Bureau of Industry and Security export restriction proposal and my comments below …
The Bureau of Industry and Security (BIS) proposes to implement the agreements by the Wassenaar Arrangement (WA) at the Plenary meeting in December 2013 with regard to systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software; software specially designed or modified for the development or production of such systems, equipment or components; software specially designed for the generation, operation or delivery of, or communication with, intrusion software; technology required for the development of intrusion software; Internet Protocol (IP) network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor. BIS proposes a license requirement for the export, reexport, or transfer (in-country) of these cybersecurity items to all destinations, except Canada. Although these cybersecurity capabilities were not previously designated for export control, many of these items have been controlled for their “information security” functionality, including encryption and cryptanalysis. This rule thus continues applicable Encryption Items (EI) registration and review requirements, while setting forth proposed license review policies and special submission requirements to address the new cybersecurity controls, including submission of a letter of explanation with regard to the technical capabilities of the cybersecurity items.
BIS also proposes to add the definition of “intrusion software” to the definition section of the EAR pursuant to the WA 2013 agreements.
Attention: United States Federal Industry & Security Bureau
Subject: Comment For Public Record
RE: BIS Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items
My company strongly advises against adoption of the proposed rule to include ‘intrusion software’ in the list of controlled exports.
We routinely interface as part of our practice with US domestic entities looking to manage the financial risks and direct economic impacts associated with information security and risk (infosec or cyber-security).
While it is important for the United States and its allies to maintain a leading posture in the field of cyber security the class of restrictions proposed will in my view have an entirely detrimental effect to that end. Additionally it will disproportionately disadvantage domestic commercial interest where such entities depend on publicly disclosed security information.
Unlike the vast majority of current commercial software vendors (which are primarily based domestically or within allied borders); the security community (both individuals and incorporated entities) is distributed evenly across the industrialized world.
The vast majority of anti-malware and anti-virus vendors (US based or otherwise) leverage research teams around the world in the most suitable labor markets. It is likely that markets outside the US export wall will become politically unreachable for US-based infosec vendors under a restricted export regime. This would both increase the cost of these mitigative products as well as reduce the efficacy.
It has already been proven by private industry that “taking vulnerabilities off the table” with commercial bug-bounty programmes is highly effective in increasing the overall security quality of otherwise vulnerable products. Commercial web properties and software vendors now depend on international support to support their security programmes and cannot maintain or improve their infosec postures independently.
Of those information security research community members based internationally many have voiced or otherwise indicated a disinterest in responsible disclosure under restrictive conditions. Security researchers are often motivated by perceived ethical or moral objectives in addition to financial reward; restricting information sharing to the greater international community makes responsible disclosure a less ethical choice when considering the impact to external communities. For these individuals or groups responsibly disclosing to US companies that are in turn restricted from sharing information; the black-markets for zero day vulnerabilities are an extremely profitable alternative.
Further, fragmenting the marketplace for security products and the knowledge-base of security vendors will undoubtedly hinder the overall security posture of both civilian and defense systems at home by degrading the overall quality and diversity of available tools and products.
I highly recommend the interested rule-making parties reconsider such attempts to classify cyber-security tools and knowledge of exploitation kits or methods as potential arms. While responsible researchers, vendors, and professionals will be handicapped by a limited ability to freely coordinate cross borders; nefarious actors will have no such restrictions and meet no resistance crossing borders digitally.
The only proven effective defense against information security threats is a strong investment in the strength of defenses. Do not weaken our security community.
Drafted 5/20/2015
Matthew Fisch
Chief Technology Officer
Kinetic Platforms Incorporated
Original: KPI_BIS_COMMENT_20150520.pdf
Update (July 30th 2015):
Positive response.
http://www.reuters.com/article/2015/07/29/us-software-exports-regulation-idUSKCN0Q32OQ20150729
http://www.theregister.co.uk/2015/07/30/us_to_rethink_wassenaar
ps, my letter scored “first post” status at the department of commerce.
