Federal regulators are looking to place tighter controls on the export of cyberweapons following the megabreaches against the Office of Personnel Management and countless retailers.
The Commerce Department wants to ensure that software that can attack a network — the kind that can break in, bypass encryption and steal data — can't be shipped overseas without permission. But the cybersecurity industry is up in arms.
Companies like Finfisher and Hacking Team sell computer code to governments, which in turn use it for nefarious purposes. According to human rights reports, government agencies in Bahrain, Turkmenistan, Ethiopia and the United Arab Emirates have used spyware to monitor and crack down on activists.
In response, leaders from about 40 countries got together in December 2013 in the small town of Wassenaar, Netherlands. The U.S. and Britain participated. So did Russia. China did not.
The countries agreed on principles to control the export of software that can be used for surveillance. To make those principles binding in the U.S., the Commerce Department proposed rules in May. The department did not respond to NPR's request for an interview.
Few Controls On Software
"These rules, these controls are a reaction to what we see in the press — stories about governments that are using these tools to spy on their citizens," says attorney Kevin King of Cooley LLP, which specializes in export controls.
Until now, U.S. regulation of software exports has been light.
If a U.S. tech company wants to ship a consumer game like Angry Birds to people in Senegal or India, King says, it doesn't need permission. If it wants to sell encryption software that scrambles and encodes a message, then "you have to give it some thought, but the hurdles are very low."
Compliance is easy, King says. There's a one-time registration form, a couple of pages long, and a relatively simple annual reporting requirement. Last year a subsidiary of Intel was fined $750,000 for exporting encryption software to China. But that's a rare event.
King says the proposed rules create a new and big burden for companies and researchers. For any software that could be used to break into a network or smartphone — whether or not it uses encryption — the creator has to apply for a license before exporting.
"You're going to be going in for every transaction, requesting permission to be able to release the software," he says.
Speed Bumps Could Hurt Defense
Critics say the problem is not simply, or even primarily, one of Big Government stepping on the toes of small business. It's that regulators are misunderstanding how security works in the world of software.
Katie Moussouris, chief policy officer of HackerOne, says code that can be used to break in can also be used to look for holes that need patching. It's dual use.
"If you want to make a comparison to physical weapons, a knife can be used to chop vegetables and it can be used to kill people," she says.
In practice, Moussouris says, bad guys aren't going to stop and ask for permission. So putting a public agency in the middle of private communication just slows down the good guys.
"Having any kind of speed bump to defense actually makes the entire Internet less safe for everyone," she says.
Pat Walsh, vice president of product management at Core Security, says even if regulators grant an export license under the new rules, "the months it takes to get a license may be as good as a denial — especially in an industry that has a need for real-time information sharing."
The Commerce Department rules may also require a company to get permission before sharing information with foreign employees — whether those employees are based in another country or working in the U.S. office.
Mark Kuhr, co-founder of the security firm Synack, says that would prevent his researchers in 37 countries from working together and helping clients.
"It does seem overly broad," he says. "I understand the intent, wanting to keep cutting-edge cybersecurity tools and stuff in the United States to make us more secure." But he says keeping the Internet safe takes lots of emails and secure chats between coders in different countries.
Monday is the last day for public comment on the proposed new rules by the Commerce Department.