Commerce Dept. Caves on Security Export Rules

Some proposed federal rules on the export of security tools created a tumult in cybersecurity circles — a tumult that’s pushed the rules into limbo.

The comment period for the rules, which the U.S. Department of Commerce first aired in May, ended July 20 — and although the regulations have noble intentions, they also could have dire consequences.

“We don’t believe we need these rules,” said Cheri McGuire, vice president for global government affairs and cybersecurity policy at Symantec.

“The Department of Commerce’s intention here is to prevent basic testing and technology tools and research from getting into the hands of nefarious individuals who may use it for criminal activity,” she told TechNewsWorld.

“But at the same time,” she continued, “it has the unintended consequence of preventing all of us who use these tools — and share vulnerability research in order to protect ourselves — from using these commercial technologies freely.”

The comments did not go unheeded.

“In light of the high volume of comments received, it is likely we will publish a second proposed rule,” department spokesperson Eugene Cottilli told TechNewsWorld. “We have no timetable for that action.”

Rules Too Broad

In proposing the new rules, the Commerce Department is cooperating with something called the “Wassenaar Arrangement” — a multilateral voluntary agreement supported by 41 nations and aimed at controlling certain dual-use technologies, such as guns, landmines and fissile material.

However, the list of controlled technologies in late 2013 was expanded to include surveillance systems. That was done largely in response to reports linking exports of Western surveillance technologies to human rights abuses in countries such as Bahrain, the UAE, Turkmenistan and Libya.

“Unfortunately, as always with these sorts of government-created restrictions, they can cast an extremely wide net with tremendous unintended consequences if they’re actually implemented,” said Richard Stiennon, chief research analyst at IT-Harvest.

That breadth of coverage will be harmful to two critical cybersecurity areas, maintained Mark Kuhr, CTO of Synack.

“They will eliminate our ability to innovate and perform research that’s necessary for us to stay ahead of our adversaries,” he told TechNewsWorld.

“The intent of the rules is good, but they should make them more narrow,” he added.

Tanks, Guns and Crypto

Ambiguity in the rules also will harm the cybersecurity industry.

“The ambiguity in the definitions used in these rules creates an extraordinary gray area which makes it difficult for independent researchers and small companies to determine what is included under the proposed controls, especially the technology category,” said Adam Ghetti, CTO of Ionic Security.

“It will have a disproportionate impact on those who are not well versed in export controls and do not have the resources to be able to comply with these complex and ambiguous rules,” he told TechNewsWorld.

That ambiguity could have a Hamlet effect in some quarters of the industry.

“It is not clear how technical or specific a discussion would have to be before it would be considered controlled technology — a level of uncertainty that would be sure to chill important activity in this area,” Ghetti explained.

This isn’t the first time the U.S. has tried to control cybersecurity tools. In the 1990s, the U.S. State Department tried to stop the export of strong encryption software by putting it on the International Traffic in Arms Regulations, along with chemical and biological weapons, tanks, heavy artillery and military aircraft.

“They put strong encryption on the ITAR schedule, and the unintended consequence was that vendors outside the U.S. got a stronger foothold in the technology space,” IT-Harvest’s Stiennon told TechNewsWorld.

“It was a disaster,” he added.

Won’t Affect Black Hats

There would be similar consequences if the Commerce rules were adopted as proposed, maintained Pat Clawson, CEO of the Blancco Technology Group.

“It would make companies massively less competitive from an antimalware perspective, because you get less of a global view,” he told TechNewsWorld.

The regulations also could worsen manpower problems in the industry.

“If the U.S. increases regulation with rules such as these, it will drive expertise to overseas countries — including those which are our national strategic competitors,” Ionic’s Ghetti said.

Worse yet, the rules may not address the problem they’re intended to address.

“The bad guys aren’t going to be applying for export licenses in order to use this technology, and those of us who need to use it for legitimate purposes are going to be handcuffed,” Symantec’s McGuire said.

Cybercriminals aren’t using off-the-shelf commercial solutions for their activity, added Ed Goodman, chief privacy officer at IDT911.

“What they’re using are open source solutions — stuff out there for free — and software and rootkits traded illicitly on the Dark Net or pirated versions of legitimate software,” he told TechNewsWorld.

“As with a lot of infosecurity issues to date, it’s just the government peeing in the ocean,” said Goodman. “Export controls aren’t going to be very effective in stopping Chinese or Russian hackers from using rootkits and getting access to U.S.-based systems.”

