In spite of self-congratulatory pats on the back from several corners of the security world, this week’s decision from the Commerce Department’s Bureau of Industry and Security (BIS) to rewrite the proposed U.S. implementation of the Wassenaar Arrangement rules was an expected outcome—albeit an unusual one.
A 60-day comment period ended on July 20 and an outpouring of opposition from more than 300 technology companies and individual researchers against the first round of rules helped sway BIS. The rules, most argued, were too broad, sweeping up legitimate technologies such as penetration testing software, as well as encompassing white-hat research that involves the development of proof of concept exploits for new vulnerabilities.
