In December 2013, the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies extended its reach to the cyber world. The extension seemed to signal a broad attack on the export of many categories of cyber security software, including commercially available penetration testing and network monitoring products, zero-days and other computer exploits. These changes emerged after media reports of US government purchases, by the NSA for use by its hacking team, of zero-day computer exploits or vulnerabilities, that is, previously unknown security vulnerabilities.

Cyber security experts have revolted against the Wassenaar changes and against the proposals for their implementation from the US Department of Commerce's Bureau of Industry and Security.

More dangerous?

The general impression is that implementing the Wassenaar changes would actually make the internet more dangerous to users. Google has been quoted as saying the rules “are dangerously broad and vague and would have a significant, negative impact on the open security research community. They would also hamper our ability to defend ourselves, our users and make the Web safer. It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure.”

The fierce criticism and public protest have had a temporary impact. The US has now committed to drafting new rules to replace/amend the earlier draft. VUPEN, a well-known zero-day exploit firm, announced its decision to restrict exploit sales only to approved government agencies in approved countries.

While the Wassenaar Arrangement might have worked in the physical world, will it work in the borderless cyber world? Will a country like Russia, a leading global supplier of cyber security software and tools, implement rules to accommodate it, especially at a time when it is facing sanctions from the US and the EU? It does not seem to be in Russia's interest at all.

India must be alert

India cannot afford to speculate on which way the wind will blow. The ongoing transformation of India into a digital economy implies the need for strong cyber security defences. Imagine a situation where commercial or defence software is found to have vulnerabilities, whether accidental or deliberate, and the country lacks the tools to test for and mitigate such vulnerabilities.

Clearly, India needs to build its own cyber security defences, and fast. Some expertise is available in the country, and it needs to be complemented with global talent. The government, leading software companies, defence companies and major users need to invest in funding and supporting talented cyber security professionals.

The government should support some aggression in sourcing relevant tools, technology and talent from around the world. Israel’s export of cyber security software now exceeds that of physical weapons systems, and there’s a lesson here in the form of a military/industrial cyber security professionals complex to meet India’s needs.

India has faced serious problems in the past with respect to the import of critical technologies in the areas of defence, space and the nuclear sector. In the context of cyber security, we now have advance warning about problems that are around the corner. It makes no sense to run into a wall all over again, and as such a proactive and immediate national response is called for.

The writer is the founder of Cyber Security & Privacy Foundation
