Concerns About Proposed US Rules on Cybersecurity Products

Dr Cherian Samuel is Research Fellow at Manohar Parrikar Institute for Defence Studies and Analyses, New Delhi.
  • July 20, 2015

The United States has effectively used a mix of national export control laws and multilateral export control regimes to control and regulate the flow of technology that could be weaponised. The multilateral regimes include the Nuclear Suppliers Group (NSG), the Australia Group (AG) (covering chemical and biological technology), the Missile Technology Control Regime (MTCR) and the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. Given that these regimes come with many layers of red tape and bureaucratic oversight, the recent expansion of the Wassenaar Arrangement to cover surveillance and intelligence-gathering software has been met with concern in the information security community.

The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, as the name suggests, is an export control instrument established in 1996 and now agreed to by 41 participating states, with the objective of "promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies." This is done through two lists: 1) a Munitions List largely consisting of conventional military equipment; and 2) a Dual-Use Goods and Technologies List of items that can have both civilian and military uses, organised under categories ranging from avionics to navigation and propulsion.

While the Wassenaar Arrangement is well known in arms control circles, it has only recently become a source of turmoil in cybersecurity, after the US Bureau of Industry and Security (BIS) published proposed rules [1] applicable to cyber technologies. This followed from the expansion of the Wassenaar control lists in December 2013 to cover new "areas including surveillance and law enforcement/intelligence gathering tools and Internet Protocol (IP) network surveillance systems or equipment, which, under certain conditions, may be detrimental to international and regional security and stability." [2] That expansion was itself driven by pressure from human rights activists concerned about IP surveillance software being used to locate anti-government activists in authoritarian countries. Intrusion tools such as FinFisher, or the Remote Control System (RCS) sold by Hacking Team, had been found to have been used by oppressive regimes to locate anti-government protestors by tracing their digital footprints. According to campaigners, these companies operated completely in the dark and with no oversight, despite the fact that such tools could be reverse-engineered and proliferated easily once they fell into the hands of terrorists and criminals.

While the focus of the updated Wassenaar controls was on such surveillance products, the proposed BIS rules have been criticised for going beyond IP surveillance and placing greater emphasis on licensing the export of software classified as "intrusion software" and of exploits, as well as software that could conceivably go into the production of such tools. Violation of these rules could result in a 20-year jail term and a fine of USD one million. The software research community in the United States has been protesting against the proposed regulations since they were opened for public comment. Their objection is that the rules are so vague that even legitimate research into vulnerabilities could constitute a violation. This would have a chilling effect on such research and would in fact have the opposite of the intended effect, prolonging the life of vulnerabilities in software. Digital rights advocates such as the Electronic Frontier Foundation have highlighted the various anomalies in the BIS rules as well as in the subsequent explanatory notes and clarifications issued by the BIS. [3]

In point of fact, the BIS rules, if implemented, would deal a body blow to the entire security research ecosystem, affecting everything from bug bounty programmes to cross-border research on vulnerabilities. If anything, they would only make it more difficult for genuine security researchers to carry out legitimate work on defensive products while creating an underground market for offensive ones. The rules also create a problem for information security companies, some of which have as much as 70 per cent of their workforce outside the United States. [4]

As far as exploits are concerned, it has been pointed out that the National Security Agency has also been in the market for 0-days, and would effectively get free access to these exploits via the new rules, since the licensing process would put the technical details of each exploit in the government's hands. The rules would also have the intended or unintended effect of driving production of cybersecurity software into the hands of those who already have experience with export control rules, namely the large military equipment producers who are already buying out smaller companies in their quest to dominate the cybersecurity market.

It is not just US companies and researchers that are bothered by the new rules. As early as June 2014, the Indian government had formed an inter-ministerial panel to study the impact of the new rules on procurement of software and cybersecurity products. [5] The security of such products is affected by these rules even post-purchase, since even something as commonplace as the auto-updating of browsers could fall within the proposed definition of controlled intrusion software. There might well be a chilling effect on the procurement of cybersecurity products from US companies, given that a preliminary reading of the rules indicates that the source code of sensitive products would have to be examined by the relevant authorities prior to export. These are but a few of the issues that are of concern. While the government would raise these issues with the appropriate authorities, the rules are presently in a comment period that ends on 20 July 2015. It is hoped that Indian companies that will be affected by these rules, as well as information security professionals, have used the opportunity to raise their concerns. Equally, the BIS would be well advised to take these concerns on board and improve the rules before finalising them.

    Views expressed are of the author and do not necessarily reflect the views of the IDSA or of the Government of India