Comments on BIS Wassenaar Proposed Rule
Art Manion and I recently submitted comments to the Department of Commerce Bureau of Industry and Security on their proposed rule regarding Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items. While our detailed comments are lengthy, we summarize our contributions here.
We're experienced in the security research field, but not in the export control field. We reviewed the proposed rule carefully, but we don't understand some important aspects of it. We recommend creating a second draft and establishing a corresponding comment period.
We are concerned about the likely chilling effects on vulnerability discovery and disclosure. Such effects could impair vulnerability remediation and management.
Difficulty and ambiguity in defining which software (technology) the proposed rule is meant to cover are likely to have the unintended consequence of chilling beneficial public security research. To ease this risk, we recommend the following:
- Avoid the terms "zero-day exploit capability" and "rootkit capability" entirely, as (1) they are not well defined and (2) they do not adequately delineate a specific class of intrusion software.
- Define "carrier class IP network" clearly using well-defined technical metrics.
- Clarify what is meant by "externally provided instructions."
Our detailed comments are also available.