The Bureau of Industry and Security (BIS) has proposed tighter regulations around security tools, which may mean classifying existing cybersecurity tools as “weapons of war”.
The proposal could revise an international agreement aimed at controlling weapons technology, and it could hinder the work of security researchers.
At the meeting, a group of 41 like-minded states discussed ways to bring cybersecurity tools under the umbrella of law, as with the rest of the global arms trade. This includes guidelines on export rules for licensing technology and software as it crosses an international border.
Currently, these tools are controlled based on their cryptographic functionality. BIS has yet to clarify the details, but the proposed rule could disallow encryption license exceptions.
The proposal is irking security researchers, who see export controls on vulnerability research as regulation of the flow of information. These researchers need to use tools and scripts that intrude into a protected system. If the proposal becomes law, it will force them to find a new mechanism to beat the bad guys.
As per the agreement, the new definition of ‘intrusion software’ refers to a tool that is capable of extracting and/or modifying data or information from a computer or network-enabled device.
Modification also includes tweaking the standard execution path of a program. In addition, the tool could be designed to avoid detection by “monitoring tools” (software or hardware devices, such as antivirus products, that monitor system behaviors or processes running on a device). Tools such as hypervisors, debuggers and others that are used for reverse engineering software won’t be considered “intrusion software”.
Security items exported to government users in Australia, Canada, New Zealand, or the UK (the other “Five Eyes” nations) would get some leeway and looser restrictions. This is because the intelligence agencies in these five nations collaborate closely. BIS is seeking comments on the proposed rule, which is available to all in the Federal Register, with a deadline of July 20, 2015.