marasawr @marasawr, 21 tweets
Given this morning’s Wassenaar flame-war (눈_눈 @daveaitel), let’s have a quick look at the “intrusion software” decontrol notes added at the December 2017 plenary.¹
__
¹ Follow along at pp. 77-79 here (pdf) wassenaar.org/app/uploads/20…
Before getting into the local definitions in the Technical Notes, Note 1 is a decontrol, but Note 2 is a statement of understanding.
Remembering that Wassenaar is already a voluntary Arrangement, Note 2 is pretty h*ckin’ important, as it reaffirms the right of Participating States to decide what constitutes conformity with their national implementations
Note 2 basically acknowledges the concerns of some Participating States that the following local definitions may somehow interfere in their internal affairs, violate sovereignty, &c. Which they don’t anyway because voluntary, but whatever.
As for the local definitions, here’s a colour-coded breakdown of their constituent moving parts
The fact of there being end-use/user specifications is unusual for Wassenaar. Solid WA controls are crafted from functions an item performs (things it is FOR), observable characteristics (things it is HAVING) or measurable performance levels
To get an idea of what more conventional control formulations look like, flip to Materials Processing.²
__
² From p. 24 (pdf) wassenaar.org/app/uploads/20…
Unconventional characteristics of the “intrusion software” decontrol and Technical Notes vis-à-vis the Arrangement‘s own standards aside, there’s also this problem
From an implementation perspective, nothing exists in the text of the Arrangement to preclude a Participating State from defining conformity with the 4.E.1.a. and 4.E.1.c. “Technology” controls in a way which completely ignores the decontrol note
And in fact the Statement of Understanding effectively affirms ‘Yes, you, [Participating State], can totally do that’
The changes to the “intrusion software” controls in 2016 were considered non-substantive; the 2017 changes affirm general principles about not impeding incident response and vuln disclosure, but explicitly allow for as many flavours of national enforcement as one can imagine
Having worked in real arms control, I find that provisions like that make me fairly crunchy
We’re careening towards a world without arms control full stop, and infosec’s contributions to Wassenaar so far have been to say ‘burn it down,’ or to further damage its integrity with shitty controls
As an aside, EU recently modified sanctions against Myanmar to restrict export of communications monitoring ‘equipment that can be used for internal repression.’ ³
__
³ consilium.europa.eu/en/press/press…
UK removed Myanmar from their Sched. 2 permitted destinations list and published amended open general export licences (OGELs) 5 days later.⁴
__
⁴ gov.uk/government/pub…
EU have been using the ‘equipment that can be used for internal repression’ designation in targeted sanctions for a decade or more. These instruments are nimble and responsive in a way that Wassenaar just isn’t
Whether you care about the integrity of the Arrangement, decreasing regulatory burden and confusion, or preventing human rights abuses, this is a universally better option to advocate
However, it is politically more expensive, and that’s where it gets a little ugly — at some point it becomes a question of expenditure of political capital by foreign ministries vs regulatory burden borne by industry, academia, and individuals
Which is basically the story of export controls since beginningless time. Anyway, hard things are hard. /fin
P.S. Nobody tell @i0n1c, but I’ve been successfully using his PEGASUS writeups in policy interventions to illustrate why neither bug bounties nor compelled disclosure will ‘solve’ security.⁵
__
⁵ sektioneins.de/en/blog/16-09-…
There’s a semi-serious point to be made here about the value of great attack research + analysis to Policy People (at least the ones who know/care how computers work)