Google Fights Export Controls For 'Intrusion Software' - InformationWeek

Google Fights Export Controls For 'Intrusion Software'

Proposed export rules could hobble cybersecurity research, Google claims.

Google on Monday asked the US Commerce Department to alter proposed rules that would restrict cyber security research.

The rules reflect US participation in the Wassenaar Arrangement, a multilateral export-control agreement that includes 41 countries. As it is not a formal treaty, it requires participating states to separately implement their own interpretation of the Arrangement.

Google's objection to the rules being considered in the US reflects unease over the addition of "intrusion software" to the list of goods subject to export limitations.

Intrusion software is defined as software designed or modified "to avoid detection by 'monitoring tools,' or to defeat 'protective countermeasures,' of a computer or network-capable device, and performing: a) the extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or b) the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions."

It specifically excludes: hypervisors, debuggers, or software reverse engineering (SRE) tools; digital rights management (DRM) software; asset-tracking software; and network-capable devices like mobile phones and smart meters.

Neil Martin, Google export compliance counsel, and Tim Willis, "hacker philanthropist" on the Chrome security team, in a July 20 blog post argue that the proposed rules, if adopted as presently written, would hinder open security research and limit the ability of organizations to find and fix security vulnerabilities in software.

"It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure," Martin and Willis write.

In a letter sent to the US Commerce Department's Bureau of Industry and Security (BIS), Google argues that the proposed rules are too broad and vague, requiring potential export licenses for email, code review systems, instant messages, and perhaps even in-person conversation, despite assurances to the contrary.

The rules, suggest Martin and Willis, could require an export license to report a bug and could limit the ability of companies to share information about intrusion software.

Jeffrey L. Vagle, executive director of the Center for Technology, Innovation, and Competition at the University of Pennsylvania Law School, said in a blog post earlier this month that the government's impulse to limit the flow of potentially dangerous software, while understandable, is fraught with difficulties.

Governments naturally want to control potentially dangerous technologies, Vagle contends, yet they also want to use these same technologies for intelligence and surveillance. The problem with this approach is that offensive and defensive cyber-security research often depend on each other.

The US government's proposed cure might just make its own networks, already compromised too often, less secure.

"Regulating offensive research through limits on international collaboration could very well make impotent an important component in our ongoing struggle to fix buggy code," Vagle wrote. "If the true goal is to maximize information security in our everted cyberspace, the better solution is one that incentivizes defense rather than arbitrarily punishes offense."

Vagle suggests liability for vulnerabilities would offer an incentive for greater defensive investment in software.

Google has requested that the Commerce Department address the problems with its rules at the annual meeting of Wassenaar Arrangement members in December.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

User Rank: Ninja
7/22/2015 | 11:23:50 AM
This is what lobbyists are for
And I doubt that Google is the only large tech company with concerns; so I figure it's time for Larry Page to start enlisting the aid of his fellow tech CEOs, to include the one in Redmond (it's amazing how quickly rivalries can be put aside on matters of common self-interest).
User Rank: Ninja
7/21/2015 | 7:16:07 AM
I imagine it's difficult for the politicians to know who to listen to with this debate. The people who don't want more regulation tend to know the most, but also stand to financially benefit the most if the legislation isn't implemented, so it probably seems like quite a biased opinion.

On the other hand, those calling for no more zero day exploits probably don't understand them well enough. 

I'll be watching the results of these debates closely though as the outcome could have a big impact on how secure we all are. 