S Govt proposes to classify cybersecurity or hacking tools as weapons of war
Until now only when someone possessed a chemical, biological or nuclear weapon, it was considered to be a weapon of mass destruction in the eyes of the law. But we could have an interesting – and equally controversial – addition to this list soon. The Bureau of Industry and Security (BIS), an agency of the United States Department of Commerce that deals with issues involving national security and high technology has proposed tighter export rules for computer security tools – first brought up in the Wassenaar Arrangement (WA) at the Plenary meeting in December 2013. This proposal could potentially revise an international agreement aimed at controlling weapons technology as well as hinder the work of security researchers.
At the meeting, a group of 41 like-minded states discussed ways to bring cybersecurity tools under the umbrella of law, just as any other global arms trade. This includes guidelines on export rules for licensing technology and software as it crosses an international border. Currently, these tools are controlled based on their cryptographic functionality. While BIS is yet to clarify things, the new proposed rule could disallow encryption license exceptions.
At the meeting, a group of 41 like-minded states discussed ways to bring cybersecurity tools under the umbrella of law, just as any other global arms trade. This includes guidelines on export rules for licensing technology and software as it crosses an international border. Currently, these tools are controlled based on their cryptographic functionality. While BIS is yet to clarify things, the new proposed rule could disallow encryption license exceptions.
The new proposal is irking security researchers, who find exporting controls on vulnerability research a regulation of the flow of information. You see, these folks need to use tools and scripts that intrude into a protected system. If the proposal becomes a law, it will force these researchers to find a new mechanism to beat the bad guys.
As per the agreement, the new definition of ‘intrusion software’ refers to a tool which is capable of extraction or/and modification of data or information from a computer or network-enabled device. The modification also includes tweaking of the standard execution path of a program. In addition, the tool could also be designed to avoid detection by “monitoring tools” (software or hardware devices such as antivirus products that monitor system behaviors or processes running on a device). Tools including hypervisors, debuggers and others that are used for reverse engineering software won’t be considered as “intrusion software”.
Security items being exported to government users in Australia, Canada, New Zealand, or the UK – or the “Five Eyes" nations – would get some leeway and looser restrictions. This is because the intelligence agencies in these five nations collaborate closely. BIS is seeking comments on the proposed rule – available to all in the Federal Register – with a deadline of July 20, 2015.