Professional security researchers, already concerned about proposed changes to the Computer Fraud and Abuse Act (CFAA) that include stiff penalties for what today is considered legitimate offensive research, are worried about another impending punch to the gut.
The Commerce Department’s Bureau of Industry and Security (BIS) today made public its proposal to implement the controversial Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies in the U.S. In a computer security context, the agreement imposes export controls on certain dual-use technologies; for some, these rules harken back to the Crypto Wars of the ’90s. A 60-day comment period opens today and ends July 20.
Specifically, the BIS proposal seeks to regulate and control the export of what it calls intrusion software, providing a broad definition of such in the process, something that some researchers and experts fear could not only further chill legitimate vulnerability analysis, but also impact sales of some security software.
The newly defined term “intrusion software,” whose intent is to implement and enforce controls on the delivery of surveillance software such as FinFisher and the tools developed by Hacking Team (to name two examples), also seems to encompass commercial penetration-testing tools that include encryption.
“Vulnerability research is not controlled nor would the technology related to choosing, finding, targeting, studying and testing a vulnerability be controlled,” said Randy Wheeler, director of the BIS, today during a conference call. “The development, testing, evaluating and productizing of an exploit or intrusion software, or of course the development of zero-day exploits for sale, is controlled.”
Experts, as well as the BIS, hope that researchers will submit comments to the proposed rule inside the 60-day window.
The European Parliament implemented new language in Wassenaar, presented in December 2013, to stem the use by governments of targeted surveillance malware to spy on activists, journalists and others, which they said was a violation of their human rights.
“This was perhaps a way to stop companies like FinFisher and Hacking Team from being able to export targeted surveillance software to governments like Bahrain, which does not seem unreasonable to me,” said Electronic Frontier Foundation global policy analyst Eva Galperin. “But one of the things they did was write the language messily and broadly, and open to troublesome interpretation. It’s important to tread carefully.
“One of the biggest problems is that people who are writing this language are not security researchers and likely have a limited understanding of how security research is conducted and how threats and exploits are shared,” Galperin said. “This is why they have a comment period. What I would like the security community to understand is that this is the junction to step in and set them straight.”
Intrusion software, defined in Wassenaar, is:
“Software ‘specially designed’ or modified to avoid detection by ‘monitoring tools,’ or to defeat ‘protective countermeasures,’ of a computer or network-capable device, and performing any of the following:
(a) The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or
(b) The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.”
The proposed rules also identify network penetration testing products as intrusion software, especially those currently classified as encryption products.
“The definition is too broad. It includes the fundamental components of all vulnerability research in the definition, and will hinder the sharing and publication of important security research,” said Katie Moussouris, chief policy officer at HackerOne and former senior security strategist at Microsoft, where she was instrumental in developing the company’s numerous vulnerability bounties and awards for defensive technologies.
“The intent here is to regulate surveillance software, like FinFisher. Instead of focusing on data exfiltration, which is what FinFisher and other software like it does to the victim, these proposed definitions erroneously focus on the ‘intrusion’ piece,” Moussouris said. “That’s where it veers sharply off target, and onto controlling the wrong technology.”
Wheeler said BIS hopes to see particular comments on the impact on vendors due to the licensing burden that would accompany such controls. Also, within scope for comments is the impact on legitimate vulnerability research and software audits, Wheeler said.
“Vendors who make software that fall under these broad definitions will have additional overhead in applying for export licenses, potentially creating a trade disadvantage for US-based companies dealing with the burden of compliance,” said Moussouris. “This will favor larger companies who can absorb the overhead, also possibly affecting market competition and ultimately, innovation in US security technology could suffer.”
This is the second time this year that researchers are facing legislative and regulatory threats to legitimate offensive research.
In January, the Obama administration, in response to the damaging Sony hack and massive Target and Home Depot data breaches of late 2013 and 2014, turned its attention to the CFAA. Proposed amendments redefined what it means to exceed authorized access to a system, adding vagaries to the language that would put legitimate research in the crosshairs, while expanding its scope.
“Exceeds authorized access means to access a computer with authorization and to use such access to obtain or alter information in the computer (a) that the accesser is not entitled to obtain or alter; or (b) for a purpose that the accesser knows is not authorized by the computer owner.”
In addition, the CFAA amended its punishments, with stiffer penalties for those convicted of hacking, doubling some sentences while elevating other offenses to felonies.
“Researchers are already discouraged from discussing their tools and vulnerability research by existing laws like CFAA and DMCA in the U.S.,” Moussouris said. “The additional requirement of applying for an export license and having to share source code during the application process will discourage them further.”
The EFF’s Galperin, however, hopes that researchers pump the brakes on some of the early consternation.
“Some of the misconceptions come from a lack of understanding of what Wassenaar is, what it does and how it’s implemented,” she said. “A lot of people see these proposals and assume that now it’s law. At the end of 2013, Wassenaar made changes to the language that include limitations on and licensing requirements on the export of certain types of surveillance and intrusion equipment. It’s possible that language was not entirely clear, so obviously the security industry went wild and said it’s illegal to export exploits, that we are doomed. That’s absolutely not the case.
“Every country that signed on to Wassenaar (the U.S. included) had to implement this language in a way it felt the language was meant to be implemented. Now with the U.S., this is what the Department of Commerce thinks Wassenaar means, and this is how it proposes to change export rules to be in line with what Wassenaar says.”