U.S. Vuln Research, Pen Test Firms Protest Impending Export Controls

American security companies have the most to lose from new rules that would restrict the export of tools and information about network surveillance and 'intrusion software.'

Time is running out to register comments and complaints about proposed controls on the international export of "intrusion software" and data related to it. Critics in the security community say the regulation could have broad damaging effects on vulnerability research and hinder American security companies' ability to compete.

The proposed regulation is an update to the Wassenaar Arrangement of 1996, an international arms agreement between 41 countries. The original Agreement did not cover "cyber weapons"; the updates are a broadly written effort to do that.

[Head to Las Vegas next month to see "How the Wassenaar Arrangements Export Control of Intrusion Software Affects the Security Industry," just added to the Black Hat schedule. Kim Zetter, senior writer for WIRED, will moderate a panel discussion with Collin Anderson, researcher for CDA.io, Dino Dai Zovi, mobile security lead at Square, Nate Cardozo, staff attorney for the Electronic Frontier Foundation, and Katie Moussouris, chief policy officer for HackerOne.]

The new rules would require U.S. companies to obtain licenses to export (or re-export or transfer) tools related to IP surveillance and the "generation, operation or delivery of, or communication with, 'intrusion software'" to anywhere outside the U.S. or Canada. The controls also apply to "information 'required for' developing, testing, refining and evaluating 'intrusion software,'" which could extend to vulnerability research as well as penetration testing. The U.S. Department of Commerce's Bureau of Industry and Security (BIS) has proposed to implement the rules, but is accepting public comments through July 20.

The timing is somewhat ironic, considering recent news that the United States government (FBI) purchased surveillance and exploit tools from an Italian firm (Hacking Team); both countries are parties to the Wassenaar Agreement.

American security companies -- particularly those that specialize in malware research and penetration testing -- would need to obtain a license to conduct some standard functions, like network monitoring and IP blocking, if working with clients outside the U.S. or Canada.

Because the export controls also apply to "information 'required for' developing, testing, refining, and evaluating 'intrusion software', in order, for example, technical data to create a controllable exploit," American companies would need to obtain licenses to share information with researchers outside the United States and Canada. However, there is an exemption for "technology or software that is made publicly available."

This could leave American companies even shorter on security talent, which is already in short supply. 

It could also have a stifling impact on vulnerability disclosure. Will the public disclosure exemption allow researchers to first privately disclose vulnerabilities to affected software vendors -- and perhaps earn a bug bounty for it -- before it goes public? Must all the data provided, including proof-of-concept code, be published in order for the exemption to apply?

The rule certainly would apply to tools like those sold by Hacking Team, but only if they were being sold by an American company. BIS may choose to implement the rules, but that does not mean that any other nations party to the Wassenaar Agreement need to do the same.

For all these reasons, U.S. security companies like Symantec, FireEye, and White Hat Security could be at a competitive disadvantage while they wade through red tape. This week, a group of them formed the Coalition for Responsible Cybersecurity to collectively oppose the proposed rules. 

“These rules, if they were adopted as they stand today, would put the entire U.S. cybersecurity industry—and everyone who relies on that industry for protection—at risk,” said Cheri McGuire, Vice President, Global Government Affairs & Cybersecurity Policy of Symantec Corporation in a release. “The rule as written is going to hurt cybersecurity research, slow innovation in cybersecurity technology, and put a damper on cybersecurity information sharing.”

Today, Katie Moussouris, chief policy officer for HackerOne and one of the former leaders of Microsoft's bug bounty program, urged the security community to submit their comments to BIS, in a piece she wrote for Wired.

"I personally believe that BIS and other regulators are sincere in their willingness to listen," wrote Moussouris. "It’s up to us to highlight points they may have overlooked or misunderstood."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
