Stakeholders have warned the United States its proposed export controls on digital intrusion and surveillance technology for the international Wassenaar Arrangement are much too broad.
Legislators, industry officials, and open internet non-government organizations (NGO) warned the U.S. in July 20 comments for the Commerce Department’s Bureau of Industry and Security proposed export controls. The Commerce Department issued a proposed rule on May 20 to govern the export of intrusion software. The category of software was added to the list of controlled technologies by the Wassenaar Arrangement Plenary in 2013.
The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a multilateral export control regime established in 1996 to contribute to international security and stability by promoting responsibility and transparency in transfers of arms and dual-use technologies to prevent destabilizing accumulations. Participating counties operate through internal national policies to ensure certain technologies do not contribute to the development of military capabilities that undermine the groups’ goals.
A bipartisan group of legislators; Reps. Jim Langevin (D-RI), member of the House Committee on Homeland Security and the Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies; Committee Chairman Michael McCaul (R-Texas); David Schweikert, (R-Ariz.); and Ted Lieu (D-Calif.); wrote a comment to the department that “while we are sympathetic to BIS’ goals in implementing the 2013 additions, we are deeply concerned that the regulations could unintentionally weaken our security posture.”
“Unfortunately the agreed upon definition for intrusion software is quite broad, embracing a number of products that are solely intended for research.”
BIS’ proposed implementation, while recognizing potential problems, exacerbates it by drawing a misguided line between offensive and defensive cyber tools, the comment said. The representatives added the lack of a waiver of deemed export rules was another factor that “could have a chilling effect on research, slowing the disclosure of vulnerabilities and impairing our nation’s cybersecurity.”
Specifically, the comment highlights the treatment of zero-day and rootkit capabilities. Noting these terms are not defined by BIS, zero-day capabilities could be useful in assessing how a system responds to a novel threat beyond testing perimeter defenses, the comment said. Similarly, rootkits could be used to test vulnerabilities related to an operating system based on privilege escalation. “Any related demonstration code would necessarily be considered a rootkit.”
Langevin clarified in a statement that “The proposed rule could have unintended consequences, negatively impacting a number of products that are solely intended for research. The change would draw a misguided line between offensive and defensive cyber tools, and I fear it would weaken our nation’s cybersecurity and overall national security posture.”
The rule attempts to prevent export of tools with zero-day and rootkit capabilities, but it would also inhibit the comprehensive testing of risk management frameworks and cybersecurity evaluation. Additionally, applying the “deemed export” regime to intrusion software could impede research and disrupt the cyber reporting system.
Addressing the deemed export regime, Langevin added “even sharing vulnerabilities within a company would require licensing if a foreign national would come into possession of the exploit and American companies with international affiliates would be more open to attack.”
Eric Wenger, director of global government affairs for cybersecurity and privacy policy at Cisco Systems, Inc. [CSCO], agreed in another BIS comment.
Although the focus on limiting cross-border trafficking of weaponized software is well-intentioned, Wenger said “if implemented in its current form, the proposed rule would present significant challenges for security firms that leverage cross border teams, vulnerability research, information sharing, and penetration testing tools to secure global networks.”
Many of the activities needed to respond to cyber threats would be restricted to subject to onerous licensing requirements in the BIS rule were adopted, Wenger explained.
“It is unrealistic to expect that all of the resources necessary to secure complex networks will sit inside one country,” he said.
Further comments citing similar industry concerns were submitted by the Information Technology Industry Council and a coalition of industry organizations including the U.S. Chamber of Commerce, the Telecommunications Industry Association (TIA), Computer & Communications Industry Association, and National Foreign Trade Council.
A group of open technology and privacy NGOs agreed the BIS rules are over broad, making recommendations to focus the rule on human rights and foreign intelligence concerns that spurred the original Wassenaar Arrangement controls.
The comment by Access, the Center for Democracy & Technology, Collin Anderson, the Electronic Frontier Foundation, Human Rights Watch, and New America’s Open Technology Institute recommended that cybersecurity software be subject to a license exception TSU (Technology and Software – Unrestricted).
“A license exception for mass-market cybersecurity software will help ensure that the new control categories do not adversely affect the distribution of penetration testing tools, network security tools, or other categories of items that may be inadvertently caught by these controls,” the group said.
This exception would also address many of the deemed export and inter-company/university transfer issues that threaten an onerous burden on international companies and educational institutions, the NGOs said.
They explained mass-market software does not present the same level of threat to human rights as systems designed for and marketed to state-level actions. The NGO group noted the danger of state-level software in the case of Hacking Team, the Italian vendor of intrusion software recently hacked itself, exposing its alleged connections to countries with repressive policies and international sanctions against them like Sudan (Defense Daily, July 10).
Other narrowing rule changes the group proposed include creating a license exception for cybersecurity items that, while not qualifying for the previous exception, are exported to non-government ends users for defensive use; revising the licensing policy for items not included in above exceptions to tailor it specifically to human rights concerns and issuing clear guidance on terminology introduced in the text of the rule to minimize ambiguity.
The Wassenaar Arrangement currently has 41 participating states including the U.S., Australia, Canada, France, Germany, Italy, Japan, Mexico, Norway, Poland, South Korea, Russia, South Africa, Spain, Sweden, Turkey, and the United Kingdom.