Commerce Department: Tighter Controls Needed For Cyberweapons

Jul 20, 2015
Originally published on July 20, 2015 9:18 pm

Federal regulators are looking to place tighter controls on the export of cyberweapons following the megabreaches against the Office of Personnel Management and countless retailers.

The Commerce Department wants to ensure that software that can attack a network — the kind that can break in, bypass encryption and steal data — can't be shipped overseas without permission. But the cybersecurity industry is up in arms.

Companies like Finfisher and Hacking Team sell computer code to governments that in turn use it for nefarious purposes. According to human rights reports, government agencies in Bahrain, Turkmenistan, Ethiopia and the United Arab Emirates have used spyware to monitor and crack down on activists.

In response, in December 2013 the roughly 40 member states of the Wassenaar Arrangement (a multilateral export-control pact named for the Dutch town where it was founded) met to update the arrangement's control lists. The U.S. and Britain are members. So is Russia. China is not.

The members agreed to control the export of intrusion software and network surveillance tools. To make those controls binding in the U.S., the Commerce Department proposed implementing rules in May 2015. The department did not respond to NPR's request for an interview.

Few Controls On Software

"These rules, these controls are a reaction to what we see in the press — stories about governments that are using these tools to spy on their citizens," says attorney Kevin King of Cooley LLP, which specializes in export controls.

Until now, U.S. regulation of software exports has been light.

If a U.S. tech company wants to ship a consumer game like Angry Birds to people in Senegal or India, King says, it doesn't need permission, so long as the game doesn't use encryption. If it wants to sell software that encrypts messages, then "you have to give it some thought, but the hurdles are very low."

Compliance is easy, King says. There's a one-time registration form, a couple of pages long, and a relatively simple annual reporting requirement. Last year a subsidiary of Intel was fined $750,000 for exporting encryption software to China. But that's a rare event.

King says the proposed rules create a new and big burden for companies and researchers. For any software that could be used to break into a network or smartphone — whether or not it uses encryption — the creator has to apply for a license before exporting.

"You're going to be going in for every transaction, requesting permission to be able to release the software," he says.

Speed Bumps Could Hurt Defense

Critics say the problem is not simply, or even primarily, one of Big Government stepping on the toes of small business. It's that regulators are misunderstanding how security works in the world of software.

Katie Moussouris, chief policy officer of HackerOne, says code that can be used to break in can also be used to look for holes that need patching. It's dual use.

"If you want to make a comparison to physical weapons, a knife can be used to chop vegetables and it can be used to kill people," she says.

In practice, Moussouris says, bad guys aren't going to stop and ask for permission. So putting a public agency in the middle of private communication just slows down the good guys.

"Having any kind of speed bump to defense actually makes the entire Internet less safe for everyone," she says.

Pat Walsh, vice president of product management at Core Security, says even if regulators grant an export license under the new rules, "the months it takes to get a license may be as good as a denial — especially in an industry that has a need for real-time information sharing."

The Commerce Department rules may also require a company to get permission before sharing controlled information with foreign-national employees, whether those employees are based in another country or working in the U.S. office. Under U.S. export rules, releasing controlled technology to a foreign national inside the U.S. counts as a "deemed export" and is treated like a shipment abroad.

Mark Kuhr, co-founder of the security firm Synack, says that would prevent his researchers in 37 countries from working together and helping clients.

"It does seem overly broad," he says. "I understand the intent, wanting to keep cutting edge cybersecurity tools and stuff in the United States to make us more secure." But he says keeping the Internet safe takes lots of emails and secure chats between coders in different countries.

Monday is the last day for public comment on the proposed new rules by the Commerce Department.

Copyright 2015 NPR. To see more, visit http://www.npr.org/.

Transcript

DAVID GREENE, HOST:

Let's hear now about the U.S. government's effort to control the export of weapons - cyberweapons. There have been some high-profile hacks this year against Anthem Insurance and also the Federal Office of Personnel Management. And one thing we learned from them is how software can be used to attack a network. The Department of Commerce is considering one solution - changing the rules to prevent this kind of software from being exported without permission. As NPR's Aarti Shahani reports, this has the cybersecurity industry up in arms.

AARTI SHAHANI, BYLINE: Companies with names like FinFisher and Hacking Team sell computer code to repressive governments, who, in turn, use it for not-so-good.

(SOUNDBITE OF NEWS SHOW)

UNIDENTIFIED REPORTER: The Bahraini government is accused of using surveillance software from a U.K.-based company to spy on a leading rights activist.

SHAHANI: According to human rights reports, agencies in Bahrain, Turkmenistan, Ethiopia, the United Arab Emirates have monitored activists using spyware.

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED WOMAN: This is turning into a global phenomenon, and it's run by the private sectors...

SHAHANI: In response, back in December 2013, leaders from about 40 countries got together in a small town in the Netherlands. It's called Wassenaar. The U.S. and U.K. were there. So was Russia. China was not. The countries agreed on principles to control the export of software that can be used for surveillance. To make those principles binding in the U.S., in May, the Department of Commerce proposed rules. The agency did not respond to NPR's request for interview.

KEVIN KING: These rules, these controls are a reaction to what we see in the press.

SHAHANI: Attorney Kevin King with Cooley LLP specializes in export controls.

KING: The stories about governments that are using these tools to spy on their citizens.

SHAHANI: Until now, U.S. regulation of software exports has been light. If I wanted to ship the game Angry Birds to people in Senegal or India, King says, I don't need permission.

KING: That's right, assuming Angry Birds isn't using encryption.

SHAHANI: If I want to sell encrypted software that scrambles and encodes a message...

KING: Well, you have to give it some thought, but the hurdles are very low.

SHAHANI: Last year, a subsidiary of Intel was fined $750,000 for exporting encryption software to China, but that's a rare event. Compliance is easy, King says. There's a one-time registration form a couple pages long.

KING: And then maybe an annual reporting requirement.

SHAHANI: King says the proposed rules create a new and big burden for companies and researchers. For any software that could be used to break into a network or smart phone, whether or not it uses encryption, the creator has to apply for a license before exporting.

KING: You're going to be going in for every transaction, requesting permission to be able to, you know, release the software.

SHAHANI: Critics say the problem with that is not simply or even primarily one of big government stepping on the toes of small business. It's that regulators are misunderstanding how security works in the world of software. Katie Moussouris, the chief policy officer at HackerOne, says code that can be used to break in can also be used to look for holes that need patching. It's dual use.

KATIE MOUSSOURIS: If you want to make a comparison to physical weapons, a knife can be used to chop vegetables, and it can be used to kill people.

SHAHANI: And in practice, Moussouris says, bad guys aren't going to stop and ask for permission, so putting a public agency dead in the middle of private communication just slows down the good guys.

MOUSSOURIS: Having any kind of speed bump to defense actually makes the entire internet less safe for everyone.

SHAHANI: Today is the last day for public comment on the proposed new rules by the Department of Commerce. Aarti Shahani, NPR News, San Francisco. Transcript provided by NPR, Copyright NPR.