If the private defense industry supplied weapons to our enemies, heads would roll and there would be hell to pay for sure. After all, providing any kind of military assets to countries fixed in opposition to our national interests would be unthinkable.
Cyber weapons are no different, defined as a piece of computer software or hardware used to commit cyber warfare. This can include cybersecurity asset exports to certain countries, namely China and Russia.
According to The Cyber Rule outlined by the U.S. Commerce Department’s Bureau of Industry and Security (BIS), any kind of command and control (C2) software, delivery of intrusion software, source code, or the technology for developing intrusion software is subject to control restrictions, including encryption technology.
According to the latest rule published in the Federal Register, “these items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it.”
The new rule became effective on May 26. It would go without saying that the ban would encompass spyware such as Pegasus by the Israeli firm NSO Group, which controversy has been featured in recent news for being used by various autocratic governments to spy on dozens of journalists, politicians, dissidents, clergy, and human rights activists.
The Pegasus spyware continues to be reported for wanton misuse around the world. This only covers zero-day technology that is commonly known and doesn’t include the possible sales of zero-day technology from hacking groups or State-backed threat actors. The U.S. placed the NSO Group on a U.S. trade blacklist.
It’s been a long time coming for the U.S. to take a proactive stance on its own cybersecurity interests. But as the old adage goes, “better late than never.” I say this simply because U.S.-based cybersecurity firms have enjoyed carte blanche freedom to engage in commerce of this nature for years.
Nevertheless, this certainly is a ripe opportunity to try to eliminate the possibility of unethical or harmful commerce, especially when considering that, since the U.S. placed economic sanctions on Russia, it directly involved itself with a foreign war involving its Cold War rival. A war that is dragging an uncountable army of hackers into the arena.
The Report at a Glance
The revisions to the ban have come at a time of large-scale hacking activities, due to the Russian/Ukrainian war, and the consequential “cyber war” in response from the hacker communities across the world led by Anonymous.
The prohibition was first announced last October, effectively placing embargoes on commercial exports of intrusion technology, including equipment, to China, Russia, as well as other countries. However, such exports require a license from the BIS, which will ensure that the export is not destined for ill purposes against the national interests of the U.S.
On account of this move, the U.S. has joined 42 member countries of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.
The Wassenaar Arrangement was created as an initiative to prevent the accumulation of destabilizing factors by collectively contributing to security and stability both regionally and internationally.
Through developmental transparency and by acknowledging a sense of responsibility regarding transactions of conventional arms and dual-use goods and technologies, the Wassenaar Arrangement seeks to develop and enact national policies aimed at making sure these items aren’t misused by means of proliferating military capabilities. This includes cybersecurity items that could be used for cyber warfare purposes, espionage, and illegal surveillance.
The earlier version of the prohibition, released last year, necessitated the usage of a new license expectation for Authorized Cybersecurity Exports (ACE). This permitted the exportation, re-export, and in-country transfers of cybersecurity technologies to most destinations.
Note that it was generally agreed upon that a license would only be a necessity for exports to countries that posed a national security concern as it relates to weapons of mass destruction, including nations subject to a U.S. arms embargo, such as China, Cuba, and others.
Backlash Within the Cybersecurity Industry
The cybersecurity industry has vocalized strong concerns about the language, pointing out that the restrictions are painted with too broad a stroke, covering a range of tools and technologies that are excessively vague.
Moreover, the industry is worried that the embargoes on these technologies would restrain bug bounty hunters, as well as white hat hackers acting in good faith and that the prohibitions placed on the development of intrusion detection-type software would ultimately halt the overall progress of cybersecurity research.
“This rule is meant to be a framework to understand and deter the export of cyber capability – mostly exploits, but also potentially TTPs, IOCs, et cetera – to governments in Country Group D,” said Casey Ellis, the founder and CTO of crowdsourced security platform Bugcrowd.
He also explained that export controls are arduous enough with physical weapons, saying:
“Cryptographic export controls have already illustrated the idea that regulating export in the cyber domain is difficult, and the implementation of the Wassenaar Agreement to include cyber in the USA has been no exception.”
Still, a number of commenters point out that the language is not comprehensive, which suggests that the rules present a number of difficulties when it comes to compliance. For example, commenters inquired whether the scope of the controls also encompasses cybersecurity incident detection and monitoring tools.
However, an important thing to note is that the BIS has considered the thoughts and concerns of the cybersecurity community and listened to the feedback from researchers, as well as the bug bounty hunting communities.
“An important section to keep an eye on will be the scope of license requirements, which they’ve committed to outlining and maintaining through FAQs," says Ellis. “These FAQs will ultimately dictate who is required to pursue licensing under the ruling, and who is carved out.”
An article by