For the past two months, the Department of Commerce's Bureau of Industry and Security (BIS) has been running a public consultation to solicit feedback on its proposal for implementing export controls for intrusion software under the Wassenaar Arrangement. You can read about the proposal and Rapid7's initial thoughts here. The consultation window closed on Monday, July 20th, and I'm excited that numerous companies and security researchers submitted comments. It's great to see so many engaging with the process and trying to ensure we achieve the right outcome.
I also commend BIS for their engagement with the community through this process - I don't think this is an easy knot for them to untangle. It's important to remember that while the US did not propose the addition of intrusion software to the Wassenaar Arrangement controls, as a member nation of the Arrangement, the US must still try to find a way to make it work (unless and until the members of the Arrangement vote to drop intrusion software from their control agreement). Basically, they're trying to make the best of a tough situation, and I believe they are striving to address the concerns of the community.
I expect we will see an updated proposal from BIS, and another public consultation period. This is an unusual measure, but warranted in this situation, and I believe it would demonstrate the desire of the Government to get the implementation right. Should we get a second consultation period, I hope even more organizations will join the discussion as the implications for their security and business become clearer.
In the meantime, attached (below) are the comments Rapid7 submitted for the consultation that just ended. Our CEO, Corey Thomas, will be speaking about some of the challenges outlined in our response at the upcoming meeting of the Information Systems Technical Advisory Committee (ISTAC), hosted by BIS. We hope to see you there.