Limiting 'Intrusion Software' ExportsPlan Aims to Foil Adversaries from Buying Zero-Day Exploits
A U.S. Department of Commerce proposal to restrict the export of so-called "intrusion software" to prevent foreign adversaries from acquiring zero-day exploits has raised concern in the developer community.
The agency earlier this week proposed export controls on intrusion software similar to those imposed on weaponry. In the proposed rule, the Commerce Department says intrusion software is being added to the list of technologies that could be used in warfare, as defined by an international pact known as the Wassenaar Agreement, a multilateral export control regime.
If adopted, the rule would require sellers of intrusion software to acquire an export license from the Commerce Department's Bureau of Industry and Security, a complex process in which the developer must first register the product with the government. Developers could face felony charges if they sell restricted software without an export license to buyers in most nations, with the exception of a handful of U.S. allies.
The proposed rule covers zero-day exploits and other vulnerabilities developers create and then sell, often to government agencies such as the National Security Agency and software manufacturers. The rule also says it would cover penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices. Some encryption products already require export licenses, including penetration testing tools that incorporate encryption.
Defining Intrusion Software
Intrusion software is defined in the proposed rule as software specially designed or modified to avoid detection by monitoring tools or to defeat proactive countermeasures of a computer or network-capable device, and that performs the following:
- Extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or
- Modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.
Thomas Rid, a professor at King's College in London, tweeted that the proposed regulation seems "too broad" and "could even damage cybersecurity."
Independent security researcher and software developer Adam Caudill offered a gloomy assessment of the proposal in a tweet: "If this is as bad as it sounds, the U.S.'s place in open crypto and data security research is dead."
Requiring export licenses for intrusion software is seen as harming independent developers and small and midsize firms, which, unlike large companies and defense contractors, lack legal resources to manage export licenses, says Collin Anderson, a computer scientist focused on Internet controls and human rights activist. "They don't have the expertise; they don't have the money to navigate this complex system," he says.
Expanding Rule's Coverage
Anderson says the original intent of the Wassenaar Agreement was to keep spying software out of the hands of oppressive regimes that used it to abuse their citizens. But he says the Commerce Department is interpreting the agreement too broadly, expanding the coverage to include offensive cyberweaponry. "All of a sudden, it changed from a scope of human rights to a scope of broader, cybersecurity interests in the United States," he says. "That is a huge and very weighty topic that these controls weren't designed to address."
The Commerce Department is seeking public comment on the proposed rule by July 20. The agency did not respond to a request to explain why the rule is necessary.