Over the last several months, security researchers, private firms and some governmental organizations have expressed alarm at federal rules intended to prevent proliferation of offensive cyber tools. They worry the regulations would cripple the technologies and techniques companies and government agencies rely on to defend themselves against those same weapons while doing almost nothing to hamper potential attackers.
Officials in the Commerce and State departments, the two agencies with primary responsibility for the regulations, have not determined what their next steps will be other than to say there’s much more work to do before they issue a final rule.
At issue is U.S. participation in an international framework called the Wassenaar Arrangement, a 41-country pact initially devised in 1996 to control conventional weapons proliferation, then expanded in 2013 to cover “cyber weapons.”
When Commerce issued a proposed rule last summer to implement the agreement in the U.S., the government received 264 formal public comments. Many were withering critiques from industry and researchers who said the rules would do severe harm to cybersecurity research and information sharing.
“It is clear from the comments that the first version of the proposed U.S. rule to implement the Wassenaar control missed the mark, and the interagency continues to work through the concerns raised,” said Vann Van Diepen, the principal deputy assistant secretary for international security and nonproliferation at the State Department. “Fortunately, the cyber control is included on the least sensitive portion of the Wassenaar list. This provides us with substantial flexibilities we can employ in the process of implementing that control nationally, just as most other Wassenaar members have done in already having implemented the cyber control for over a year without apparent controversy.”
But substantial variance exists in how different countries have interpreted the arrangement, according to the companies who are subject to its rules.
The U.S. interpretation, as currently proposed, would require companies to apply for licenses from the Commerce Department any time they intended to “export” software or technology that can intrude into computer networks. The licensing requirement would also apply to any technology that can “communicate with” that type of software.
Critics say the Wassenaar rules are so broad that they would sweep in the penetration testing technologies federal agencies and private companies routinely use to check the cybersecurity of their own networks and could create a chilling effect for the development of a broad array of anti-hacking tools.
“This requirement to apply for and obtain licenses during critical, time-sensitive responses to security vulnerabilities, which may already be under active exploitation, creates an asymmetry that is to an attacker’s advantage. Unlike the defender, the attacker has few such constraints,” said Iain Mulholland, the vice president for engineering trust and assurance at VMware.
He said the licensing requirement would be especially troublesome for cybersecurity companies who operate across international boundaries, as virtually every security firm does. Much of their work involves identifying and detecting computer code that’s intended to exploit accidental security holes in a computing system’s operating system or the applications that run atop it.
“Exploit code is often key in accelerating the speed with which our engineers are able to understand the flaw and develop a patch to protect our customers. If a picture paints a thousand words, exploit code is our picture,” Mulholland said. “In one recent example, the security researcher was in Poland, his parent company in the Netherlands, the coordinating VMware incident response team was in the U.S. and Canada, and the team responsible for developing the security patch was in India. Under the new rules, we would have required multiple licenses: one from Poland to the Netherlands, from Poland to the U.S., from the Netherlands to the U.S., from the U.S. to Canada, and several more just to share information across cubicle walls between U.S. and non-U.S. persons based in the United States.”
Dr. Phyllis Schneck, the Homeland Security Department’s deputy undersecretary for cybersecurity and communications, said the proposed rule needs to be reexamined in light of the impact it might have on the government’s ability to coordinate responses to cyber incidents via its National Cybersecurity Communications Integration Center and the U.S. Computer Emergency Response Team.
“In this environment, researchers and developers need to be able to work together with alacrity,” she said. “We need to be able to work together at the very speed — and hopefully greater — than the speed at which our adversaries are working today. Our cybersecurity companies are global. Our government needs to work with other governments, and our adversaries work without lawyers. They have plenty of money and they have no boundaries. We need the ability to share threat information across the globe, which is the main thing our adversaries cannot do, and that’s the product set that our companies can build for us.”
But other experts from the cybersecurity industry said there’s little the U.S. can do on its own to change the portions of the new rules that they view as troublesome.
The main flaws, they said, are found not in the regulations Commerce and State proposed, but in the underlying international agreement the U.S. signed up for in 2013. Since the language is fairly broad, different nations’ implementing bodies have interpreted it in different ways, leading to confusion about what’s a “controlled” cyber weapon and what constitutes legitimate security research.
Also, the 41 countries who were concerned about conventional weapons proliferation in the 1990s don’t necessarily comprise the same countries who are of most interest when it comes to cyber matters, said Dean Garfield, the president and CEO of the Information Technology Industry Council.
“There are a number of nations that are a critical part of advancing cybersecurity that are not a part of the Wassenaar Arrangement, including Brazil, India and China,” he said. “So what do we do? Our recommendation is to go back and renegotiate those fatal defects. From our perspective, it’s truly an opportunity to exercise U.S. leadership, because there are a number of countries that are struggling with these same issues.”