Breach Diary

  • July 20. U.S. appeals court reinstates lawsuit dismissed by a lower court stemming from 2014 data breach that compromised credit card data of 350,000 Neiman Marcus customers. Appeals court found there was still substantial risk of harm to consumers even though they were reimbursed for fraudulent charges by credit card issuers.
  • July 20. Michael Allen, a former patient at the UCLA Medical Center, files lawsuit seeking class action in a California state court alleging facility failed to adequately protect patient information compromised in data breach acknowledged by the university July 17.
  • July 20. Microsoft releases emergency patch to address vulnerability in Windows revealed in the Hacking Team data breach. Flaw allows attacker to gain control of a system through a specially crafted document or an infected Web page.
  • July 20. Ashley Madison, an extramarital affair website, offers free deletion of profiles following data breach that compromised information of its 37 million users.
  • July 21. Among four people U.S. authorities arrested in Israel and Florida for stock manipulation are some believed to be tied to computer hacks of JPMorgan Chase and other financial institutions which compromised tens of millions of accounts, USA Today reports.
  • July 21. Costco, Rite Aid and Sam’s Club join Walmart and CVS in taking down photo websites serviced by Staples-owned PNI Digital Media due to data breach.
  • July 21. Amherst, Massachusetts, begins notifying some of its online bill payers that their information may have been stolen in a data breach.
  • July 23. AppRiver reports that spam volumes for the 2015 second quarter exceeded 80 percent. That contrasts with an earlier report from Symantec that pegged volumes at 49.7 percent.
  • July 24. Chrysler recalls 1.4 million vehicles following demonstration that hackers could gain unauthorized remote control of the cars through its UConnect system.
  • July 24. Medical Informatics Engineering, of Fort Wayne, Indiana, announces it has reset the passwords of all its users following a data breach that may have compromised personal information stored on its systems.

Upcoming Security Events

  • Aug. 1-6. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before June 6, US$1,795; before July 25, $2,195; after July 24, $2,595.
  • Aug. 4-5. B-Sides Las Vegas. Tuscany Hotel and Casino, 255 E. Flamingo Rd., Las Vegas, Nevada. Free.
  • Aug. 6-9. Defcon 23. Paris Las Vegas, 3655 S. Las Vegas Blvd., Las Vegas, Nevada, and Bally’s, 3645 S. Las Vegas Blvd., Las Vegas, Nevada. $230, cash only at the door.
  • Aug. 24-25. Gartner Security & Risk Management Summit. Hilton Hotel, 488 George St., Sydney, Australia. Registration: prior to June 27, AU$2,475; after June 26, AU$2,875; public sector, AU$2,375.
  • Sept. 12. B-Sides Augusta. GRU Harrison Education Commons Building, 1301 R.A. Dent Blvd., Augusta, Georgia. Free.
  • Sept. 16. ISMG Data Breach Prevention and Response Summit. The Westin San Francisco Airport, 1 Old Bayshore Highway, Millbrae, California. Registration: $695.
  • Sept. 16-17. SecureWorld Detroit. Ford Motor Conference & Event Center, Detroit. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 18. B-Sides Cape Breton. The Verschuren Centre, Cape Breton University, Sydney, Nova Scotia, Canada. Free.
  • Sept. 22-23. SecureWorld St. Louis. America’s Center Convention Complex, St. Louis. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 28-Oct. 1. ASIS 2015. Anaheim Convention Center, Anaheim, California. Through May 31: member, $895; nonmember, $1,150; government, $945; student, $300. From June 1 through Aug. 31: member, $995; nonmember, $1,250; government, $1,045; student, $350. From Sept. 1 through Oct. 1: member, $1,095; nonmember, $1,350; government, $1,145; student, $400.
  • Oct. 2-3. B-Sides Ottawa. RA Centre, 2451 Riverside Dr., Ottawa, Canada. Free with registration.
  • Oct. 6. SecureWorld Cincinnati. Sharonville Convention Center, 11355 Chester Rd., Sharonville, Ohio. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 9-11. B-Sides Warsaw. Pastwomiasto, Anders 29, Warsaw, Poland. Free with registration.
  • Oct. 12-14. FireEye Cyber Defense Summit. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Registration: before Sept. 19, $1,125; after Sept. 18, $1,500.
  • Oct. 15. SecureWorld Denver. The Cable Center, 2000 Buchtel Blvd., Denver, Colorado. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 28-29. SecureWorld Dallas. Plano Centre, 2000 East Spring Creek Parkway, Plano, Texas. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Nov. 4. Bay Area SecureWorld. San Jose Marriott, 301 South Market St., San Jose, Calif. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Nov. 11-12. Seattle SecureWorld. Meydenbauer Center, 11100 NE 6th St., Bellevue, Wash. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
