A new interim final rule proposed Wednesday by the Commerce Department cracks down on the export of surveillance technologies and hacking tools used for malicious activities.
The aim of the export controls is to curb technology being misused to abuse human rights and to ensure that U.S. companies are not fueling authoritarian practices, according to a Wednesday statement.
The interim final rule from the Commerce Department’s Bureau of Industry and Security (BIS) - a bureau charged with advancing national security by ensuring an effective export control and treaty compliance system - establishes a license requirement for items “that can be used for malicious cyber activities” being sold to “countries of national security or weapons of mass destruction concern.”
“The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights,” said U.S. Secretary of Commerce Gina M. Raimondo in a statement. “The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities.”
Latest Negotiations in the Wassenaar Arrangement
The proposed export rule, first reported by the Washington Post, represents the BIS’s latest negotiations as part of the Wassenaar Arrangement. Formally established in 1996, the Wassenaar Arrangement is a voluntary export control regime made up of 42 countries that exchange information about the transfer of conventional weapons and dual-use goods. In 2013, Wassenaar Arrangement members added cybersecurity items - and how they should be licensed when crossing international borders - to the list.
An export rule subsequently proposed by BIS in 2015 described hardware and software controls on the command and delivery platforms for - and the development of - "intrusion software." The vague definition of “intrusion software” sparked concerns in the security industry, with critics saying this term could include legitimate tools that are commonly used in security research, such as penetration testing and network security tools.
Technology firms like Google also took issue with the initially proposed export controls, as well as the Electronic Frontier Foundation (EFF), who at the time said that the draft represented a “vague, overbroad, and contradictory set of rules that have the potential to chill legitimate research into security vulnerabilities that will keep data and devices secure from attacks.”
On the heels of this backlash, the U.S. returned to the WA in 2017 to negotiate changes to the text. Fast forward to this week, the BIS is publishing Wednesday’s interim final rule to implement these WA changes from 2017.
Interim Final Rule: Distribution of Licenses
The interim final rule incorporates several sweeping changes. The changes include tweaking the control language from “command and control” to specify control tools that can be used maliciously; specifying that the “development of intrusion software” does not include technology that is exchanged for vulnerability disclosure or cyber incident response; and specifying that rules regarding “software” generation, command and control, or delivery do not include providing basic software updates and upgrades.
According to the BIS, the interim final rule creates a new License Exception Authorized Cybersecurity Exports (ACE), which aims to avoid impeding legitimate cybersecurity research and incident response activities by authorizing exports of cybersecurity items, such as software designed for providing basic upgrades, as well as certain IP network surveillance products.
The restricted end users targeted by this interim final rule would include government end users “of countries of concern for national security reasons or those subject to an arms embargo,” according to the BIS. The rule also places restrictions in circumstances where the exporter knows that the item “will be used to affect the confidentiality, integrity or availability of information or information systems, without authorization by the owner, operator or administrator of the information system.”
“The modifications will allow for vulnerability disclosure and incident response to take place freely without having to apply for an export license, so that is very important,” said Katie Moussouris, founder and CEO of Luta Security. Moussouris participated in the discussions to officially update the language of the Wassenaar Arrangement in 2017, lending her technical expertise in security vulnerability disclosure and cyber incident response.
“In the explanation from the Commerce Department for this proposed rule, it's very clear to me that... they are honoring the hard won agreement for those defensive exemptions for vuln disclosure and for incident response,” she said.
Crackdown on Surveillance Tools
Surveillanceware tools have come under scrutiny over the past few years, particularly as they are utilized by law enforcement agencies. In 2019, WhatsApp and its parent Facebook filed a lawsuit against NSO Group, the Israeli maker of the Pegasus spyware tool used by governments globally, alleging that NSO Group operators created and used WhatsApp accounts that were leveraged to target victims with the malware.
Christoph Hebeisen, director of security intelligence research at Lookout, said the interim final rule represents a concerted effort to control advanced surveillance software - like Pegasus - without hindering defenses against cyber attacks.
“Since there is offensive software out there that is used to test the legitimacy of cyber defense systems, the new rules attempt to distinguish between that and legitimately invasive malware,” said Hebeisen. “Putting rules like this in place is a key step to limit the distribution of advanced surveillanceware. Past experience has shown that authoritarian governments are prone to using these capabilities against political enemies to devastating effect.”
Federal agencies are asking for public comment and will potentially make changes to the rules depending upon that feedback. These comments must be received within 45 days, and the rule will be effective in 90 days.
“The comment period is open for 45 days, and it's very important, if folks want to have something to say about the proposed rule, to get the written comments in as soon as possible,” said Moussouris. “The devil is in the details of the wording, so if anyone is unclear about the wording now would be a time to propose specific wording changes.”