Wassenaar Arrangement – Wording is Everything

By John Atienza on March 4, 2016


  1. https://threatpost.com/white-house-wants-to-renegotiate-u-s-implementation-of-wassenaar/116531/
  2. http://www.theverge.com/2015/7/20/9005351/google-wassenaar-arrangement-proposal-comments
  3. http://thehill.com/regulation/cybersecurity/248579-cyber-industry-assails-anti-hacking-regulations

The Wassenaar Arrangement is a deal meant to control the exportation of conventional firearms, dual-use goods, and dual-use technologies.
The cybersecurity problem this creates is that the wording of a particular section of the arrangement is too broad. A section in the deal refers to cybersecurity tools as intrusion technologies. Unfortunately, this term covers a broad spectrum of tools that cybersecurity professionals use to research vulnerabilities and attacks, perform penetration tests, and make security assessments. Many of these “intrusion technologies” actually play a role in governance and compliance with respect to PCI-DSS, HIPAA, SOX, etc. The troubling thing is that there may not be enough time for the arrangement to go through another rewrite and for the draft to go through another comment period before the Wassenaar meeting in December.