The cybersecurity industry and the government have been struggling over proposed export rules that researchers say could end up making the Internet less safe. And now the government says it will try again and give the public another chance to weigh in.
Earlier this year, the Department of Commerce's Bureau of Industry and Security released a proposal for how to implement restrictions on exporting so-called "intrusion software" in order to comply with an international arms control agreement known as the Wassenaar Arrangement. The list of items covered by the agreement was updated in December of 2013 to include some surveillance and intelligence-gathering tools and the proposed rules were meant to ensure the U.S. meets its obligations under the pact.
But the proposal drew criticism from big tech companies and independent researchers alike, who argued that the rules were too broad and would end up stymieing defensive cybersecurity research. Security professionals warned that licensing requirements in the proposed regulations could limit the use of so-called "penetration testing" -- tools designed to help researchers discover problems in computer systems -- or even make it more difficult for researchers to disclose vulnerabilities they uncover to software makers so they can be fixed.
"We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community," Google said on its security blog earlier this month. "They would also hamper our ability to defend ourselves, our users, and make the web safer. It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure."
The Commerce Department received more than 250 comments on the proposed regulation, with many groups raising concerns about the rules.
In a recent interview on a cybersecurity podcast produced by the D.C. law firm Steptoe & Johnson, Deputy Secretary of Commerce Bruce Andrews hinted that the agency would be going back to the drawing board. "I think you will see a very strong effort to be responsive to those comments and to try to figure out what the next iteration of this is -- and frankly to give people another opportunity to comment."
At a meeting Wednesday, representatives from the Department of Commerce told industry stakeholders that there would be a new version of the proposed rules incorporating industry feedback, as well as more time for the public and industry to weigh in, said attendee Jen Ellis, the head of communications for cybersecurity firm Rapid7.
An official at the agency's Bureau of Industry and Security, who declined to be named because he is not the official media spokesperson, confirmed that it was working on an updated version of the rules and that there would be a second comment period, but said it was unclear exactly when the new version would be ready. The initial round of comments closed on July 20th.
"They are doing a lot of industry outreach -- which is overdue, but welcome," said Stewart Baker, a partner at Steptoe & Johnson, who hosts the cybersecurity podcast and is a former general counsel to the National Security Agency.
Collin Anderson, an independent security researcher who has expressed concerns over the rules, said that the proposed regulations reflect the difficulty of separating offensive and defensive uses of cybersecurity tools.
"I don't think that BIS was out to destroy the cybersecurity profession; it's just that this is not an issue where they have traditionally engaged," he told the Post in an interview. "They believed that vulnerability disclosure was a lot more clean-cut a process than it turns out to be."
And because the actual international policy debate over the rules occurred some two years ago and the U.S. was already committed to the agreement, the agency was put in a particularly tough spot, Anderson said.
Now the good news, Baker said, is that the next version of the rules will likely have much more input from cybersecurity practitioners on the effect of the regulation. The bad news, he said, was that some in the industry now lack confidence the government will get it right on the second pass "since they made such a hash out of it the first time."