Google opposes US-Wassenaar export controls on intrusion software

Google has weighed in against a US proposal to regulate the export of intrusion software, arguing that it would harm the vulnerability research that helps it protect users.

Google on Monday submitted its response to the U.S. Commerce Department's proposal, aired in May, to introduce tighter rules for those who export computer security tools such as penetration testing software, newly discovered software vulnerabilities (known as zero-day flaws) and rootkits.

The company said the rules are overly broad and will hinder research that keeps internet users secure.

“We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community,” said a team of Google employees, consisting of Neil Martin, an export compliance counsel, Tim Willis, a hacker philanthropist, and the Chrome Security Team.

The proposed changes stem from the U.S.’s participation in the Wassenaar Arrangement — a pact among 41 nations, including Australia, to limit the proliferation of a range of dual use goods and technologies. In 2013, members proposed regulations on trading intrusion software, including zero-day flaws and exploits for them.

The proposal is meant to tackle the frowned-upon practice among some security companies of selling information about software vulnerabilities, and would require them to obtain a license before exporting that software. One example of the intended target of the new regulations is the recently breached Italian security firm Hacking Team, which held a number of flaws for Adobe's Flash Player and other popular software. It has been criticised for selling its spyware to governments that are known to violate human rights.

But as Google outlined in the blogpost, detailing parts of its submission, the rules are “dangerously broad and vague” and could ultimately make users less secure.

The search company may be required to request "tens of thousands" of export licenses because of the structure of its business.

“Since Google operates in many different countries, the controls could cover our communications about software vulnerabilities, including: emails, code review systems, bug tracking systems, instant messages - even some in-person conversations!”

It may also impede Google’s well-funded bug bounties, which offer payouts to security researchers across the world who find and report flaws to Google in products such as the Chrome browser. On top of this, its own staff, such as Google security engineer Adam Langley, are often credited with finding serious bugs in widely-used software, whether it's proprietary or open source.

Google argues these researchers should be offered exemptions under the condition they report the flaw to the software maker.

“There should be standing license exceptions for everyone when controlled information is reported back to manufacturers for the purposes of fixing a vulnerability,” the Google employees said.

Langley said in May that adding exploits to the Wassenaar Arrangement was "an egregious mistake for anyone that cares about a more secure and less surveilled Internet."

"The intention of those that supported the amendment to Wassenaar was to protect freedom of expression and privacy worldwide; unfortunately, their implementation achieved almost the exact opposite," he said.

He said it was intended to target “cyber arms dealers” but captured white hat security researchers also.

“Security researchers face a fundamental problem: In order to prove exploitability, and in order to be 100% sure that they are not crying wolf, they need to demonstrate beyond any doubt that an attack is indeed possible and reliable. This means that the researcher needs to build something that is reliable enough to be dangerous,” he explained.

Google also argues that global companies should be able to share information about intrusion software with their own engineers worldwide, and called for a clearer explanation of what the export controls demand.


The next annual meeting of Wassenaar Arrangement nations is in December 2015, which Google notes is the only opportunity to change the scope of the intrusion software controls.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Liam Tung
