Government has sought to allay misgivings of cybersecurity industry
As concern mounts about the security risks posed by overseas hackers, the US Commerce Department’s Bureau of Industry and Security (BIS) has published revisions to its ban on certain cybersecurity exports.
Disrupt, deny, degrade
“These items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it,” reads the new and final rule, published in the Federal Register and effective from May 26.
The export ban would therefore likely cover spyware such as Pegasus, developed by Israeli firm NSO Group and controversially used by authoritarian governments to surveil journalists, activists, politicians, and business executives.
The move brings the US into line with 42 other nations that are members of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.
An earlier version of the rule, published last year, introduced a new license exception for Authorized Cybersecurity Exports (ACE). This, included in response to cybersecurity industry concern, allowed the export, re-export, and in-country transfer of ‘cybersecurity items’ to most destinations.
As a result, under last year’s draft, it was agreed that a license would only be required for exports to countries where there are concerns about national security or weapons of mass destruction, as well as countries subject to a US arms embargo.
This final version, produced following a public consultation, includes some changes to this section. These include clarifying the definition of ‘government end user’, rewriting some of the text to make it clearer, and correcting wording that, says BIS, “inadvertently” widened the scope of exceptions.
There had previously been strong opposition from the cybersecurity industry, worried that the controls covered too broad a range of tools and technologies, that the red tape involved would hamper the work of good-faith hackers and bug bounty hunters, and that the restrictions on the development of intrusion software would hold back international cybersecurity research.
“This rule is meant to be a framework to understand and deter the export of cyber capability – mostly exploits, but also potentially TTPs, IOCs, et cetera – to governments in Country Group D,” Casey Ellis, founder and CTO of Bugcrowd, tells The Daily Swig.
“Export control is difficult enough with physical weapons – cryptographic export controls have already illustrated the idea that regulating export in the cyber domain is difficult, and the implementation of the Wassenaar Agreement to include cyber in the USA has been no exception.”
There are still some concerns about the rule, with a number of commenters on the draft suggesting that it presents compliance difficulties and isn't necessarily always clear – for example, on the question as to whether it would control cybersecurity incident detection and monitoring software.
BIS is attempting to deal with this through the regular publication of FAQs, and says it plans to provide more guidance over time.
“The good and clear thing here is that the BIS has listened to and actively worked to consider feedback from the security, research, and bounty hunter communities,” says Ellis.
“An important section to keep an eye on will be the scope of license requirements, which they’ve committed to outlining and maintaining through FAQs. These FAQs will ultimately dictate who is required to pursue licensing under the ruling, and who is carved out.”