Cisco Blogs


Concerns about the Department of Commerce’s Proposed Export Rule under the Wassenaar Arrangement

Today, Cisco filed comments on a Proposed Rule published by the Department of Commerce’s Bureau of Industry and Security (BIS) in an effort to comply with an international agreement called the Wassenaar Arrangement. The proposal would regulate a wide array of technologies used in security research as controlled exports, in the same manner as if they were munitions. Cisco, along with many other stakeholders in the cybersecurity research field, has identified a number of significant concerns that we believe require BIS to revisit the text of the Proposed Rule.

BIS’ focus on limiting the cross-border trafficking of weaponized software is well-intentioned, but the current text would cause significant unintended consequences that must be addressed in a revised draft of the Proposed Rule. If implemented in its current form, the Proposed Rule would present significant challenges for security firms that leverage cross-border teams, vulnerability research, information sharing, and penetration testing tools to secure global networks, including Cisco. The result would be to negatively impact, rather than to improve, the state of cybersecurity.

The goal of regulating the export of weaponized software is understandable. However, many of the same techniques used by attackers are important to developers testing their defenses and developing new effective responses. Cisco needs access to the very tools and techniques that attackers use if we have any hope of maintaining the security of our products and services throughout their anticipated lifecycles. The development of new export control requirements must, therefore, be done carefully and based upon the needs of legitimate security researchers. Otherwise, we will leave network operators blind to the attacks that may be circulating in the criminal underground—and ultimately blind to the very weaponized software that the proposed rule intends to constrain.

The requirements in the Proposed Rule are far broader than necessary to address BIS’ stated intent—controlling the export of weaponized software. We look forward to working with the Department of Commerce to ensure that the goals of the proposal can be met in a manner that is technology neutral, narrowly tailored to the actual risks faced by the nation, and reflective of the needs of legitimate security researchers seeking to protect the information technologies upon which we increasingly rely.

We look forward to continuing the conversation.



November 20th Webinar: Protecting Industrial Control Systems Using Cisco IPS

We invite you to join us for a webinar scheduled for 20 November 2012 where we’ll discuss how to protect Industrial Control Systems using Cisco Intrusion Prevention Systems (IPS).

Industrial control systems is the term used to identify several types of control systems, including supervisory control and data acquisition (SCADA) systems, process control systems (PCSs), and other smaller control system types, such as programmable logic controllers (PLCs), used in critical infrastructure such as power plants, oil and gas pipelines, electrical power distribution, and manufacturing facilities.

Historically, these control systems were kept separate from the corporate network for health and safety reasons. That isolation traditionally made them difficult to break into.

More recently, control systems may be running Windows or Linux, using the Internet Protocol (IP) to communicate, giving direct access to SCADA networks via the Internet. Wireless and Bluetooth capabilities allow remote management and diagnosis. These connections to the outside create a massive challenge from a security perspective for the following reasons:
