Time is running out to register comments and complaints about proposed controls on the international export of "intrusion software," and data related to it. Critics in the security community say the regulation could have broad damaging effects on vulnerability research and hinder American security companies' ability to compete.
The proposed regulation is an update to the Wassenaar Arrangement of 1996, an international arms agreement between 41 countries. The original Agreement did not cover "cyber weapons;" the updates are a broadly written effort to do that.
[Head to Las Vegas next month to see "How the Wassenaar Arrangement's Export Control of Intrusion Software Affects the Security Industry," just added to the Black Hat schedule. Kim Zetter, senior writer for WIRED, will moderate a panel discussion with Collin Anderson, researcher for CDA.io, Dino Dai Zovi, mobile security lead at Square, Nate Cardozo, staff attorney for the Electronic Frontier Foundation, and Katie Moussouris, chief policy officer for HackerOne.]
The new rules would require U.S. companies to obtain licenses to export (or re-export or transfer) tools related to IP surveillance and the "generation, operation or delivery of, or communication with, 'intrusion software'" to anywhere outside the U.S. or Canada. The controls also apply to "information 'required for' developing, testing, refining and evaluating 'intrusion software,'" which could extend to vulnerability research as well as penetration testing. The U.S. Department of Commerce's Bureau of Industry and Security (BIS) has proposed to implement the rules, but is accepting public comments through July 20.
The timing is somewhat ironic, considering recent news that the United States government (FBI) purchased surveillance and exploit tools from an Italian firm (Hacking Team); both countries are parties to the Wassenaar Agreement.
American security companies -- particularly those that specialize in malware research and penetration testing -- would need to obtain a license to conduct some standard functions, like network monitoring and IP blocking, if working with clients outside the U.S. or Canada.
Because the export controls also apply to "information 'required for' developing, testing, refining, and evaluating 'intrusion software', in order, for example, technical data to create a controllable exploit," American companies would need to obtain licenses to share information with researchers outside the United States and Canada. However, there is an exemption for "technology or software that is made publicly available."
This could leave American companies even shorter on security talent, which is already in short supply.
It could also have a stifling impact on vulnerability disclosure. Will the public disclosure exemption allow researchers to first privately disclose vulnerabilities to affected software vendors -- and perhaps earn a bug bounty for it -- before it goes public? Must all the data provided, including proof-of-concept code, be published in order for the exemption to apply?
The rule certainly would apply to tools like those sold by Hacking Team, but only if they were being sold by an American company. BIS may choose to implement the rules, but that does not mean that any other nation party to the Wassenaar Agreement needs to do the same.
For all these reasons, U.S. security companies like Symantec, FireEye, and White Hat Security could be at a competitive disadvantage while they wade through red tape. This week, a group of them formed the Coalition for Responsible Cybersecurity to collectively oppose the proposed rules.
“These rules, if they were adopted as they stand today, would put the entire U.S. cybersecurity industry—and everyone who relies on that industry for protection—at risk,” said Cheri McGuire, Vice President, Global Government Affairs & Cybersecurity Policy of Symantec Corporation in a release. “The rule as written is going to hurt cybersecurity research, slow innovation in cybersecurity technology, and put a damper on cybersecurity information sharing.”
Today, Katie Moussouris, chief policy officer for HackerOne and one of the former leaders of Microsoft's bug bounty program, urged the security community to submit their comments to BIS, in a piece she wrote for Wired.
"I personally believe that BIS and other regulators are sincere in their willingness to listen," wrote Moussouris. "It’s up to us to highlight points they may have overlooked or misunderstood."