The US Wants to Regulate Surveillance Software Like Weapons

Proposed rules on spyware have the right idea but are too broad, experts say.

May 20 2015, 3:00pm

Image: Chicandyoushallfind

Today, software can be a weapon. Malware has been used to spy on activists from Bahrain, and the Ethiopian government has targeted journalists while they were in the United States. Today, the United States is moving towards making sure surveillance software doesn't fall into the wrong hands. But according to security experts, the proposed rules are too broad and are likely to interfere with research, therefore making computer systems less secure in the long run.

The Bureau of Industry and Security (BIS) today posted its proposed implementation of the Wassenaar Arrangement. That Arrangement would require anyone based in the US to get a license before exporting or transferring data used to create "intrusion software," or network surveillance systems, outside of North America.

The Arrangement would be analogous to the International Traffic in Arms Regulations (ITAR), which the US government uses to control the export of weapons and materials used in weapons (until 1997, strong cryptography was even classified as arms and prohibited from export).

The EU is already ahead of the US in the area of regulating surveillance software, having introduced its own measures late last year. This came shortly after human rights groups asked governments to take seriously the proliferation of surveillance software, the likes of which "often leads to further human rights violations including invasions of privacy, arbitrary arrest and detention, torture and other cruel, inhuman or degrading treatment or punishment, the silencing of free expression, preventing political participation, and crushing offline and online dissent," according to Humans Rights Watch.

Indeed, that is the positive side of the Wassenaar Arrangement: the intention is to make sure that things such as exploits and computer vulnerabilities, which can be used to spy on political dissidents, won't be provided to authoritarian regimes, for example.

This could have a knock-on effect on software reliability and security

But the Wassenaar Arrangement has problems, and ones that could cause real interference in the security industry as a whole.

"The Wassenaar definitions of intrusion software are overbroad, applying almost universally to elementary building blocks of security research," according to a paper written by security researchers Sergey Bratus, D J Capelis, Michael Locasto and Anna Shubina. That paper was published back in October 2014, during an earlier round of public commentary on the Wassenaar Arrangement.

Although there are slight differences between the version of the Arrangement that the researchers commented on earlier and this latest one, "At a first glance, our previous concerns stand," Bratus told me over Twitter.

The Wassenaar Arrangement, in an attempt to not interfere with legitimate work involving intrusion software outright, such as the research of discovering new computer vulnerabilities, does not put controls on intrusion software as a whole. Instead, it issues controls on software that is for the "generation, operation or delivery of, or communication with" intrusion software, or in other words, the foundations of such software.

But that approach is arguably even more problematic, according to Bratus' paper. The tools used to "develop, generate, automate and deploy" very important computer products such as antivirus, remote management software, and even operating systems are swept up in the language used in the Wassenaar Arrangement. In turn, this could have a knock-on effect on software reliability and security, and ironically, the research of "anti-surveillance measures" and "the discovery of existing vulnerabilities—and thus on fixing vulnerable systems," the authors note.

Rob Graham, a security research from Errata Security, tweeted that if the Arrangement became law in the US, then it would be "illegal" for him to export his code. Graham has produced various pieces of software in the past, including BlackICE, a firewall product used to defend computer systems from attack. BlackICE is given as an example of the kind of software that would fall into the regulated category of the Wassenaar Arrangement, according to Bratus' paper, because it modified part of the Windows operating system.

Bratus and the other researchers have thought of a solution though.

"The anti-surveillance intent of Wassenaar will, however, be fully fulfilled if surveillance-enabling software and hardware were to be addressed directly. We propose such a direct approach: targeting exfiltration, which is a key part of surveillance, rather than the vague and overbroad intrusion."

Whereas intrusion is the act of getting into a system, exfiltration is the taking of data. "In nearly all of surveillance scenarios, surveillance software sends sensitive data to a command-and-control center operated by the government," the researchers continue. So, instead of surveillance software being defined as something that breaks into a computer, it should be seen as software that secretly steals sensitive information from a target, the authors argue.

Members of the public can comment until July 20 to raise any concerns they have about the Arrangement. Judging by the security community's reaction, plenty will be doing so.