How the Wassenaar Agreement Affects the Free Exchange of Threat Intelligence

How the Wassenaar Agreement Affects the Free Exchange of Threat Intelligence

The 2013 amendment of the Wassenaar Agreement threatens the free exchange of threat intelligence information internationally. This concept is an example of the naïveté of lawmakers when it comes to understanding cyber security, information sharing and who will feel the impact of this legislation. The original purpose of the amendment was to prevent Western technology companies from selling surveillance technology to governments known to abuse human rights. The major issue is that the term “surveillance technology” also lumps in intrusion detection systems and the sharing of zero day exploits. Violations of this agreement result in a $250,000 fine and five years in jail.

Sometimes we, as humans, fail to learn from lessons of those that came before us. When Sun Tzu wrote “The Art of War,” there is no way he could have imagined that his words would translate into today’s modern, high tech world. The education Sun Tzu teaches that applies here is, “know thy enemy.” The complete quote is “if you know your enemies and know yourself, you will not be imperiled in a hundred battles.” Although battles take place in different venues, with new tools and among varied enemies, this concept remains unchanged for thousands of years.

The need for threat intelligence

Since the early days of Internet threats such as SQL Slammer or the Melissa virus, having reliable, specific details about a threat was a high priority. Even before the days of Twitter, texting, or smartphones, we, as security professionals, coveted threat content details and found ways to obtain them. While the sharing of these details has stayed the same, the way we consume this data has changed in our industry.

Usually, we all have two or three reliable sources of information. These sources may change over time, but the concepts remain the same. Information sharing about potential zero day attacks or the latest phishing campaign is a tool in the security professional’s toolbox. How could the government think it’s a good idea to remove this capability? Also, what gives them the right to limit our ability to obtain knowledge?

Information sharing

It would be a different story if governments, in general, shared the information they have with the IT security industry, but they don’t. Government agencies share information through public releases, but cyber security notices from the U.S. government are often “old news” by the time they are delivered. Threat intelligence information sharing is a “right now, on demand” practice and the government appears to be the opposite of “right now, on demand.” Even if there was a nationwide cyber threat notification system, I feel that bureaucracy would impair its ability to provide efficient and timely information.

Hackers gonna hack

For just a minute, let’s consider who would be impacted by this proposal. Hackers gonna hack, so we know the threat isn’t going away. Do you think a hacking group in Brazil is worried about the Wassenaar Agreement? International law enforcement already struggles to coordinate, track and apprehend cyber criminals. While international efforts are improving—as seen with the recent Darkode bust—they are still a long way from successfully enforcing cyber laws globally.

So, if security professionals know they can’t get reliable, actionable threat intelligence from government entities and hackers gonna hack, who does the Wassenaar proposal really help? Will this proposal change the threat intelligence community?

According to this article, there is a chance to change the language of the proposal and allow reason and logic to prevail. We need security professionals to take up this cause and have their voices heard.

This is a call to action, be a game changer. Here is the plan:

  1. Read about the proposal
  2. Share it within your sphere of influence
  3. Make sure your legal team is informed
  4. Discuss the topic at local chapter meetings
  5. Use social media to spread the word

Active threat intelligence is one of the most valuable tools in the information security toolbox and it benefits the entire community; let’s work together to protect each other.

Check out the great panel that provided a great discussion forum on this subject at the Black Hat USA Conference: https://www.blackhat.com/latestintel/07172015-wassenaar.html.

About the Author

Paul Fletcher - Cyber Security Evangelist at Alert Logic

Paul Fletcher

Paul Fletcher has over 20 years of experience in information technology and security. Prior to joining Alert Logic, Fletcher advised executives in the energy, retail, and financial sectors regarding emerging security threats and mitigation strategies. Additionally, he has worked with Fortune 50 organizations, the Department of Defense, and critical infrastructure organizations to implement risk management plans and security solution designs. His other specialties include network security, customer data integrity, application security, forensics investigation, threat intelligence, and incident response. Fletcher holds a Master of Arts and Bachelor of Science degree and is a Certified Information Systems Security Professional (CISSP).

@_PaulFletcher | More Posts by Paul Fletcher