With just three days left to comment on a controversial plan to stymie US exports of surveillance technology, many cybersecurity professionals are making their final pleas to kill the proposed trade restrictions.
While many in the security community agree in spirit with the plan from the Department of Commerce’s Bureau of Industry and Security to limit overseas sales of spyware, especially to oppressive regimes, they also say the recommended pact is so broad and vague that it could harm the entire cybersecurity industry.
"Cyber is a space that is borderless and global. The rule needs to be re-looked at given the global interconnectedness of the industry," says Cheri McGuire, vice president of government affairs and security policy at the security firm Symantec.
Rather than restricting the export of spyware itself, the current proposal restricts the export of information about malicious software, the command-and-control platforms used to operate it, and the tools used to develop it.
Many experts say the Commerce Department proposal is written so broadly that it would bar even carrying critical security software abroad to test global networks and would limit research collaboration between security labs in different countries. The department also warned that applications for a license to export technology that could be used for surveillance would be met with a presumption of denial, making it difficult for firms to get permission to do legitimate cybersecurity business overseas.
But if the policymakers at the Commerce Department go back to the drawing board, it's unclear what a replacement proposal would look like – and whether the security industry would like it any better.
The trade proposal resulted from the 41-nation Wassenaar Arrangement, which was originally intended to limit the sale of conventional weapons and was expanded in 2013 to include restrictions on malware sales. Europe has already implemented the new limitations.
Instead of coming up with a new draft, the Electronic Frontier Foundation's Nate Cardozo says he wants the US to reopen the initial discussions that led to the software restrictions with the Wassenaar negotiators. That way, says the EFF staff attorney, the agreement could focus on actual spyware and surveillance products instead of the components that make or control those technologies.
"What are they actually trying to control? Are they trying to control [the notorious spyware] FinFisher?" asks Mr. Cardozo, who recently filed a lawsuit against Ethiopia over its use of the FinFisher surveillance software. "Why don’t they go after export of that kind of software directly?"
The idea of banning software that exfiltrates – or steals – data without the users' knowledge is often cited as the utopian fix for the trade proposal. Sergey Bratus, a Dartmouth College computer science associate professor, originally suggested it in 2014 when the Bureau of Industry and Security first asked for comments on how it should impose the Wassenaar deal.
Cardozo says that comments he will submit Monday will urge the Department of Commerce to ease existing restrictions on exporting encryption technology alongside any rule to fight militarized spyware. Cardozo believes encryption would be a more successful measure to protect targets of repressive government surveillance.
"When I submit my comments about Wassenaar to the [Bureau of Industry and Security] on Monday,” he says, “the first point I will make is that if you think that this is a good idea, you have to remove cryptography from other export restrictions."
Restricting only exfiltration would assuage many concerns in the international community, says Ms. McGuire of Symantec, a founding member of the Coalition for Responsible Cybersecurity, which launched this week as a show of force against the BIS draft policy. Focusing on exfiltration, she says, reassures foreign governments that the US isn't withholding cybersecurity tools for its own gain.
But barring a complete renegotiation of the rule, McGuire says adding exemptions to BIS regulations for defensive cybersecurity products or research would appease many within the industry.
McGuire says BIS would have taken that approach if it had consulted the cybersecurity industry as a whole, as the National Institute of Standards and Technology did in preparing its recently released security best practices.
"Look at the NIST framework. It certainly went through a very lengthy process to ensure there were no consequences," she says.
Dave Aitel, chief technology officer at the security company Immunity Inc., suggests that BIS remove the presumption of denial and mandate licenses only for sales to hostile governments. But he isn’t convinced that any regulations, no matter how restrictive, would make much of an impact.
The recent data breach at Italian spyware seller Hacking Team proves his point, he says. It shows that Italy was willing to issue a “global license” to the company to distribute its surveillance software nearly anywhere, he says. If companies such as Hacking Team cannot be controlled by the regulations, how could the rules be effective at all, asks Mr. Aitel.
Though Aitel says the rules would not have much effect, he says modifying the proposal to something less “onerous” would be the end of a long struggle.
"I did not want my life to be consumed by Wassenaar for the past two years," he said. “But here we are. It’s an awfully important government process to have begun in such a broken way."