海角大神

Modern field guide to security and privacy

Cybersecurity pros make final push to quash proposed export restrictions

Instead of the Commerce Department plan to limit the export of surveillance technology, many industry professionals and experts want entirely new proposals. 


With just three days left to comment on a controversial plan to stymie US exports of surveillance technology, many cybersecurity professionals are making their final pleas to kill the proposed trade restrictions.

While many in the security community agree in spirit with the plan from the Department of Commerce's Bureau of Industry and Security to limit overseas sales of spyware, especially to oppressive regimes, they also say the recommended pact is so broad and vague that it could harm the entire cybersecurity industry.

"Cyber is a space that is borderless and global. The rule needs to be re-looked at given the global interconnectedness of the industry," says Cheri McGuire, vice president of government affairs and security policy at the security firm Symantec.

Rather than restrict the export of spyware technology, the current proposal restricts the export of information about malicious software, the command platforms to control it, and the tools to make it.

Many experts say the Commerce Department proposal is written in such a way that it would prevent even transporting critical security software for testing global networks and would limit research between security labs in different countries. The department also warned that applications for a license to export technology that could be used for surveillance would be met with a presumption of denial, making it difficult for firms to get permission to do legitimate cybersecurity business overseas.

The proposal is "well-intentioned, but has unintended consequences that must be addressed," said Eric Wenger, director of cybersecurity and privacy policy at Cisco, the world's largest maker of networking equipment.

But if the policymakers at the Commerce Department go back to the drawing board, it's unclear what a replacement proposal would look like, and whether the security industry would like it any better.

The trade proposal resulted from the 41-nation Wassenaar Arrangement, which was originally intended to limit the sale of conventional weapons and was expanded in 2013 to include restrictions on malware sales. Europe has already implemented the new limitations.

Instead of coming up with a new draft, the Electronic Frontier Foundation's Nate Cardozo says he wants the US to reopen the initial discussions that led to the software restrictions with the Wassenaar negotiators. That way, says the EFF staff attorney, the agreement could focus on actual spyware and surveillance products instead of the components that make or control those technologies.

"What are they actually trying to control? Are they trying to control [the notorious spyware] FinFisher?" asks Mr. Cardozo, who recently filed a lawsuit against Ethiopia over its use of FinFisher, a maker of surveillance technology. "Why don't they go after export of that kind of software directly?"

The idea of banning software that exfiltrates, or steals, data without the users' knowledge is often cited as the utopian fix for the trade proposal. Sergey Bratus, a Dartmouth College computer science associate professor, originally suggested it in 2014 when the Bureau of Industry and Security first asked for comments on how it should impose the Wassenaar deal.

Cardozo says that comments he will submit Monday will urge the Department of Commerce to ease existing restrictions on exporting encryption technology alongside any rule to fight militarized spyware. Cardozo believes encryption would be a more successful measure to protect targets of repressive government surveillance.

"When I submit my comments about Wassenaar to the [Bureau of Industry and Security] on Monday," he says, "the first point I will make is that if you think that this is a good idea, you have to remove cryptography from other export restrictions."

Restricting only exfiltration would assuage many concerns in the international community, says Ms. McGuire of Symantec, a founding member of the Coalition for Responsible Cybersecurity that launched this week as a show of force against the BIS draft policy. Focusing on exfiltration, she says, reassures foreign governments that the US isn't withholding cybersecurity tools for its own gain.

But barring a complete renegotiation of the rule, McGuire says adding exemptions to BIS regulations for defensive cybersecurity products or research would appease many within the industry.

McGuire says that approach would have been taken by BIS if it had consulted the cybersecurity industry as a whole, as the National Institute of Standards and Technology did in preparation for recently released security best practices.

"Look at the NIST framework. It certainly went through a very lengthy process to ensure there were no consequences," she says.

Dave Aitel, chief technology officer at the security company Immunity Inc., suggests the BIS remove the presumption of denial, and only mandate licenses for sales to hostile governments. But he isn't convinced that any regulations, no matter how restrictive, would make much of an impact.

The recent data breach at Italian spyware seller Hacking Team proves his point, he says. It shows that Italy was willing to issue a "global license" to the company to distribute its surveillance software nearly anywhere, he says. If companies such as Hacking Team cannot be controlled by the regulations, how could they be at all successful, asks Mr. Aitel.

Though Aitel says the rules would not have much effect, he says modifying the proposal to something less "onerous" would be the end of a long struggle.

"I did not want my life to be consumed by Wassenaar for the past two years," he said. "But here we are. It's an awfully important government process to have begun in such a broken way."
