Google has weighed in against a US proposal to regulate the export of intrusion software, arguing that it will harm research into new software vulnerabilities that help it protect users.
Google on Monday submitted its response to the U.S. Commerce Department’s proposal aired in May to introduce tighter rules for those who export computer security tools, such as penetration testing software as well as newly discovered software vulnerabilities, known as zero-day flaws, and rootkits.
The company said the rules are overly broad and will hinder research that keeps internet users secure.
“We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community,” said a team of Google employees, consisting of Neil Martin, an export compliance counsel, Tim Willis, a hacker philanthropist, and the Chrome Security Team.
The proposed changes stem from the U.S.’s participation in the Wassenaar Arrangement — a pact among 41 nations, including Australia, to limit the proliferation of a range of dual use goods and technologies. In 2013, members proposed regulations on trading intrusion software, including zero-day flaws and exploits for them.
The proposal is meant to tackle the frowned-upon practice among some security companies of selling information about software vulnerabilities and would require them to have a license to export that software. One example of the intended target of the new regulations is the recently breached Italian security firm Hacking Team, which held a number of flaws for Adobe's Flash Player and other popular software. It has been criticised for selling its spyware to governments that are known to violate human rights.
But as Google outlined in the blog post detailing parts of its submission, the rules are “dangerously broad and vague” and could ultimately make users less secure.
The search company may be required to request “tens of thousands” of export licenses due to the structure of its business.
“Since Google operates in many different countries, the controls could cover our communications about software vulnerabilities, including: emails, code review systems, bug tracking systems, instant messages - even some in-person conversations!”
It may also impede Google’s well-funded bug bounties, which offer payouts to security researchers across the world who find and report flaws to Google in products such as the Chrome browser. On top of this, its own staff, such as Google security engineer Adam Langley, are often credited with finding serious bugs in widely-used software, whether it's proprietary or open source.
Google argues these researchers should be offered exemptions under the condition they report the flaw to the software maker.
“There should be standing license exceptions for everyone when controlled information is reported back to manufacturers for the purposes of fixing a vulnerability,” the Google employees said.
Langley in May said that adding exploits to the Wassenaar Arrangement was “an egregious mistake for anyone that cares about a more secure and less surveilled Internet.”
“The intention of those that supported the amendment to Wassenaar was to protect freedom of expression and privacy worldwide; unfortunately, their implementation achieved almost the exact opposite.”
He said it was intended to target “cyber arms dealers” but also captured white hat security researchers.
“Security researchers face a fundamental problem: In order to prove exploitability, and in order to be 100% sure that they are not crying wolf, they need to demonstrate beyond any doubt that an attack is indeed possible and reliable. This means that the researcher needs to build something that is reliable enough to be dangerous,” he explained.
Google also argues that global companies should be able to share information about intrusion software globally with their own engineers, and called for a clearer explanation of what the export controls demand.
The next annual meeting of Wassenaar Arrangement nations is on December 15, which Google notes is the only opportunity to change the scope of the intrusion software controls.
This article is brought to you by Enex TestLab, content directors for CSO Australia.