Industry warns proposed arms export rule will thwart basic cyberdefenses
A Department of Commerce proposal that aims to keep surveillance software out of the hands of repressive regimes may inadvertently harm the security industry and chill security research efforts.
The US government is currently considering tighter export controls on software – a move that could potentially reshape the American cybersecurity industry.
Draft regulations posted by the Department of Commerce’s Bureau of Industry and Security seek to ebb the flow of intrusion or surveillance technology to keep it from getting into the hands of rogue states and oppressive regimes.
While many in the security field agree with the intent, many also complain the draft rules are written without a full understanding of the nature of current security practices, research, and the global nature of the business. As a result, they say, the proposals are full of loopholes and ambiguities as well as wording that would treat even innocuous software as having military applications.
And as the Bureau of Industry and Security has tried to clarify the proposals, concerns among security practitioners and researchers only seem to grow, especially as the clock ticks down to the end of the public comment period for the proposal next month.
"There isn’t usually this much confusion around export control regulations," says Clif Burns, a lawyer who specializes in export regulations for the firm Bryan Cave LLP.
But confusion has been pervasive around the potential rules since the BIS first published a draft of how it would implement updates to the Wassenaar Arrangement, a 41-nation arms control pact. In 2013, the pact was updated to include surveillance technologies and since then member nations have worked to put those updates into effect. The BIS began the process of applying the changes in the US; the latest round of proposals is a continuation of that process.
At its core, the BIS proposal requires a bureaucratic licensing for technology that communicates with "intrusion software" – software designed to evade computer defense mechanisms and modify programs or data. Information about how to make or analyze intrusion software would need a license, too, but not the intrusion software itself.
Mr. Burns points out that many completely legitimate programs evade countermeasures. The Chrome Web browser, for example, automatically updates without asking users' permission. But those system messages are a rudimentary way computers prevent the installation of malicious software. If a copy of Chrome updated outside the US, that update is technically a piece of computer code communicating with a program that could meet strict definitions of intrusion software.
Could the BIS really mean to be casting such a wide net? That concern was eventually quelled when the BIS clarified some of its intentions for how it would apply the export proposals.
Many issues of clarity, says Burns, stemmed from the problematic definition of intrusion software – a definition that may be nonnegotiable, having been written during the Wassenaar Arrangement talks in December 2013.
Wassenaar is a suburb of The Hague in the Netherlands where an annual conference intended to curb the arms trade was first held in 1995. Each year, the group decides on export controls that each nation will apply. The Wassenaar nations decided to include surveillance software because of the growth in sales of that technology to oppressive regimes that used it to spy on dissidents. While the arrangement is nonbinding, Burns says it would be unlikely for the BIS to stray from the language of Wassenaar.
The threat to business
"These are hostile rules towards security engineers and researchers," says Dave Aitel, chief executive officer of the security firm Immunity Inc. “There's no other way to put it."
Immunity produces penetration-testing tools, software that helps companies find unpatched vulnerabilities in their networks. Immunity also offers information security training. Both offerings could become entangled in trade restrictions if the proposed export rules are put in place.
Because penetration-testing tools mimic hacking tools, BIS has suggested that some of Immunity's products such as Swarm and Canvas may now require additional licensing to export.
"The reality is that in over a decade, there's been only one public report of Swarm being used offensively, and one report that we received privately for Canvas being used offensively," says Mr. Aitel. "These tools are almost entirely used defensively by hundreds of companies – essentially the entire Fortune 500 for defensive protection."
It's not just companies that use penetration tests. Immunity’s customers include nations and utilities such as nuclear power plants. What's more, many of the company's sales are to overseas markets.
In fact, says Aitel, around 30 percent of Immunity’s business is foreign, which could take a serious hit depending on how BIS imposes Wassenaar on domestic companies.
But it's not just the company’s core business that could struggle; the proposal has the potential to make Immunity’s training business substantially more difficult to operate, too. Carrying a laptop that contains a prohibited software tool onto foreign soil – even if it’s never opened – counts as an export. Training foreign nationals on US soil is even considered an export.
Penalties for violating Wassenaar can be steep. A single failure to receive a proper export license can result in a 20-year prison sentence and $1 million fine. Aitel says that, for some companies, the burden of regulation might necessitate moving to a less restrictive country.
"That's one of the things that I assume every company is talking to their lawyers about if this passes," he says. “Imagine trying to sell a product, but you tell your customer, ‘I don't even know if you can buy this product. I don't know if the US government's going to let me ship it to you.’ How would you possibly sell that?"
Effect on research
The BIS has attempted to assuage concerns within the security research community that Wassenaar would not hinder their work.
But Katie Moussouris isn't quite sure. Ms. Moussouris is the chief policy officer of HackerOne, a company that runs bug bounty programs for some of the computer industry’s biggest names such as Yahoo, Twitter, Square, and Dropbox.
"The way that they wrote it,” she said, “they didn't really seem to understand how security research takes place or really how vulnerability disclosure takes place.”
Bug bounty programs offer rewards to researchers who turn over the new vulnerabilities they discover to the companies who would desperately like to fix them. These programs are seen as a necessity for keeping products more secure.
It doesn't appear that a particular bug – or flaw – would need an export license, but documentation on how to find bugs might. With a vibrant international security research community that often works together, Moussouris worries that researchers won’t continue collaborating across borders.
"If there's a delay because of having to apply for these export controls of maybe three months or more, it will be a lost opportunity for security researchers who may be battling the clock for claiming a bounty," she says.
But to Moussouris, what might damage security research the most is something familiar to the legal and business aspects security community – the ambiguity of the proposed rules when they were first announced.
“Whether or not it covers security research doesn't actually prevent security researchers from feeling threatened by it," she says. “Unless there is a very clear and protected safe harbor for security research, no matter what the United States says about how it's implementing the Wassenaar Arrangement is going to have a chilling effect on security research. It's going to potentially slow down the flow of vulnerability information to the organizations that need to use that information for defense."