Zero-Day Exploits as Weapons

Members of the Wassenaar Arrangement, an export control association whose 41 member states exchange information on transfers of conventional weapons, have agreed to add technologies relating to “intrusion software,” to their control list.

US companies would require a license to export security technologies or information on newly discovered vulnerabilities. IT companies say new rules will stop international collaboration when fighting cyber threats and will significantly hurt global research.

The Bureau of Industry and Security (BIS) of the US Commerce Department supports a license requirement to export cybersecurity items to all destinations, except Canada. Although the technologies were not previously designated for export control, many items have been controlled for their “information security” functionality, including encryption and cryptanalysis, according to BIS.

Why BIS thinks regulating export of malicious code or “intrusion software” is necessary:

• It stops human rights abuses by preventing detection by monitoring tools, defeating “protective countermeasures,” or executing externally provided instructions
• Criminal organizations and repressive states cannot be sold surveillance software by US companies.

Here is the list of arguments Google has sent to BIS:

• “Rules are dangerously broad and vague.The proposed rules are not feasible and would require IT companies to request thousands of export licenses. Since Google operates in many different countries, the controls could cover our communications about software vulnerabilities, including: emails, code review systems, bug tracking systems, instant messages.
• You should never need a license when you report a bug to get it fixed.There should be standing license exceptions for everyone when controlled information is reported back to manufacturers for the purposes of fixing a vulnerability. This would provide protection for security researchers that report vulnerabilities, exploits, or other controlled information to any manufacturer or their agent.
• Global companies should be able to share information globally.If we have information about intrusion software, we should be able to share that with our engineers, no matter where they physically sit.
• Clarity is crucial.Navigating these controls shouldn’t be that complex and confusing. If BIS is going to implement the proposed controls, we recommend providing a simple, visual flowchart for everyone to easily understand when they need a license.
• These controls should be changed ASAP.The only way to fix the scope of the intrusion software controls is to do it at the annual meeting of Wassenaar Arrangement members in December 2015.”

The Electronic Freedom Foundation (EFF), which advocates for greater vigilance over the potential sale of specially developed surveillance tools to regimes that use technology to commit human rights abuses, said BIS had drafted “a vague, overbroad, and contradictory set of rules that have the potential to chill legitimate research into security vulnerabilities that will keep data and devices secure from attacks.”

“We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community. They would also hamper our ability to defend ourselves, our users, and make the web safer. It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure,” Google officials added.