Hacking deal in dispute as government tries to control dangerous software


To fight hackers and oppressive rulers, the US government struck a deal with 41 countries last May to keep dangerous software from moving from one country to another. The arrangement would try to keep viruses and spyware from spreading by requiring businesses to obtain a special license to access dangerous software from across borders.

It makes sense: keep tools that enable everything from identity theft to spying on political dissidents out of the hands of organized crime rings and despots. For example, companies like the recently shamed Hacking Team in Italy couldn’t secretly sell spy software to countries like Ethiopia and Sudan, which have documented human rights abuses.

But it turns out, there’s an unintended side effect: the agreement also keeps cybersecurity researchers from doing their jobs.

An international cybersecurity agreement could keep security researchers from being able to do their jobs.

This conflict came to a head at a congressional hearing in Washington, DC earlier this month when US representatives pointedly asked the federal agencies tasked with implementing the deal, known as the Wassenaar Arrangement, how they could fix the problem. Members of Congress said the US government needs to find a way to implement the deal without stopping cybersecurity research.

“If we can’t do that,” Rep. John Ratcliffe (R-Texas) said at the January 12 hearing, “I question why as a country we are agreeing to this updated arrangement.”

Permission to hack

Nobody even noticed that the researchers would be left out in the cold until two months after the deal was signed. It was cybersecurity experts themselves who pointed out the problem in July, when the US Department of Commerce asked for feedback on the rules they wrote to implement the deal.

Under the arrangement, researchers say, the government would make it significantly harder for them to pass information back and forth across borders. Also known as, y’know, working over the Internet.

“That puts nearly all this sort of research at a stalemate,” said Willis McDonald, a senior threat researcher at cybersecurity company Damballa.

This isn’t just theory.

Earlier this month, Damballa helped Norwegian law enforcement identify a hacker who was taking control of computers remotely and using them to steal access to online gaming accounts, where gamers store characters and resources that can be sold for real money outside of a game. Sitting in the company’s office in the US, researcher Loucif Kharouni accessed the malicious software used by the hacker as it sat on a Norwegian server. After Kharouni figured out who authored the software, the hacker, whom the company declined to name, was arrested in Norway.

Both the US and Norway are participants in the Wassenaar Arrangement, so under the new rules, Damballa would now need to get permission in the form of an export license from the Bureau of Industry and Security (BIS) to conduct this kind of research. There’s no fee for the application, but it currently takes an average of more than 21 days for the bureau to process an application.

That time may even go up.

For example, Microsoft has estimated that it would need hundreds of thousands of export licenses per year for itself and the security research companies it partners with to go on with business as usual. Like many large Internet companies, Microsoft does a lot of its own cybersecurity research and contracts with other companies who work throughout the world to make sure its products are safe.

Last year, the government issued more than 37,000 export licenses in total. There’s no estimate for exactly how many new applications for the licenses the agency would have to process, but Cristin Flynn Goodwin, assistant general counsel of cybersecurity at Microsoft, told Congress that it seems likely the BIS can’t handle the oncoming flood of requests.

Critics say the government should just scrap these new rules and instead spend its time investigating hackers and bad companies.

“That seems like a more direct way to go after them,” said Ari Schwartz, a lawyer in Washington DC who until October served in the White House as the director of cybersecurity at the US National Security Council.

That’s probably a pipe dream, though. By the time security experts pointed the problem out to the government, other countries had already put their rules in place. Changing things means re-negotiating a deal with the other 40 countries involved.

Still, Rep. Jim Langevin (D-RI), who co-signed a letter with Rep. Michael McCaul (R-Texas) lambasting the Wassenaar Arrangement, said in an interview he didn’t see how the US could abide by the deal.

His solution: go back to the drawing board in Wassenaar, Netherlands, where the idea originated. “There might not be a way to fix it without re-negotiating it,” he said.