Google Fights Export Controls For 'Intrusion Software' - InformationWeek

Google Fights Export Controls For 'Intrusion Software'

Proposed export rules could hobble cybersecurity research, Google claims.

Google on Monday asked the US Commerce Department to alter proposed rules that would restrict cyber security research.

The rules reflect US participation in the Wassenaar Arrangement, a multilateral export-control agreement that includes 41 countries. As it is not a formal treaty, it requires participating states to separately implement their own interpretation of the Arrangement.

Google's objection to the rules being considered in the US reflects unease over the addition of "intrusion software" to the list of goods subject to export limitations.

Intrusion software is defined as software designed or modified "to avoid detection by 'monitoring tools,' or to defeat 'protective countermeasures,' of a computer or network-capable device, and performing: a) the extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or b) the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions."

It specifically excludes: hypervisors, debuggers, or software reverse engineering (SRE) tools; digital rights management (DRM) software; asset-tracking software; and network-capable devices like mobile phones and smart meters.

Neil Martin, Google export compliance counsel, and Tim Willis, "hacker philanthropist" on the Chrome security team, in a July 20 blog post argue that the proposed rules, if adopted as presently written, would hinder open security research and limit the ability of organizations to find and fix security vulnerabilities in software.

"It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure," Martin and Willis write.

In a letter sent to the US Commerce Department's Bureau of Industry and Security (BIS), Google argues that the proposed rules are too broad and vague, requiring potential export licenses for email, code review systems, instant messages, and perhaps even in-person conversation, despite assurances to the contrary.

The rules, suggest Martin and Willis, could require an export license to report a bug and could limit the ability of companies to share information about intrusion software.

Jeffrey L. Vagle, executive director of the Center for Technology, Innovation, and Competition at the University of Pennsylvania Law School, said in a blog post earlier this month that the government's impulse to limit the flow of potentially dangerous software, while understandable, is fraught with difficulties.

Governments naturally want to control potentially dangerous technologies, Vagle contends, yet they also want to use these same technologies for intelligence and surveillance. The problem with this approach is that offensive and defensive cyber-security research often depend on each other.

The US government's proposed cure might just make its own networks, already compromised too often, less secure.

"Regulating offensive research through limits on international collaboration could very well make impotent an important component in our ongoing struggle to fix buggy code," Vagle wrote. "If the true goal is to maximize information security in our everted cyberspace, the better solution is one that incentivizes defense rather than arbitrarily punishes offense."

Vagle suggests liability for vulnerabilities would offer an incentive for greater defensive investment in software.

Google has requested that the Commerce Department address the problems with its rules at the annual meeting of Wassenaar Arrangement members in December.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

User Rank: Ninja
7/22/2015 | 11:23:50 AM
This is what lobbyists are for
And I doubt that Google is the only large tech company with concerns; so I figure it's time for Larry Page to start enlisting the aid of his fellow tech CEOs, to include the one in Redmond (it's amazing how quickly rivalries can be put aside on matters of common self-interest).
User Rank: Ninja
7/21/2015 | 7:16:07 AM
I imagine it's difficult for the politicians to know who to listen to with this debate. The people who don't want more regulation tend to know the most, but also stand to financially benefit the most if the legislation isn't implemented, so it probably seems like quite a biased opinion.

On the other hand, those calling for no more zero day exploits probably don't understand them well enough. 

I'll be watching the results of these debates closely though as the outcome could have a big impact on how secure we all are. 