to contribute to international cooperation with regard to this agreement. The WA has also made available the attached summary of changes to the List of Dual-Use Goods and Technologies and Munitions List.” [1]

“According to Treaty Compliance, the WA’s goal is not only to stimulate transparency and raise greater accountability in the transfer of conventional arms and dual-use goods and technologies, but also to dampen the transfer of sensitive military technology to non-WA states and states of concern. Members of the Arrangement apply export controls to the listed items, to inspire the interchange of information on transfers and prevent disruptive build-ups of weapons. The Wassenaar Arrangement's Initial Elements request member states to report information on certain exports to non-members semi-annually, on April 30 and October 31. Member States will provide notification of denial of licences to non-Wassenaar members for items on the List of Dual-Use Goods and Technologies, and notify of licences issued or transfers made of items in Tier 2 of the List of Dual-Use Goods and Technologies.” [2]

“Michael Ossmann’s greatest concern is the clarity of the proposed rule. He argues that the proposed rule directly prevents the sharing of information among researchers, and that it will have a negative impact on the security of computing systems and software for the entire world. What Michael Ossmann urges, however, is to remove software from the scope of the Wassenaar Arrangement at the annual meeting of Wassenaar Arrangement members in December 2015.” [3]

“Robert Graham created the first “intrusion prevention system”, as well as many tools and much cybersecurity research over the last 20 years. He articulates that he would not have done so had these rules been in place. His main point is that the rules are so vague that it becomes impossible for anybody to know exactly what is prohibited, and therefore people have to take the conservative approach. Robert Graham, however, suggests that the rules be made clear, especially on the software aspects.” [4]

“This paper acknowledges that the Wassenaar Arrangement’s intrusion software clauses are intended to protect the activists and dissidents whose lives are endangered by government surveillance. The regulations of the Wassenaar Arrangement are intended to reverse or abate this trend, limiting the availability of computer surveillance to repressive regimes. The WA’s definitions will impose a prior restraint on the publication of security research, analogous to the export controls on strong encryption software that were in effect in the 1990s. This article demonstrates that these methods fail to cover the majority of technological artefacts and processes that are crucial to security research and defence, and are therefore insufficient to meet the intent of the Arrangement. The anti-surveillance intent of Wassenaar would, however, be fully fulfilled if surveillance-enabling software and hardware were to be addressed directly.” [5]

“In this article, Japan’s Pwn2Own hacking competition, to be held at the PacSec conference in Tokyo, lost one of its biggest sponsors as Hewlett-Packard (HP) pulled out over legal concerns regarding the recent changes to the Wassenaar Arrangement governing software exploits. According to event organizer Dragos Ruiu, HP and its Zero Day Initiative (ZDI) declined to participate due to Japan’s implementation of Wassenaar. The decision was made after consulting with internal legal and compliance experts. The motive for HP’s decision was the real-time transfer of research from the researcher to HP ZDI to the affected vendor.” [6]
3. Objectives of the Study

- To perform a case study analysis of the impact on developing countries of the intrusion software related items listed under the WA and proposed for regulation by BIS.
- To review literature on related cases or research in order to come up with solutions to the problems.
- To analyse the current WA framework and refine it, making it clearer.

4. Scope and Limitations of the Study

There are various areas covered by the WA, but our research will focus on “intrusion software” related items as listed under the Wassenaar Agreement (WA) and proposed for regulation by BIS, which severely restrict security vulnerability improvements and R&D undertaken by Zimbabwean companies, academia, NGOs and individuals. The proposed rule would affect entities that create or operate intrusion software and any information system that communicates with such intrusion software. The limitation of the study is that the research is based only on the information provided by various international documents, newspapers and websites.

5. Methodology

The researchers came across various articles regarding the WA's formation, its objectives and how it operates to regulate the world on various exploit kits. Further primary investigation was carried out through magazine and newspaper articles from reputable sources such as journals, articles and papers written on the WA. Important points noted are as follows:

- The WA was accepted and is viewed as a noble idea.
- Generally the WA is regarded as being vague in sections, especially those to do with intrusion software.

This highlighted a major problem, especially for developing countries, regarding the development of software which aids in bug hunting and zero-day exploit detection, as such software is classified as intrusion software. This then limits software developers in developing good software that aids vulnerability research. A number of cases where software development was hindered have been noted through the research. We have cases like that of HP, which together with its Zero Day Initiative (ZDI) declined to participate due to Japan’s implementation of Wassenaar. The decision was made after consulting with internal legal and compliance experts. The motive for HP’s decision was the real-time transfer of research from the researcher to HP ZDI to the affected vendor.

However, there was a certain norm followed by most of the papers: most of the cases that the research team came across were mainly focused on the shortfalls of the WA, although they acknowledged that it is a noble idea which only requires refinement. According to another paper, the vagueness of the arrangement now hinders software developers from doing their job as well as from trading new and better intrusion software. This aspect then led to the analysis of studies on how the arrangement can be refined so as not to hinder any positive development and to promote zero-day bounty hunters as well as bug bounty hunters. This logically made sense, since black-hats are always finding and coming up with more sophisticated ways to gain unauthorized access to networks. Security has been reduced to a more passive action rather than being proactive. This can only be changed if the WA’s rules are clearer and more permissive in terms of developing such software for the sole purpose of protecting networks.

