U.S. Vuln Research, Pen Test Firms Protest Impending Export Controls

  /     /     /  
Publicated : 22/11/2024   Category : security

U.S. Vuln Research, Pen Test Firms Protest Impending Export Controls


American security companies have the most to lose from new rules that would restrict the export of tools and information about network surveillance and intrusion software.


Time is running out to register comments and complaints about proposed controls on the international export of intrusion software, and data related to it. Critics in the security community say the regulation could have broad damaging effects on vulnerability research and hinder American security companies ability to compete.  
The proposed regulation is an update to the Wassenaar Arrangement of 1996, an international arms agreement between
41 countries
. The original Agreement did not cover cyber weapons; the updates are a broadly written effort to do that.
[Head to Las Vegas next month to see
How the Wassenaar Arrangements Export Control of Intrusion Software Affects the Security Industry,
just added to the Black Hat schedule. Kim Zetter, senior writer for WIRED will moderate a panel discussion with Collin Anderson, researcher for CDA.io, Dino Dai Zovi, mobile security lead at Square, Nate Cardozo, staff attorney for the Electronic Frontier Foundation, and Katie Moussouris, chief policy officer for HackerOne.]
The new rules would require U.S. companies to obtain licenses to export (or re-export or transfer) tools related to IP surveillance and the generation, operation or delivery of, or communication with, intrusion software to anywhere outside the U.S. or Canada. The controls also apply to information required for developing, testing, refining and evaluating intrusion software, which could extend to vulnerability research as well as penetration testing. The U.S. Department of Commerces Bureau of Industry and Security (BIS) has proposed to implement the rules, but is
accepting public comments through July 20
.
The timing is somewhat ironic, considering
recent news
that the United States government (FBI) purchased surveillance and exploit tools from an Italian firm (Hacking Team); both countries are parties to the Wassenaar Agreement.
American security companies -- particularly those that specialize in malware research and penetration testing -- would need to obtain a license to conduct some standard functions, like network monitoring and IP blocking, if working with clients outside the U.S. or Canada.
Because the export controls also apply to information required for developing, testing, refining, and evaluating intrusion software, in order, for example, technical data to create a controllable exploit, American companies would need to obtain licenses to share information with researchers outside the United States and Canada. However, there is an exemption for technology or software that is made publicly available.
This could leave American companies even shorter on security talent, which is already in short supply. 
It could also have a stifling impact on vulnerability disclosure. Will the public disclosure exemption allow researchers to first privately disclose vulnerabilities to affected software vendors -- and perhaps earn a bug bounty for it -- before it goes public? Must all the data provided, including proof-of-concept code, be published in order for the exemption to apply?
The rule certainly would apply to tools like those sold by Hacking Team; but only if they were being sold by an American company. BIS may choose to implement the rules, but that does not mean that any other nations party to the Wassenaar Agreement need to do the same.
For all these reasons, U.S. security companies like Symantec, FireEye, and White Hat Security could be at a competitive disadvantage while they wade through red tape. This week, a group of them formed the
Coalition for Responsible Cybersecurity
to collectively oppose the proposed rules. 
“These rules, if they were adopted as they stand today, would put the entire U.S. cybersecurity industry—and everyone who relies on that industry for protection—at risk,” said Cheri McGuire, Vice President, Global Government Affairs & Cybersecurity Policy of Symantec Corporation in a release. “The rule as written is going to hurt cybersecurity research, slow innovation in cybersecurity technology, and put a damper on cybersecurity information sharing.”
Today, Katie Moussouris, chief policy officer for HackerOne and one of the former leaders of Microsofts bug bounty program, urged the security community to submit their comments to BIS, in
a piece she wrote for Wired
.
I personally believe that BIS and other regulators are sincere in their willingness to listen, wrote Moussouris. It’s up to us to highlight points they may have overlooked or misunderstood.

Last News

▸ ArcSight prepares for future at user conference post HP acquisition. ◂
Discovered: 07/01/2025
Category: security
▸ Samsung Epic 4G: First To Use Media Hub ◂
Discovered: 07/01/2025
Category: security
▸ Many third-party software fails security tests ◂
Discovered: 07/01/2025
Category: security


Cyber Security Categories
Google Dorks Database
 		Exploits Vulnerability
 		Exploit Shellcodes

CVE List
 		Tools/Apps
 		News/Aarticles

Phishing Database
 		Deepfake Detection
 		Trends/Statistics & Live Infos



Tags:
U.S. Vuln Research, Pen Test Firms Protest Impending Export Controls