We covered this Wassenaar Arrangement thing before. The latest version of the agreement included 0-days, exploits, and backdoors as regulated and export-controlled “dual-use” technologies. Previously, the US wasn’t recognizing these most recent additions but that is all changing come later this month according to a recent Federal Register notice (pdf). The notice states that the US will be adopting changes made to the list of dual-use items made in December 2013 as of August 4th. The cybersecurity category is getting a bit more time with further guidance and details coming in a separate “rule” in September. So … it looks like you’ll soon need an export license to sell your 1337 0-days to foreign entities.
The Bureau of Industry and Security (BIS) maintains, as part of its Export Administration Regulations (EAR), the Commerce Control List (CCL), which identifies certain of the items subject to Department of Commerce jurisdiction. (This final rule revises the CCL to implement changes made to the Wassenaar Arrangement’s List of Dual-Use Goods and Technologies (Wassenaar List) maintained and agreed to by governments participating in the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (Wassenaar Arrangement, or WA) at the December 2013 WA Plenary Meeting (the Plenary).) The Wassenaar Arrangement advocates implementation of effective export controls on strategic items with the objective of improving regional and international security and stability. (This rule harmonizes the CCL with the changes made to the WA List at the Plenary by revising Export Control Classification Numbers (ECCNs) controlled for national security reasons in each category of the CCL, as well as amending the General Technology Note, WA reporting requirements, and definitions section in the EAR. However, BIS intends to publish a separate rule in September setting forth changes to the CCL resulting from the WA agreements for cybersecurity.) …
Today’s post pic is from Ifex.org. See ya!