Wednesday, December 9, 2015

The Force Awakens: Dec 8 Wassenaar Meeting Notes

I spent my day here so you didn't have to!

So one thing you might know about spooks is that they can "Talk Around" almost any subject. Essentially by using a complex dynamically generated shared key they can sit at a table in a crowded restaurant and converse about secret things in plaintext.

Commerce Dept officials have made an art of doing something similar but without the shared key.

Kevin Wolf (Asst Secretary of Commerce Dept) started off the meeting with a clear indicator that "intrusion software" was not going to get regulated any time soon. Here's how he did it: "As you know, we're coming up to a limit because of the election as to which regulations we can implement. I think we probably have three more slots left. Obviously the Rocket Engines one is almost done, and after that I think maybe we'll work on Night Vision Sensors and Lasers, always important. Lots of good work to do in that area before we're finished. Eventually I think Vehicle Ships and Armor." (Count them - that's three and "intrusion software" is not on that list.)

He also related a story about how in early 2014 they became anxious about the proposed scope of the cyber regulations, which is why it came out as a "proposed rule" and not a finalized rule, something they had not done before. He expected a response, but not the "Rather Aggressive Response about the negative unintended consequences" he got. And of course, he mentioned that while various reports (leaked from State) have pointed towards some sort of resolution of this process by tweaking the implementation, the next step won't be a final rule. In fact, he hinted towards an opening for no rule at all by saying "I'm not sure what the next step is, because we're still talking with the US Gov Agencies, going through comments, getting industry input. When there is some sort of consensus, then we'll know what the next step is, but as the person who signs the rule, I can assure you that there are no positions other than the next step won't be a final rule."

Then he left. Randy Wheeler (of Commerce) pointed out that she's glad so many people from industry showed up to talk about cyber regulations and how they realized it was because there was continued "high interest" in the proposed regulation. The next hour was devoted to the proposed Wassenaar "Intrusion Software" rule.

"NAM is National Association of Manufacturers"
Dr. Sergey Bratus did an excellent job of looking at how there is NO WAY TO DEFINE THE STANDARD EXECUTION PATH OF A PROGRAM. This is key to the language of Wassenaar. It points to a need to go back and renegotiate and remove the whole thing. He was very clear and understandable even to a non-technical audience. The one telling question he got was "Is this something we can work around in our implementation?" (Which I assume was from State Dept representation). And also of course "What about the other clauses that relate to avoiding monitoring, exfilling data - do those help?" ("No.", said Sergey)

Afterwards the National Association of Manufacturers pointed out a couple of key facts.

  1. Every single one of their members, no matter how small, is international
  2. And hires security researchers to find 0day in their equipment
  3. And thinks this issue is important enough to show up and is not ... in favor of crazy regulations
Just having them there at the table was a sign that this process of getting industry input could go on forever. FS-ISAC spoke briefly over the phone at the last meeting, and there are many more ISACs left to go!

Then Tom Millar (DHS) and Allen Friedman (NTIA, another branch of Commerce) had their say. They're not allowed to say anything about the regulation in the open. Instead they said "We feel like there may be some <pregnant pause> detrimental impact on the sharing of information in this space with the proposed regulation."

Afterwards FireEye and IONIC presented some information about how informing their customers about intrusions would be hamstrung.
"Dear State: Your idea is bad and you should feel bad."
Then it was question and answer time, and DHS and NTIA pointed out that not only would the costs of getting a license be passed directly to them and their programs, but also that there would be a "chilling effect" on beneficial information sharing, and that the President has made "information sharing" a clear priority.

One more question that keeps coming up (from State) is "Why are we having all these problems when other countries in the Agreement have implemented the rule and don't seem to be having any issues?" It's a major sticking point for them.

The answer is four-fold.

  1. There are no like-to-like comparisons between other countries' industrial bases and the US industrial base.
  2. Other countries don't enforce export control in the extremely rigorous way the US does. They have a "default we assume you are good unless you are clearly trying to be bad" policy. The US investigates any possible violation as a super-felony with massive liability.
  3. When export control becomes inconvenient, other countries just issue blanket exceptions to local companies (e.g. Hacking Team).
  4. We have a large level of interest from "security researchers" and our industry is not just protecting their own interests, but looking out for broader principles of freedom.

That last point is the most important, and speaks to the long history of those who are non-lawyers but heavily involved in the resistance effort. In the US, researchers have been absorbed into Govt and Industry and are in positions to make this kind of regulation difficult - but of course, more hard work needs to be done to finally kill it forever.

Keep in mind, right now State's argument is not about how beneficial the rule is. It's about how much of a pain in the ass it would be for them to go back and renegotiate.

The comment section:

Sergey's paper:


  1. Great summary, thanks for posting. I would add a fifth factor to your reasons why other countries don't seem to be having any issues: 5. Other Wassenaar countries, including many EU countries, have favorable license exceptions for exports of intrusion software to friendly countries, including the U.S. And, importantly, they don't have a policy of denial for 0-days. So in other words, if you are a company in the UK, you can export intrusion delivery software to the U.S. under a license exception, even if it supports 0-days or rootkits. But not true vice versa.

  2. Dave - thanks for taking the time and providing a useful summary - much appreciated