
U.S. Vuln Research, Pen Test Firms Protest Impending Export Controls

American security companies have the most to lose from new rules that would restrict the export of tools and information about network surveillance and 'intrusion software.'

Time is running out to register comments and complaints about proposed controls on the international export of "intrusion software," and data related to it. Critics in the security community say the regulation could have broad damaging effects on vulnerability research and hinder American security companies' ability to compete.  

The proposed regulation is an update to the Wassenaar Arrangement of 1996, an international arms-control agreement between 41 countries. The original Arrangement did not cover "cyber weapons"; the updates are a broadly written effort to do that.

[Head to Las Vegas next month to see "How the Wassenaar Arrangements Export Control of Intrusion Software Affects the Security Industry," just added to the Black Hat schedule. Kim Zetter, senior writer for WIRED, will moderate a panel discussion with Collin Anderson, researcher for CDA.io, Dino Dai Zovi, mobile security lead at Square, Nate Cardozo, staff attorney for the Electronic Frontier Foundation, and Katie Moussouris, chief policy officer for HackerOne.]

The new rules would require U.S. companies to obtain licenses to export (or re-export or transfer) tools related to IP surveillance and the "generation, operation or delivery of, or communication with, 'intrusion software'" to anywhere outside the U.S. or Canada. The controls also apply to "information 'required for' developing, testing, refining and evaluating 'intrusion software,'" which could extend to vulnerability research as well as penetration testing. The U.S. Department of Commerce's Bureau of Industry and Security (BIS) has proposed to implement the rules, but is accepting public comments through July 20.

The timing is somewhat ironic, considering recent news that the United States government (the FBI) purchased surveillance and exploit tools from an Italian firm (Hacking Team); both countries are parties to the Wassenaar Arrangement.

American security companies -- particularly those that specialize in malware research and penetration testing -- would need to obtain a license to conduct some standard functions, like network monitoring and IP blocking, if working with clients outside the U.S. or Canada.

Because the export controls also apply to "information 'required for' developing, testing, refining, and evaluating 'intrusion software', in order, for example, technical data to create a controllable exploit," American companies would need to obtain licenses to share information with researchers outside the United States and Canada. However, there is an exemption for "technology or software that is made publicly available."

This could leave American companies even shorter on security talent, which is already in short supply. 

It could also have a stifling impact on vulnerability disclosure. Will the public disclosure exemption allow researchers to first privately disclose vulnerabilities to affected software vendors -- and perhaps earn a bug bounty for it -- before it goes public? Must all the data provided, including proof-of-concept code, be published in order for the exemption to apply?

The rule certainly would apply to tools like those sold by Hacking Team, but only if they were being sold by an American company. BIS may choose to implement the rules, but that does not mean that any other nation party to the Wassenaar Arrangement needs to do the same.

For all these reasons, U.S. security companies like Symantec, FireEye, and White Hat Security could be at a competitive disadvantage while they wade through red tape. This week, a group of them formed the Coalition for Responsible Cybersecurity to collectively oppose the proposed rules. 

“These rules, if they were adopted as they stand today, would put the entire U.S. cybersecurity industry—and everyone who relies on that industry for protection—at risk,” said Cheri McGuire, Vice President, Global Government Affairs & Cybersecurity Policy of Symantec Corporation in a release. “The rule as written is going to hurt cybersecurity research, slow innovation in cybersecurity technology, and put a damper on cybersecurity information sharing.”

Today, Katie Moussouris, chief policy officer for HackerOne and one of the former leaders of Microsoft's bug bounty program, urged the security community to submit their comments to BIS, in a piece she wrote for Wired.

"I personally believe that BIS and other regulators are sincere in their willingness to listen," wrote Moussouris. "It’s up to us to highlight points they may have overlooked or misunderstood."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
