The 2013 amendment of the Wassenaar Agreement threatens the free exchange of threat intelligence information internationally. This concept is an example of the naïveté of lawmakers when it comes to understanding cyber security, information sharing and who will feel the impact of this legislation. The original purpose of the amendment was to prevent Western technology companies from selling surveillance technology to governments known to abuse human rights. The major issue is that the term “surveillance technology” also lumps in intrusion detection systems and the sharing of zero day exploits. Violations of this agreement result in a $250,000 fine and five years in jail.
Sometimes we, as humans, fail to learn from lessons of those that came before us. When Sun Tzu wrote “The Art of War,” there is no way he could have imagined that his words would translate into today’s modern, high tech world. The education Sun Tzu teaches that applies here is, “know thy enemy.” The complete quote is “if you know your enemies and know yourself, you will not be imperiled in a hundred battles.” Although battles take place in different venues, with new tools and among varied enemies, this concept remains unchanged for thousands of years.
The need for threat intelligence
Since the early days of Internet threats such as SQL Slammer or the Melissa virus, having reliable, specific details about a threat was a high priority. Even before the days of Twitter, texting, or smartphones, we, as security professionals, coveted threat content details and found ways to obtain them. While the sharing of these details has stayed the same, the way we consume this data has changed in our industry.
Usually, we all have two or three reliable sources of information. These sources may change over time, but the concepts remain the same. Information sharing about potential zero day attacks or the latest phishing campaign is a tool in the security professional’s toolbox. How could the government think it’s a good idea to remove this capability? Also, what gives them the right to limit our ability to obtain knowledge?
It would be a different story if governments, in general, shared the information they have with the IT security industry, but they don’t. Government agencies share information through public releases, but cyber security notices from the U.S. government are often “old news” by the time they are delivered. Threat intelligence information sharing is a “right now, on demand” practice and the government appears to be the opposite of “right now, on demand.” Even if there was a nationwide cyber threat notification system, I feel that bureaucracy would impair its ability to provide efficient and timely information.
Hackers gonna hack
For just a minute, let’s consider who would be impacted by this proposal. Hackers gonna hack, so we know the threat isn’t going away. Do you think a hacking group in Brazil is worried about the Wassenaar Agreement? International law enforcement already struggles to coordinate, track and apprehend cyber criminals. While international efforts are improving—as seen with the recent Darkode bust—they are still a long way from successfully enforcing cyber laws globally.
So, if security professionals know they can’t get reliable, actionable threat intelligence from government entities and hackers gonna hack, who does the Wassenaar proposal really help? Will this proposal change the threat intelligence community?
According to this article, there is a chance to change the language of the proposal and allow reason and logic to prevail. We need security professionals to take up this cause and have their voices heard.
This is a call to action, be a game changer. Here is the plan:
- Read about the proposal
- Share it within your sphere of influence
- Make sure your legal team is informed
- Discuss the topic at local chapter meetings
- Use social media to spread the word
Active threat intelligence is one of the most valuable tools in the information security toolbox and it benefits the entire community; let’s work together to protect each other.
Check out the great panel that provided a great discussion forum on this subject at the Black Hat USA Conference: https://www.blackhat.com/latestintel/07172015-wassenaar.html.