Licensed to Pwn: The Weaponization and Regulation of Security Research presented at Defcon 2015

by Dave Aitel, Matt Blaze, Nate Cardozo, Jim Denaro, Mara Tam, Catherine Wheeler,

Summary : Security research is under attack. Updates to the Wassenaar Arrangement in 2013 established among its 41 member nations an agreement to place a variety of previously undesignated “cybersecurity items” under export control. After 18 months and a half-dozen open advisory meetings, the U.S. has taken the entire security research community by surprise with its proposed rule; we are confronted by a sweeping implementation with profound consequences for academia, independent research, commercial cybersecurity, human rights, and national security.
While the outcome of this round of regulatory intervention is still uncertain, the fact that there will be more is not. This panel of experts will discuss the context, history, and general process of regulation, as well the related question of “weaponized” research in regulatory discourse.
There is significant daylight between the relatively lax text of the Wassenaar Arrangement itself and the extraordinarily broad implementation proposed in the U.S. What will the practical effects of those differences be, and why did the U.S. diverge from the Wassenaar text? Regulators are, even now, still struggling to comprehend what the consequences of this new “cyber rule” might be. So, how are we to understand this regulatory process? What are its objectives? Its impacts? Its limits? How can we influence its outcomes?
Eleventh-hour interventions are quickly becoming a hallmark of regulatory activities with implications for the wider world of information security; the fight here is almost exclusively a rearguard action. Without resorting to the usual polemics, what failures of analysis and advice are contributing to these missteps – on both sides? What interests might encourage them? How are security researchers being caught so off-balance? Come victory or despair in the present case, this panel aims to answer the question of whether there is a solution that prevents technology transfer to hostile nations while still enabling free markets, freedom of expression, and freedom of research.