Cybersecurity firms submitted their final comments to the Commerce Department before midnight Monday on a proposal to restrict exports of tech designed to test and detect hacker intrusions — a move companies and industry reps say will severely weaken global cybersecurity.
The Commerce Department’s Bureau of Industry and Security proposed implementing the multinational Wassenaar Arrangement in May. The rule change would amend the department’s Export Administration Regulations to limit the global sale of cyber surveillance and intrusion technology, and force companies to acquire a license to export the tech anywhere overseas with the exception of Canada.
Both the 2013 international agreement and Commerce’s proposal are intended to reduce the spread of weaponized software, but as companies including Cisco and Symantec have pointed out in the last week, the same technology is used in cybersecurity research to surveil and prevent attacks.
According to the Federal Register, the rule change applies to technology incorporating “encryption and cryptanalysis,” and requires manufacturers to register such products with Commerce. In some cases, companies would have to provide the source code for products in applications for export.
“Cisco needs access to the very tools and techniques that attackers use if we have any hope of maintaining the security of our products and services throughout their anticipated lifecycles,” Eric Wenger, Cisco’s director for cybersecurity and privacy, wrote in a blog post Monday.
“The development of new export control requirements must, therefore, be done carefully and based upon the needs of legitimate security researchers. Otherwise, we will leave network operators blind to the attacks that may be circulating in the criminal underground — and ultimately blind to the very weaponized software that the proposed rule intends to constrain.”
Symantec, FireEye, WhiteHat, Ionic Security, Synack, Global Velocity and others made similar criticisms last week with the launch of their new trade group, the Coalition for Responsible Cybersecurity.
“The current threat landscape requires real-time security analysis, testing and deployment of protections,” Cheri McGuire, Symantec’s vice president of global government affairs and cybersecurity policy, said in a statement from the group. “Asking a multinational corporation who is at risk of a cyberattack to wait months for a license to be able to test its network defenses, or to receive the latest protections because its security provider is hampered from communicating across borders, is downright dangerous.”
Activist organizations including the Electronic Frontier Foundation, the Center for Democracy and Technology, Human Rights Watch, New America Foundation’s Open Technology Institute and others jointly filed their own comments shortly before the deadline Monday night, and urged the department to tailor the rule more narrowly to keep exported tech out of the hands of repressive governments with a poor track record of surveilling citizens and violating privacy.
In its filing the group asked Commerce “to narrow application of the rule only to those circumstances that implicate the human rights and foreign intelligence concerns” and “reduce the likelihood of adverse effects on security research and practices.”
The NGOs went on to point out the export restriction’s relevance to another recent cybersecurity issue — requests by the FBI and other law enforcement agencies for back doors into consumer encryption products.
“There has long been apprehension about export controls among those in the technical community who remember the ‘Crypto Wars’ of the 1990s: an infamous battle over the broad and messy restrictions placed on cryptography exports,” the group recalled, adding that the rule should not limit the global community’s access to encryption products meant to safeguard privacy and security online.
“Although the United States has relaxed most limits on the export of encryption since 1999, further liberalization of encryption controls is still required and similar concerns about complexity and the risk of overreach with export controls should not be overlooked.”
Conservative tech policy think tank TechFreedom asked BIS in a Tuesday statement to “weigh the costs and benefits of its proposed rule, share that analysis in a public report,” and “seek public comment on both before issuing its final rule.”
“As with all regulation, intentions matter less than results,” TechFreedom President Berin Szoka said. “Restricting the sharing of cybersecurity technologies across borders is a double-edged sword. The intention is noble: to prevent repressive governments from acquiring technologies that can be used as instruments of cyberwarfare or to spy on and censor their own citizens.”
“It’s difficult, if not impossible, to restrict the sharing of offensive capabilities without restricting defensive capabilities, too. One person’s weapon is another’s countermeasure.”
The Commerce Department did not respond to a request for comment.