In a recent post, Google said the newly proposed export controls on vulnerability research from the U.S. Commerce Department would make finding and reporting bugs much more difficult. Instead of protecting Internet users, the new rules might have the opposite effect and make the Web less secure overall.
The Wassenaar Arrangement is a multilateral export-control regime whose 41 member states coordinate controls on a wide range of goods, software, and technology, including, since 2013, "intrusion software." The U.S. proposal is the Commerce Department's attempt to implement those 2013 additions in its own export rules.
Yesterday was the final day for comments on the new export control proposals, and Google submitted its own comments to the United States Commerce Department's Bureau of Industry and Security (BIS).
In summary, Google's main suggestions on how to fix the proposed export control rules are the following:
- The rules should be less vague. Google operates in many countries, and the new rules could force it to obtain thousands of separate export licenses to cover every time its security engineers exchange vulnerability information across borders by email, in bug trackers and so on. BIS's FAQ says that information about vulnerabilities and their causes would not be controlled, but Google believes the text of the rules does not make that clear and may in fact cover such exchanges as well.
- Licenses to report bugs shouldn't be required. As written, the proposed rules would require researchers to obtain a license before they could even report a bug to the affected vendor. That alone shows how much harder the rules could make bug fixing: if reporting becomes that cumbersome, many researchers simply won't bother to report the bugs back to companies.
- Companies should be able to share information globally. Google believes its security employees should be able to share information about bugs with other Google employees wherever they are located. At a time when the White House has been pushing for more "cyber threat information sharing" with U.S. agencies such as DHS and the NSA, it is surprising to see the government also trying to restrict companies from sharing that information even internally. If the premise is that more sharing of threat information means better security, the new rules do exactly the opposite.
- The rules should be easier to follow. Google said that although it can afford a team of lawyers to read and evaluate the rules, the government should make them clear enough that anyone can understand them. The company said they should be as easy to follow as a flowchart.
- Rapid change is necessary. Google asked the government to pursue the necessary changes as soon as possible, at the annual plenary meeting of Wassenaar Arrangement members in December.
The recent Hacking Team breach showed why companies that sell zero-day vulnerabilities to the highest bidder, including oppressive regimes that then use the resulting tools to spy on dissidents and journalists, should be stopped. The sale of zero-day vulnerabilities that are then used to spy on or hack other individuals, organizations or governments should probably be banned outright. There is very little room to argue that such sales serve any "good" purpose.
Hacking Team's sale of surveillance and hacking tools should also make it clearer which kinds of companies need to be controlled and which don't. Not everyone who deals with zero-days is a bad actor, and the U.S. government's export control rules shouldn't treat them as if they were.
Otherwise, the government risks making the Web less secure for everyone, because researchers would be unable to talk to the companies whose software is vulnerable, or even to colleagues at the same company in another region, without first going through a strict licensing process.
The new rules also exempt sharing vulnerabilities with the NSA and its counterpart agencies in the other Five Eyes nations from the licensing requirement, which makes the whole effort to control zero-day vulnerabilities look rather hypocritical on the part of the U.S. government ("Do as I say, not as I do").
For those worried about NSA surveillance and hacking, things could get even worse if the only companies able to obtain such licenses are the ones that share zero-day vulnerabilities with the NSA. The White House recently criticized a similar plan from the Chinese government, yet it now seems willing to do much the same thing at home. This could make it seem that, once again, the U.S. government's "cyber" policies are not really about increasing everyone's security but about expanding its own surveillance capabilities, even at the expense of actual online security, as Google's comments suggest.