The overall finding of this research was that the WA has limitations which urgently need attention. The analysis of the available information on the WA then led to the compilation of the problems emanating from its vagueness, which in turn led to the development of a more refined framework, one that will allow software developers to develop software that will greatly aid in protecting computer networks. This framework will also try to incorporate previously non-member nations so that they may benefit as well from the WA, as it is a great and noble idea that will increase global cooperation amongst nations. Nations like Zimbabwe will also have a chance to participate in and benefit from it. In the event that Zimbabwe develops its own intrusion software which aids in protecting networks, trade with other nations would be possible.

6. Analysis of the Wassenaar Arrangement

Due to the nature of the Wassenaar Arrangement’s General Software Note, which exempts software that is publicly available without the need for substantial support from the vendor, these controls will not regulate the open market for commonplace spyware sold in a near-retail manner to individuals attempting to monitor children, spouses and others, though in the United States and other countries the sale of such software is regulated under other statutes. Both controls limit themselves to highly professionalised systems of surveillance that are often only provided to government agencies and telecommunications companies, with little legitimate use outside of law enforcement and intelligence mandates.
The effectiveness of both Intrusion Software and IP Network Surveillance systems is dependent on their invisibility and unavailability to the general public, especially to avoid the reach of the security and antivirus research communities that might interfere with their operation. Manufacturers of both types of equipment also avoid sales that may run afoul of wiretapping statutes, and restrict access to information on their use to government customers only. However, law enforcement intrusion and surveillance systems are also highly dependent on supplier support, including integration into telecommunications networks, after-sales service and continuing updates.

The design of Intrusion Software does not constitute a highly sophisticated or exclusive field of knowledge, and thus it would not benefit the objective of the control to regulate research that is not performed for the sole purpose of deploying a commercial product. Moreover, we do not believe that the exploit or vulnerability market is covered under the definition of Intrusion Software. While exploitation is a common mechanism for the circumvention of protective and monitoring measures, it is not concomitant with intrusion, nor is vulnerability research necessarily Intrusion Software development. Whether or not particular tools are appropriated by malicious actors, it remains in the interest of export control authorities to promote the availability of information security tools and not chill their development. Instead, the primary focus for export control authorities in the application of the Technology classification should be oversight of the consultative services that are rendered prior to or in support of the deployment of Intrusion Software.

The exemptions under both Intrusion Software (for debuggers, software reverse engineering, digital rights management and asset recovery) and IP Network Surveillance (marketing and network management) appear to be narrowly defined and are unlikely to present a significant short-term risk of relabelling by companies that may want to avoid scrutiny. For example, asset tracking, which most closely resembles the tracking function of Intrusion Software, implies ownership of the device. It should not require the opaque behaviour that necessitates bypassing security countermeasures or evading antivirus applications. Similarly, marketing equipment generally maintains an active presence on the network with limited inspection of content, inserting tracking code for the purpose of advertising, as opposed to passive interception and retention of all Internet traffic. In order to avoid possible misuse of the exemptions, it is important that export control authorities maintain an expectation of how exempted devices should operate in order to meet the strict definition of a legitimate objective.

As export control authorities consider licence applications and industry education, it is incumbent on them to ensure that these new regulations are narrowly applied to control equipment, software and technologies that are substantially designed for surveillance, while not chilling research and work that is fundamental to the promotion of Internet security. In the process of determining the applicability of the control language in licensing determinations and pursuing enforcement actions, export control authorities should:

The new Wassenaar Arrangement controls represent the recognition of an increasing need for export control authorities and private industry to limit the proliferation of sensitive technologies to bad-faith actors. Clearly defined and well-enforced Intrusion Software and IP Network Surveillance controls can lay the groundwork for a constructive and expansive role for export controls in the promotion of human rights and cyber security goals.

Diagram for the WA Dual-Use Licensing Process (figure not reproduced in this transcript)
For trade in goods of interest, applications have to be made, and depending on the goods of interest the timeline for the approval process varies from 9 days to 90 days. There are various boards which the application has to go through before it is approved, each of which can either approve or deny the trading licence. It can be noted that the approval chain is simply too long, and it may take months or even a year before any meaningful action has been taken; this can be seen as one of the drawbacks of the WA’s system.

7. SWOT Analysis

The researchers performed a SWOT analysis on the case, with the following result.

