The purpose of this post is to help answer questions about the Wassenaar Arrangement. You can find the US proposal for implementing the Arrangement here, and an accompanying FAQ from the Bureau of Industry and Security (BIS) here. For Rapid7's take on Wassenaar, and information on the comments we intend to submit to BIS, please read this companion piece. If you would like to propose a question to be added to this FAQ, please email us, or post it in the comments section below.
1. What is the Wassenaar Arrangement and who are its members?
The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (“Wassenaar” or the “Arrangement”) is a voluntary, multilateral export control regime whose member states exchange information on transfers of conventional weapons and dual-use goods and technologies. The Arrangement's purpose is to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies (i.e., items with predominantly non-military applications that nonetheless may be useful for certain military purposes) to prevent destabilizing accumulations of those items. Wassenaar establishes lists of items for which member countries are to apply export controls. Member governments implement these controls to ensure that transfers of the controlled items do not contribute to the development or enhancement of military capabilities that undermine the goals of the Arrangement, and are not diverted to support such capabilities. In addition, the Wassenaar Arrangement imposes certain reporting requirements on its member governments.
The participating states of the Wassenaar Arrangement are Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Mexico, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Russian Federation, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom and United States.
2. What are the members’ obligations under Wassenaar?
The Wassenaar control lists do not have binding legal force throughout the member states. All Wassenaar controls must be implemented through national legislation and policies to have effect and the member states have full discretion with respect to whether and how the controls are implemented. Because member states enjoy discretion as to whether and how to implement the Wassenaar controls, there are variations in the specific export control laws and regulations among the members.
3. What are the Export Administration Regulations?
With respect to dual use goods and technology, the United States generally implements the Wassenaar control lists through the Export Administration Regulations (“EAR”). The EAR regulate exports of commercial and “dual-use” goods, software and technology. These regulations are administered by the Commerce Department’s Bureau of Industry and Security (“BIS”).
Exports of items controlled under the EAR may require a specific license from the Commerce Department, depending upon the reasons for control applicable to the particular items, the country of destination and the purposes for which the items will be used. In certain instances, a license exception may be available under the EAR.
4. What is an export?
Under the EAR, the term “export” is broadly defined. It includes: (1) an actual physical shipment or transmission of controlled items out of the United States; and (2) any written, oral, or visual release or disclosure of controlled technology, information, or software to a non-U.S. person either inside or outside the United States. Therefore, transmissions to a non-U.S. person within the United States, e.g., a person working in a U.S. company or participating in a university research project involving controlled technology, are also covered by the EAR and may require a license. Such transmissions are called “deemed exports.” Non-U.S. persons include anyone other than a U.S. citizen, a lawful permanent resident of the United States (such as individuals with Green Cards), or a “protected individual” (e.g., refugees or persons seeking asylum). In addition, taking along controlled technology (e.g., laptops and software) during travel to a foreign country may also raise export control issues.
A software export under the EAR includes “any release of technology or software subject to the EAR in a foreign country,” or any release of “source code subject to the EAR to a foreign national.” The actions comprising a release of software and technology are broad, extending beyond the physical export of tangible goods or electronic transmissions. These actions include the visual inspection by foreign nationals, exchanges of information, or the application abroad of personal knowledge or technical experience acquired in the United States.
5. How will the proposed regulations relating to cybersecurity items effect the export licensing requirements for Metasploit and similar products?
On May 20, 2015, BIS published a proposed rule (the “Proposed Rule”) imposing a restrictive license requirement on exports, reexports, and transfers (in-country) of systems, equipment and software for the “generation, operation or delivery of intrusion software” (“Intrusion Items”) and Internet Protocol (IP) Network communication surveillance systems or equipment (“Surveillance Items),” as well as related software that is specially designed for such items and technology for the development and production of such items.. As published in the Proposed Rule, the terms “intrusion software” and “surveillance systems and equipment” are broadly defined and would restrict exports of many commercially available penetration testing and network monitoring products, including commercial versions of Metasploit.
Most of the cybersecurity items covered by the Proposed Rule are currently controlled as encryption items. However, the Proposed Rule would subject cybersecurity items with encryption functionality to overlapping regulatory requirements and increase the compliance burden for exporters, who would have to comply with the requirements of both the existing encryption controls and the Proposed Rule.
In addition, the Proposed Rule would render covered cybersecurity products ineligible for most license exceptions under the EAR, including License Exception ENC. License Exception ENC currently permits the export of encryption items to foreign subsidiaries of U.S. companies as well as deemed exports to foreign national employees of U.S. companies. However, the Proposed Rule would require an export license in those instances.
