More than six years after proposing export restrictions on “intrusion software,” the US Commerce Department’s Bureau of Industry and Security (BIS) has formulated a rule that it believes balances the latitude required to investigate cyber threats with the need to limit dangerous code.
The BIS on Wednesday announced an interim final rule that defines when an export license will be required to distribute what is basically commercial spyware, in order to align US policy with the 1996 Wassenaar Arrangement, an international arms control regime.
The rule [PDF] – which spans 65 pages – aims to prevent the distribution of surveillance tools, like NSO Group’s Pegasus, to countries subject to arms controls, like China and Russia, while allowing legitimate security research and transactions to continue. Made available for public comment over the next 45 days, the rule is scheduled to be finalized in 90 days.
Pegasus allegedly has been used by governments to spy on activists and journalists, among others. The United Nations recently called for a ban on the sale of “life threatening” surveillance technology and specifically criticized the NSO Group, which claimed it “sells its technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts.”
The Israel-based company, which is awaiting to see whether the US 9th Circuit Court of Appeals will immunize it from WhatsApp’s snooping lawsuit, subsequently said it would no longer respond to criticism.
Basically, if you want to sell Pegasus or similar device-penetration software, and you have a presence in the US, you need a license to sell to China, Russia, or the other covered governments. NSO was said to have a marketing and sales arm in the United States, a point the Israeli biz rejects.
The Commerce Department said the US government “opposes the misuse of technology to abuse human rights or conduct other malicious cyber activities, and these new rules will help ensure that US companies are not fueling authoritarian practices.”
“The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights,” said US Secretary of Commerce Gina Raimondo, in a statement.
“The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities.”
Europe took similar steps in November, 2020, with its own export limitations on cybersecurity tools.
The US in 2015 proposed placing export restrictions on cybersecurity tools, but encountered headwinds when the US cybersecurity industry objected, saying the rules were too broad and would interfere with security fixes. The government then went back to negotiate with other Wassenaar participants to come to a more workable definition of how to limit intrusion software.
Following negotiations in 2016 and 2017, the Wassenaar Agreement negotiators published changes that clarified that limited the definition of intrusion software to malicious contexts, so that it didn’t cover all command and control capability and all security research, vulnerability disclosure, incident response, or software updates.
Chris Rohlf, non-resident research fellow at the Georgetown Center for Security and Emerging Technology and a security engineer at Facebook, via Twitter characterized the revised BIS rule as a well-informed attempt to limit the distribution of intrusion software in accordance with the Wassenaar Arrangement.
“It’s hard to capture the nuance necessary to make this successful but this time around it looks to be in a better position,” he said. ®