Google Fights Export Controls For 'Intrusion Software' - InformationWeek

7/21/2015
06:05 AM

Google Fights Export Controls For 'Intrusion Software'

Proposed export rules could hobble cybersecurity research, Google claims.

Google on Monday asked the US Commerce Department to alter proposed rules that would restrict cyber security research.

The rules reflect US participation in the Wassenaar Arrangement, a multilateral export-control agreement that includes 41 countries. As it is not a formal treaty, it requires participating states to separately implement their own interpretation of the Arrangement.

Google's objection to the rules being considered in the US reflects unease over the addition of "intrusion software" to the list of goods subject to export limitations.

Intrusion software is defined as software designed or modified "to avoid detection by 'monitoring tools,' or to defeat 'protective countermeasures,' of a computer or network-capable device, and performing: a) the extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or b) the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions."

It specifically excludes: hypervisors, debuggers, or software reverse engineering (SRE) tools; digital rights management (DRM) software; asset-tracking software; and network-capable devices like mobile phones and smart meters.

Neil Martin, Google export compliance counsel, and Tim Willis, "hacker philanthropist" on the Chrome security team, in a July 20 blog post argue that the proposed rules, if adopted as presently written, would hinder open security research and limit the ability of organizations to find and fix security vulnerabilities in software.

"It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure," Martin and Willis write.

In a letter sent to the US Commerce Department's Bureau of Industry and Security (BIS), Google argues that the proposed rules are too broad and vague, requiring potential export licenses for email, code review systems, instant messages, and perhaps even in-person conversation, despite assurances to the contrary.

The rules, suggest Martin and Willis, could require an export license to report a bug and could limit the ability of companies to share information about intrusion software.

Jeffrey L. Vagle, executive director of the Center for Technology, Innovation, and Competition at the University of Pennsylvania Law School, said in a blog post earlier this month that the government's impulse to limit the flow of potentially dangerous software, while understandable, is fraught with difficulties.

Governments naturally want to control potentially dangerous technologies, Vagle contends, yet they also want to use these same technologies for intelligence and surveillance. The problem with this approach is that offensive and defensive cyber-security research often depend on each other.

The US government's proposed cure might just make its own networks, already compromised too often, less secure.

"Regulating offensive research through limits on international collaboration could very well make impotent an important component in our ongoing struggle to fix buggy code," Vagle wrote. "If the true goal is to maximize information security in our everted cyberspace, the better solution is one that incentivizes defense rather than arbitrarily punishes offense."

Vagle suggests liability for vulnerabilities would offer an incentive for greater defensive investment in software.

Google has requested that the Commerce Department address the problems with its rules at the annual meeting of Wassenaar Arrangement members in December.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments
Whoopty,
User Rank: Ninja
7/21/2015 | 7:16:07 AM
Difficult
I imagine it's difficult for the politicians to know who to listen to with this debate. The people who don't want more regulation tend to know the most, but also stand to financially benefit the most if the legislation isn't implemented, so it probably seems like quite a biased opinion.

On the other hand, those calling for no more zero day exploits probably don't understand them well enough. 

I'll be watching the results of these debates closely though as the outcome could have a big impact on how secure we all are. 
jries921,
User Rank: Ninja
7/22/2015 | 11:23:50 AM
This is what lobbyists are for
And I doubt that Google is the only large tech company with concerns; so I figure it's time for Larry Page to start enlisting the aid of his fellow tech CEOs, to include the one in Redmond (it's amazing how quickly rivalries can be put aside on matters of common self-interest).