Specifically, under the Proposed Rule, exports of Metasploit would require a specific license for all destinations other than Canada. BIS has indicated that it would review favorably license requests to certain destinations, including U.S. companies or subsidiaries not located in embargoed countries (currently, the Crimea region of the Ukraine, Cuba, Iran, North Korea, Syria, and Sudan) or countries of national security concern (currently, Armenia, Azerbaijan, Belarus, Burma, Cambodia, China, Georgia, Iraq, Kazakhstan, North Korea, Kyrgyzstan, Laos, Libya, Macau, Moldova, Mongolia, Russia, Tajikistan, Turkmenistan, Ukraine, and Vietnam), commercial partners located in certain countries that are close allies of the U.S., and government end users in Australia, Canada, New Zealand, and the United Kingdom. However, BIS has also indicated that it would apply a presumption of denial to license applications for items that have or support “rootkit” or “zero-day” exploit capabilities. Depending on how these terms are applied, they could extend to Metasploit.
While BIS states that it anticipates “licensing broad authorizations to certain types of end users and destinations” to counterbalance the loss of the use of License Exception ENC, BIS has not specified any details of those authorizations.
6. How will the Proposed Rule relating to cybersecurity items effect research activities?
Research is not specifically addressed in the Proposed Rule, although BIS has stated that the intent is not to interfere with “non-proprietary research,” by which we interpret BIS to mean research activities that are intended to lead to the public identification and reporting of vulnerabilities and exploits (in contrast to bug bounties, or research relating to exploits that will be sold commercially). In the Federal Register notice announcing the Proposed Rule, BIS explained that the proposed controls on technology for the development of intrusion software would include proprietary research on the vulnerabilities and exploitation of computers and network-capable devices. BIS has since elaborated that these proposed controls would regulate, among other things, proprietary (i.e., non-public) technology relating to the development, testing, evaluating, and productizing of exploits, zero days and intrusion software.
Notably, research regarding exploits that incorporate encryption is currently (and will continue to be) regulated pursuant to the encryption controls under the EAR. These controls restrict the ability of researchers to transmit or publish exploits that utilize encryption if those exploits are not in the public domain. Under the EAR, the only way to report and publish exploits that utilize encryption without an export license is to make the exploit publicly available pursuant to License Exception Technology Software Unrestricted (TSU), whereby the exporter provides the U.S. Government with a "one-time" notification of the location of the publicly available encryption code prior to or at the time the code is placed in the public domain.
7. BIS has published an FAQ indicating that researchers can simply publish exploits without the need for a license and that published information is not subject to the EAR. Is this true?
Not entirely. BIS’s Proposed Rule focuses on the command and delivery platforms for generating, operating, delivering and communicating with “intrusion software.” The Proposed Rule does not control any “intrusion software.”
Intrusion software that does not contain any encryption functionality is currently and will remain designated for export control purposes as “EAR99” and may be exported to most destinations without an export license. Consistent with BIS’s FAQ, items that are designated EAR99 are no longer subject to the EAR once they are published.
However, most exploits utilize encryption functionality to avoid detection and to communicate with the command and delivery platform. Such exploits are subject to the encryption controls under the EAR. As explained above, the only way to report and publish exploits that utilize encryption without an export license is to make the exploit publicly available pursuant to License Exception TSU.
8. How will the Proposed Rule relating to cybersecurity items affect open source versions of Metasploit?
The Proposed Rule will have no effect on open source versions of Metasploit, which will continue to be exempt from licensing requirements under the EAR.
We intend to advocate for clear protections for activities relating to security research activities and to the public reporting of exploits.
9. What challenges will the Proposed Rule present to users of Metasploit and similar penetration testing products?
Currently, Metasploit and similar penetration test products that utilize encryption are eligible for certain license exceptions under the EAR that permit such products to be used effectively in international environments. However, under the Proposed Rule, Intrusion and Surveillance Items will not be eligible for these license exceptions. As a result, activities relating to the use of these products that are currently authorized would require a specific license under the new Proposed Rule. The following are two examples:
- Hand carriage of Intrusion Software or Surveillance Items: The hand carriage of a computer and/or software outside of the United States constitutes an export. Currently, there are several license exceptions under the EAR that authorize individuals to hand carry a computer and/or software outside of the United States provided that the conditions and limitations associated with the license exceptions are followed.
Under the Proposed Rule, however, individuals would not be able to rely on these license exceptions when traveling outside of the United States with Intrusion or Surveillance Items. In such cases, individuals would be required to obtain a specific license in advance of their trip.
- Internal Use and Dissemination of Intrusion or Surveillance Items: As noted above, penetration testing and other cybersecurity products that utilize encryption are currently subject to export restrictions under the EAR. Currently, the international deployment of such products with encryption functionality by U.S. companies and their overseas subsidiaries is authorized under a license exception. However, the Proposed Rule would eliminate this license exception and U.S. companies would need to obtain export licenses to send cybersecurity products to their overseas facilities for internal use. We believe that imposing a licensing requirement on the internal deployment of products will lead to delays in the deployment and use of new and effective cyber security products.
Again, if you would like to propose a question to be added to this FAQ, please email us, or post it in the comments section below.