Many of you may have heard about the recent debate regarding the U.S. Department of Commerce’s proposed rule to implement the Wassenaar Arrangement 2013 plenary agreement on intrusion and surveillance software (RIN 0694-AG49), as published in 80 Fed. Reg. 28853 on May 20, 2015. The SAFECode community recognizes that the proposed rule was originally meant to protect human rights and national security. Unfortunately, as written, the rule would in practice require a bevy of new export licenses for legitimate testing tools and for the sharing of research information beyond U.S. and Canadian borders. This will have negative consequences for the cybersecurity industry by stifling legitimate vulnerability research, as well as limiting a company’s ability to conduct penetration testing to protect its own networks and those of its customers.
It is difficult to distinguish between “good” and “malicious” security tools – from a technical standpoint they are identical. For instance, a vulnerability assessment tool can be used for both legitimate and illegitimate purposes. There are immense security benefits that come from the software industry’s legitimate use of such tools to test for vulnerabilities within their own software products, systems, and networks. It is also important to note that attackers will not be bound by this rule and will still misuse technology to break into software and networks. This creates a very dangerous dynamic.
Today’s cyber threats require real-time analysis, testing and deployment of protections. For a multinational corporation to wait months for a license in order to conduct penetration tests on its own networks, or to not receive the latest protections because its security provider is waiting for licenses before it can share vulnerability and exploit information across borders, is untenable and increases the risk for the entire internet ecosystem.
In addition, many U.S.-based global companies employ foreign nationals working at home and abroad. This international workforce requires effective and efficient collaboration related to vulnerability and other cyber security research. This research and engineering is facilitated by the legitimate use of security tools, the result of which is accelerated progress critical to modern and safe IT environments. The proposed rule, as written, would require a company to get an individual license to share technical information with its non-U.S. nationals, slowing important cyber threat information exchanges. Companies and other organizations must aggressively defend themselves against cyber attacks and react to such attacks effectively in near-real-time. Delaying such collaborative processes, techniques, and related tools will have negative consequences on legitimate software vendors and their customers, leaving individuals and customers vulnerable to cyber attacks – quite the opposite of what the Wassenaar rule proposal is trying to address.
As the recent spike in security-related breach activities has demonstrated, companies must continuously test their software and networks, while consistently updating their cyber defenses. In fact, nearly one million new malware variants were created every day last year. The days of a software vendor shipping a product on a CD once every few years are long gone. Cyber attackers are becoming more and more sophisticated, leapfrogging the defenses of organizations of all sizes. Given the fast-paced, rapidly advancing field of software security and related technologies, modern software relies heavily on short development and release cycles and frequent software updates.
In such fast-paced environments, development teams need to move quickly in order to address any newly surfaced security concerns. Using legitimate and appropriate security testing methods and tools, as well as properly collaborating with employees and vendors who are tasked with any related development, testing, and deployment activities, is a fundamental and integral part of a sound software development process and lifecycle. Ultimately, under the proposed regulatory regime, vulnerabilities will go unfixed for longer periods of time, leaving customers exposed and at much greater risk of a breach of their networks.
The scope and impact of this rule go much further than just the cyber security industry. Certain customers of cyber security vendors and their associated industries are legally required to conduct penetration testing, and other industries have implemented testing as part of their industry standards. Developing and implementing these tests would potentially be caught up in this licensing requirement. Impacted industries include financial services, healthcare, energy, and power generation, to name just a few.
Under the proposed rule, companies using testing tools and processes to comply with regulatory requirements and industry standards will need to implement costly and time-consuming changes to their internal compliance programs in order to obtain the necessary export licenses. The unintended consequence is significantly increased risk to critical infrastructure both in the U.S. and worldwide.
Examples of industry regulatory guidelines that include references to penetration testing are:
- The Federal Financial Institutions Examination Council (FFIEC)
- The Payment Card Industry (PCI) Data Security Standard (DSS)
- The North American Electric Reliability Corporation (NERC)
- The National Electric Sector Cybersecurity Organization Resource (NESCOR)
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Lastly, information sharing would also be severely hampered. The rule would restrict the security community from sharing information about vulnerabilities and exploits with security professionals outside the U.S. and non-U.S. nationals inside the U.S. without first obtaining an export license. The rule will do little to stop illicit hacking and intrusions, and instead will restrain legitimate security companies and researchers from continuing to effectively innovate and provide protections. Ultimately, this will put people, businesses, and governments at greater risk of cyber attacks.
We strongly encourage the U.S. Commerce Department to reconsider the implementation of this rule and hope they will return to Wassenaar in 2016 to renegotiate an agreement that will not have such harmful effects on global cybersecurity.
About the Authors: Howard A. Schmidt is Executive Director of SAFECode. Edward Bonver is Symantec’s representative on the SAFECode Board of Directors.