The cybersecurity industry is up in arms over looming export regulations that researchers warn would crush important digital defense work and empower America’s foes.
The Commerce Department is moving to add restrictions on the export of hacking tools, worried that cyber crooks and repressive regimes are getting their hands on dangerous cyber sabotage tactics.
But the department’s proposal has been strongly rebuked by security researchers, who contend the rules could stunt growth in a burgeoning industry and weaken cybersecurity worldwide.
“We’re just going to have a much more holey world that could be ripe for exploitation by the bad guys,” said Lillian Ablon, a RAND Corp expert who has researched the intrusion software market.
The issue has even reached Capitol Hill, where Rep. Jim Langevin (D-R.I.), who co-chairs the Congressional Cybersecurity Caucus, spent Monday gathering signatures on a letter he was sending to Commerce that night, the deadline to submit comments on a draft rule.
“The proposed rule has a number of flaws that could detrimentally affect our national security,” the letter reads. “This could have a chilling effect on research, slowing the disclosure of vulnerabilities and impairing our nation’s cybersecurity.”
Commerce’s desired update would alter the language of the Wassenaar Arrangement, a little-known pact 41 countries have signed to control the export of weapons and so-called “dual-use” technologies that can be corrupted.
As world leaders are increasingly confronted with the possibility that hackers could take out a power grid or a nuclear power plant, officials have scrambled to try and stave off such a shattering digital assault.
Commerce believes the rule update would help.
It would require companies to obtain licenses when exporting the technology behind “intrusion software,” which is used to sneak into computer systems. Essentially, it would classify the technology as a potential weapon.
Almost instantly, the security community went into an uproar.
“You’ve completely destroyed vulnerability research,” exclaimed Adriel Desautels, founder of security firm Netragard.
As security specialists see it, the language is “very squishy,” Ablon explained. Researchers worry it would create a licensing requirement for “zero-day exploits,” software that takes advantage of undiscovered security weaknesses.
Zero-day flaws are often how digital intruders and cyber spies infiltrate computers, phones, private companies and government agencies. But uncovering and testing potential zero-days is also essential to any digital defense strategy.
“Our global research network leverages a lot of these tools to basically ethically hack a lot of our customers and tell them if they’re vulnerable to being attacked by a nefarious actor,” said Jay Kaplan, co-founder of the security firm Synack and a former National Security Agency cyber analyst.
Under Commerce’s desired rules, Kaplan fears that the 70 percent of his research team that is based outside the U.S. would be shut out.
“As written, it makes it pretty much impossible for them to engage unless we obtain an export license for pretty much every single one of these researchers in every specific scenario, which is not even feasible,” he said.
The government has tried to assure security experts it has no desire to regulate legitimate cyber stress tests.
“Vulnerability research is not controlled nor would the technology related to choosing, finding, targeting, studying and testing a vulnerability be controlled,” Randy Wheeler, who oversees technology controls for the Commerce Department’s Bureau of Industry and Security, said in May.
Regulators only want to control “the development, testing, evaluating and productizing of an exploit or intrusion software, or of course the development of zero-day exploits for sale,” he added.
It’s a muddled distinction without a difference, security specialists argue.
Studying and testing a vulnerability to prove it can be exploited is the same exact work required to develop zero-day exploits and intrusion software. The question is, how can one be controlled and the other not?
“The only difference between an academic proof of concept and a zero-day for sale is the existence of a price tag,” wrote the Electronic Frontier Foundation, a digital rights advocate, in a blog post.
The security community has banded together in protest.
Kaplan is part of a slate of companies that last week formed the Coalition for Responsible Cybersecurity, a single-issue group dedicated to talking Commerce down from its proposal.
“It’s going to hinder the ability of U.S. companies to compete overseas,” Kaplan said of the update. “I think it’s going to restrict some of the techniques that these tools employ to keep customers safe.”
Major digital adversaries such as China and Iran are also not part of the Wassenaar Arrangement, possibly creating a further imbalance.
“They’re going to have a major upper hand,” Desautels said, “because the flaws certainly exist everywhere, we just can’t use them now. We can’t touch them now.”
Just the specter of the rules has already spurred Desautels to alter his business strategy.
Netragard said late last week it was shuttering its division that sells zero-day exploits. Desautels explained that the looming proposal was “becoming a major distraction.”
Desautels also conceded that he was floored by the recent Hacking Team leaks, which exposed the controversial Italian surveillance firm’s connections to embargoed regimes such as Sudan and Russia.
Netragard once sold a zero-day exploit to the firm, Desautels said. Now he regrets it.
The leaks “proved that we could not sufficiently vet the ethics and intentions of new buyers,” he wrote.
That underscores the catch-22 facing regulators.
Everyone acknowledges that digital thieves and oppressive governments are using zero-day exploits to steal identities, track opponents and plan devastating cyberattacks. But there’s little consensus on how, or if, regulators can really tamp down on the flood of such exploits to the digitally destructive.
“I don’t know who they’re consulting with on the language, but they need to get some security researchers to help them,” said RAND Corp.’s Ablon.