XXXXXXXXXXXX and XXXXXXXXXXXX,

I'm writing you because my understanding is that BIS is currently in the process of considering implementation of the new Wassenaar controls related to "Intrusion Software." These controls have started to raise some concerns within the professional community associated with information security vulnerability research. I asked XXXXXXXXXXXXX who I might reach out to in order to provide some input and he suggested that I start by emailing the two of you.

I appreciate your time in reading this. I have some experience working with the EAR as a technical SME within export compliance programs at IBM and Internet Security Systems, and I have great deal of professional experience with security vulnerability research and coordination, so I believe I have sufficient experience to provide you with an informed perspective.

Although there are a number of different concerns that have been raised regarding these new controls, I want to focus my comments specifically on the Category 4.E.1.C controls on "technology" for the "development" of "intrusion software." I don't believe that the potential unintended consequences of the technology controls in particular have received enough emphasis in the comments that I have read to date by other parties.

Computer security professionals use the word "vulnerability" to refer to a flaw in a software system which allows another program, such as an "intrusion" program, to modify "the standard execution path of a program or process in order to allow the execution of externally provided instructions." A great deal of the work that we do in information security has to do with finding and fixing these vulnerabilities, and that work involves getting information about newly discovered vulnerabilities into the hands of people who are in a position to fix them before that information falls into the hands of computer criminals. The exchange of information about these vulnerabilities is the life blood of information security, and that exchange often happens behind closed doors, across international borders, and sometimes, in exchange for money.

Unfortunately, the technical information that you would provide another person about a security vulnerability if you wanted them to fix it is the exact same information that you would provide them if you wanted to enable them to write an "intrusion program" that exploits it. In fact, one of the jobs that I personally held at IBM and Internet Security Systems was to take information about vulnerabilities that was provided to us and use that information to implement a corresponding "intrusion program" so that we could verify that the vulnerability had been fixed properly.

Therefore, an export control on "technology" for the "development" of "intrusion software" may wind up also controlling the exchange of information needed to fix the flaws that "intrusion software" takes advantage of. Any export control regime that d... [ Read More (0.5k in body) ]