The Wassenaar Arrangement can be a difficult topic to approach because it deals with “good guys” vs the “bad guys”. The problem is, everyone has different definitions of “good guy” vs “bad guy”.

This international arrangement is officially defined as “Export Controls for Conventional Arms and Dual-Use Goods and Technologies”.

So what does that mean?

If you are old enough, or are familiar with the Cold War, it was a time when the United States and the Soviet Union kept a close eye on each other in order to make sure each one doesn’t have more power than the other in terms of weapons. The United States did all it can to make sure the Soviet Union did not start to amass a large depot of nuclear missiles, and the Soviet Union did all it can to make sure the United States didn’t do the same. Each one wanted to make sure it did not have an advantage over the other. This is a very BASIC overview, as the Cold War was much more complicated and spread out over multiple geographic regions.

Countries that participate in The Wassenaar Arrangement – Source: Wikipedia

But it’s not just missiles that can cause one country to have a greater advantage over another country.

Real-World Example

Suppose SNT Corporation has just been awarded a contract to develop modular weapons systems and accompanying technology for the Defense Advanced Research Projects Agency (DARPA). SNT Chief Engineer Oscar Vailich, using Soviet designs developed during the darkest days of the Cold War, builds a completely self-mobile nuclear launch platform capable of traversing even the harshest mountain terrain.

This modular combat unit contains sophisticated rail gun technology to launch a nuclear-armed intercontinental ballistic missile capable of avoiding RADAR and without the use of rocket propulsion. This makes the actual launch event undetectable by satellite thermal imaging.

The United States Defense Department cuts a secret deal to sell 10 of these mobile nuclear launch units to Ukraine, giving the embattled former Eastern Bloc nation a considerable strategic advantage in its current territorial squabble with the Russian Federation.

This is a direct violation of The Wassenaar Arrangement, as the USA has given the Ukraine an unfair advantage over Russia.

How It Relates To the CISSP

For the CISSP exam, The Wassenaar Arrangement has to do with cryptography. If you’re a CISSP consultant working for a business that deals with customers around the world, you’ll have to be familiar with import/export laws as it pertains to The Wassenaar Arrangement.

What if you went to another country, setup a very strong cryptographic mechanism such as an IPSec VPN in your local headquarters, and it was somehow stolen?

Now, there is a potential of someone in that foreign country with access to the encryption algorithm to hide their own messages that could not be read by the authorities. What if the ones that stole this technology used it to encrypt messages to attack something, someplace, or someone?

Because you didn’t research the import/export laws of that country, and did not choose to possibly avoid the risk, you may be held liable, or worse, blamed for the foreign entity’s unfair advantage and ability to successfully attack the United States.

For example, just look at what it says on the Cisco website in regards to their IPS and ASA Firewalls.

***NOTICE*** This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export@cisco.com.

Serious stuff.

Before implementing any cryptographic mechanisms in other countries, always make sure you know the laws FIRST.

Remember, cryptography can be a weapon!

This is a very testable concept on the CISSP exam.