Pardon the “intrusion”: advancing the dialogue on export controls and “intrusion software”

Since I wrote about Microsoft’s comments on the Proposed Rule under the Wassenaar Arrangement, Microsoft has been continuing to work with the Wassenaar member states and the security community to find a balance between the needs of security researchers and regulators. Today, Microsoft is furthering the conversation by publishing a whitepaper entitled “Rethinking Intrusion Software: Ideas for a more sustainable approach”.

In 2013, members of an export control regime known as the Wassenaar Arrangement were concerned about hackers using certain types of tools to violate human rights and threaten national security, and they agreed to create a “control” on the creation and use of intrusion software. The control was created within the confidential confines of the member states’ deliberations and started gaining public attention in late 2014 and early 2015, when member states began its implementation.

Over the past two years, the global security community has expressed concern about the overbroad controls and lack of clarity about how intrusion software will be regulated under export control laws in the 41 Wassenaar member states, which include all nations in Europe. Many in the security community are still struggling to understand what the new laws mean, and how to apply them, given the variety in implementation processes across the Wassenaar member states.

At the heart of the regulatory challenge now being faced by security experts is what I describe as the “what if” problem. Software developers and security engineers are no different from engineers in other disciplines. They ask “What if…?” and go explore new ideas and push new boundaries in order to innovate. Wassenaar would oblige those software developers and security engineers to push pause on that “what if” and go find an export control expert (assuming the company is large enough to have one) and ask whether the work could continue, or whether it needed an export control review or license. What if that software engineer, working to fix a vulnerability exploit or analyzing a computer hack, had to wait several weeks for a license review to be completed before finishing that research?

The security community is encouraged by reports that governments are starting to realize the “what if” problem and are responding accordingly. Wassenaar members met in June, with states agreeing to revisit certain parts of the intrusion software control language.

This September, representatives from Wassenaar member states will continue deliberations on the “intrusion software” control. The upcoming meeting will hopefully build on progress that the governments made in June, and result in a more narrowly tailored control that supports cybersecurity response, development, and innovation.

To support member states in this process, Microsoft is issuing a new white paper entitled “Rethinking Intrusion Software: Ideas for a more sustainable approach”. The paper lays out principles for developing cybersecurity controls, including: (1) Focusing on a publicly-articulated problem; (2) Creating controls to address the articulated problem; and (3) Committing to transparency throughout the process to review and create the new control. We also provide context about how developers and responders leverage different types of technology in order to respond to new threats and create new ideas.

We remain committed to working with Wassenaar member states and with the security community worldwide to find better solutions to balance the needs of security researchers and innovators against the needs of the export control regulators. We hope that next week’s Wassenaar discussions continue to highlight the challenges of balancing the needs of security responders and researchers to advance cybersecurity and the interests of government in regulating certain categories of security tools. This may be a multi-year conversation, but it is one that Microsoft will continue to help advance.


Cristin Goodwin
General Manager, Digital Security Unit

Cristin Flynn Goodwin is the Assistant General Counsel for Cybersecurity in Microsoft’s Trustworthy Computing division, supporting Microsoft's security business. Since 2008, she has been Microsoft’s lead counsel for all aspects of Microsoft’s security incident response processes and security updates for over a billion customers around the world. Cristin also provides legal counsel for Microsoft’s cyber security public policy worldwide, supporting her clients and legal and policy experts in Microsoft’s subsidiaries worldwide.