STRENGTHS
- Security researchers routinely explore techniques for bypassing system protections
- Centralised control of weaponry
- Enhanced national security

WEAKNESSES
- Hinders creation of new software technologies in developing countries
- Non-member states have no say and are suppressed
- The vagueness of the WA control lists has real-world chilling effects on fundamental academic research
- Makes it more difficult to address zero-day vulnerabilities and other exploits
- Unilateral global restrictions are ineffective

OPPORTUNITIES
- Expand the controlled technologies to include security exploits exported to governments for surveillance

THREATS
- The more sophisticated the technology, the less controllable states will be
- A cornerstone of a new economic world order
- Delay in addressing genuine security risks
8. Findings

- The WA’s rules are vague, especially in clauses which address software.
- The design of Intrusion Software does not constitute a highly sophisticated or exclusive field of knowledge, and thus it would not benefit the objective of the control to regulate research that is not performed for the sole purpose of deploying a commercial product.
- The exploit or vulnerability market is not covered under the definition of Intrusion Software.
- The exemptions under both Intrusion Software (for debuggers, software reverse engineering, digital rights management and asset recovery) and IP Network Surveillance (marketing and network management) appear to be narrowly defined and are unlikely to present a significant short-term risk of relabelling by companies that may want to avoid scrutiny.
- The new Wassenaar Arrangement controls represent the recognition of an increasing need for export control authorities and private industry to limit the proliferation of sensitive technologies to bad-faith actors.

9. Suggestions

- The WA's conditions for a country to be able to participate are rather segregatory. The strictness of the prerequisites for countries to qualify should be lessened.
- The WA should not be like a private treaty between only a few select nations, as is the current situation. It should include as many nations as possible so as to create a global village guided by the same principles and rules in terms of trade.
- If developing nations, Zimbabwe in particular, ever wish to be part of governing bodies like the WA, they should consider abiding by its regulations. That way it is easier for them to be accommodated in the arrangement.
- It was noted that one of the major weaknesses of the WA is that its definitions, especially in clauses that have to do with “Intrusion Software”, are vague. They should therefore be revised and made clear. As they stand, they are so vague that they now limit software developers in coming up with more “Intrusion Software”, which is rather important, and are therefore depriving the security field of necessary software.
- The chain taken to approve trade in goods of interest should by all means be made shorter so as to avoid unnecessary delays.

10. Conclusion

Having researched several articles and journals on the WA, it is evident that the idea behind the formation of the arrangement is a very noble one. Today’s peace is threatened by so many technological advancements, and there is no telling what the other person or corporation is producing and for what reasons. There was therefore a great need to at least set ground rules as to what may be produced and what is allowed to be traded. Some “dual-use goods” truly pose a threat if trade in those items is left uncurbed. However, it has been discovered that most views and concerns are about the vagueness of the rules. They do not clearly state what exactly is prohibited, and in the case of software it is really tricky to label it as intrusive, since the same “intrusive” software used by hackers is also used by legitimate corporations and participating member states to discover and eliminate vulnerabilities in their systems. So to prohibit its trade would be literally leaving organisations vulnerable, with no capability of protecting themselves, which becomes a bigger concern. There is therefore a great need for the participating states to take all these comments and views and make amendments to the WA. Also, in terms of participation, something needs to be done so that they can accommodate countries which may seem not to qualify at the moment (developing nations), because if left out they are deprived of some great technological advancements which they greatly need.
References:

[1] Sandler, Travis and Rosenberg, report dated 06/01/2015, http://www.strtrade.com/news-publications-dual-use-export-controls-Wassenaar-010615.html
[2] Treaty Compliance, http://www.acq.osd.mil/tc/treaties/wass/execsum.htm
[3] Michael Ossmann, Wassenaar Comments, posted 20 July 2015 22:36, https://greatscottgadgets.com/2015/07-20-wassenaar-comments/
[4] Robert Graham, creator of BlackICE, side jacking and masscan; frequent speaker at cybersecurity conferences.
[5] Sergey Bratus, D J Capelis, Michael Locasto, Anna Shubina, October 9, 2014, Why Wassenaar Arrangement’s Definitions of Intrusion Software and Controlled Items Put Security Research and Defence at Risk—And How to Fix It.
[6] HP Pulls Out of Hacking Contest, Citing Changes to Wassenaar Arrangement, posted in Vulnerabilities & Exploits.
[7] Dr. Elizabeth Turpen, Achieving Non-proliferation Goals: Moving from Denial to Technology Governance, June 2009 (pdf).
[8] Tim Maurer, Edin Omanovic and Ben Wagner, Uncontrolled Global Surveillance: Updating Export Controls to the Digital Age, March 2014 (pdf).
[9] Brian Finch and Sanjay Mullick, Strict Controls Proposed on the Export of Cybersecurity Items, May 28 2015 (pdf).
[10] “Structural conflict” was coined by Stephen D. Krasner in Structural Conflict: The Third World against Global Liberalism (University of California Press, Berkeley; 1985), which discusses the North-South divide extensively, including the formation of the Group of 77 and the subsequent calls for a New International Economic Order.
[11] Michael Moodie, “Beyond Proliferation: The Challenge of Technology Diffusion—A Research Survey” in: Weapons Proliferation in the 1990s, Brad Roberts, ed. (Cambridge, MA: MIT Press, 1996), pp. 71-92, and Brad Roberts,