A large group of security companies have formed a coalition to oppose the proposed rules from the Department of Commerce that would regulate the export of so-called intrusion software, a broad term that researchers and legal experts are concerned would limit security research and development.
The rules proposed by the department’s Bureau of Industry and Security in May have caused an uproar in the security community as researchers try to figure out the implications for their work. The key portion of the BIS rules, which implement the Wassenaar Arrangement among various countries to control the flow of certain commodities, is one that concerns the use and export of intrusion software. The rules define such tools as:
“Software ‘specially designed’ or modified to avoid detection by ‘monitoring tools,’ or to defeat ‘protective countermeasures,’ of a computer or network-capable device, and performing any of the following:
(a) The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or
(b) The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.”
The Coalition for Responsible Cybersecurity that has lined up to oppose the regulations includes WhiteHat, Synack, Ionic Security, FireEye, and others. They say that the regulations as they’re written now could prove harmful to security research.
“More than 70% of our cybersecurity researchers are from outside the United States but we will be barred from using their expertise,” said Jay Kaplan, CEO of Synack, “and this regulation could require our researchers in the United States to get a government license just to have more than a superficial conversation about new security vulnerabilities.”
The main concern among researchers is that they will not be able to collaborate with peers in other countries, sharing vulnerability and exploit information, without getting an export license. The Wassenaar Arrangement, which regulates this kind of research in European countries, has had some effects on researchers already. Two weeks ago, Grant Wilcox, a university student in the U.K., said that he had to remove some portions of his dissertation that included exploit code over concerns that they would violate the Wassenaar rules.
“Whilst it has impacted the release of my research it has not impacted my passion and I plan to continue researching such material as and when I feel like, though in an ideal world I would like clearer instructions so I can figure out how to do this appropriately (of which there seems to be some confusion),” Wilcox said in an email to Threatpost.
The BIS has opened up a public comment period on the proposed regulations, which ends July 20. The coalition says it plans to submit detailed comments to the BIS.
“This proposed rule is unacceptably restrictive and ambiguous, and it applies to an industry that has not been targeted in this way by export controls before. We would encourage the Department to reconsider in light of the negative consequences, however unintended, that would result from implementation of its current proposal,” said Adam Ghetti, CTO of Ionic Security.