Until now, nuclear, radiological, chemical and biological weapons have been considered Weapons of Mass Destruction (WMD).
The Bureau of Industry and Security (BIS), an agency of the United States Department of Commerce that deals with issues involving national security and high technology, is proposing to classify cyber security tools as weapons of war in an attempt to control their distribution.
Tools used for the extraction of data or information from a computer or network-capable device, or for the modification of system or user data, will come under this law and are being classified as intrusion software. Tools designed to avoid detection by 'monitoring tools' (antivirus, IDS/IPS, endpoint security products) will also be considered weapons.
Any penetration testing products designed to identify security vulnerabilities of computers and network-capable devices fall under this category.
“The proposal is not beneficial. Most vulnerability scanners and penetration testing products come under it. The proposal means tools from US companies which have been used to do assessments and audits in corporate will need to go through the clearance. It could also lead to corporate getting tracked,” says J. Prasanna, founder of Cyber Security and Privacy Foundation (CSPF).
Most of these cyber security firms should either convince their worldwide clients to go through the process or shift their headquarters out of the USA.
Prasanna pointed out that the US government tried to stop the export of cryptography in the past, but Russian, European and Israeli companies gained an advantage from the cryptography restriction.
He said that the new proposal is bad news for cyber security researchers. If it becomes law, it will force them to find a new way to beat cyber criminals.
“Hackers are already many steps ahead of us. Some tools like Canvas and Metasploit Pro are important tools for penetration testing,” said Prasanna.
Thomas Dullien, a Google researcher, said in his personal blog that the “addition of exploits to the Wassenaar arrangement is an egregious mistake for anyone that cares about a more secure and less surveilled Internet.”
Rapid7, a Boston-based cybersecurity firm well known for its Metasploit pentesting framework, said that it is investigating the implications of Wassenaar for Metasploit and security research, and is working on comments for the consultation.
According to the proposal, the governments of Australia, Canada, New Zealand or the UK will get favorable treatment for license applications, as they have partnered with the US on cyber security policy and issues.
The BIS is seeking comments before 20th July 2015 on the proposed rule. You can submit the comments here.