US plans to apply export controls to 0-days put out for comment

US proposals for export controls for zero-day vulnerabilities and malware have finally been pushed forward, re-opening the fault lines of a long-running argument among security experts in the process.

The proposals (pdf) from the US Department of Commerce would introduce the Wassenaar Arrangement (WA) – an international agreement forged in December 2013 – into US law.

The Bureau of Industry and Security (BIS) proposes to implement the agreements by the Wassenaar Arrangement (WA) at the Plenary meeting in December 2013 with regard to systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software; software specially designed or modified for the development or production of such systems, equipment or components; software specially designed for the generation, operation or delivery of, or communication with, intrusion software; technology required for the development of intrusion software; Internet Protocol (IP) network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor.

BIS proposes a license requirement for the export, reexport, or transfer (in-country) of these cybersecurity items to all destinations, except Canada. Although these cybersecurity capabilities were not previously designated for export control, many of these items have been controlled for their “information security” functionality, including encryption and cryptanalysis.

This rule thus continues applicable Encryption Items (EI) registration and review requirements, while setting forth proposed license review policies and special submission requirements to address the new cybersecurity controls, including submission of a letter of explanation with regard to the technical capabilities of the cybersecurity items. BIS also proposes to add the definition of “intrusion software” to the definition section of the EAR pursuant to the WA 2013 agreements.

The document, published on Wednesday (20 May), has been opened up for 60 days of comment. Some critics compare the measures to export controls on strong encryption and attempts to curtail the distribution of PGP back in the 1990s.

Others argue it may impede the development of Bug Bounty programmes, schemes increasingly adopted by vendors as a way of accelerating the discovery and remediation of security flaws, while offering researchers who find them payment for their efforts.

Although the rules apply to exports outside North America, provision to give Australia, the UK and New Zealand favourable treatment is already written into the draft rules. There's no suggestion that the rules will do anything to interfere with the Five Eyes intel agency alliance.

Christopher Soghoian, principal technologist at the ACLU, has done more than anyone to highlight concerns over the controversial exploit vulnerability marketplace the the US regulation might affect.

He's already come in for a bit of stick for "lobbying for export controls 2.0", but has yet to respond to that criticism or the US government's plans. Soghoian has previously likened the trade in exploits to a trade in weapons, an observation that's by no means alarmist when viewed from the point of view of those such as the ACLU, fighting spyware and other privacy-invading technologies.

The shadowy exploit vulnerability marketplace appears to be growing quickly, partly driven by interest in the use of previously unknown security vulnerabilities to develop exploits for cyber-weapons such as Stuxnet and Duqu. Governmental use of Trojans, exploits and hacking is growing and this is commonly directed at internal dissidents, as well as external targets. ®