The draft changes add intrusion technologies to the ‘weapons’ restricted by the US under the so-called ‘Wassenaar 41-country export pact’. But Google fears the rules are so vaguely worded they will accidentally stifle white-hat threat intelligence sharing - with potentially “disastrous” results.
In a 20 July blog post, Google lawyer Neil Martin and Chrome security team member Tim Willis say the plans will have “a significant negative impact on the open security research community”, including malware hunters in the UK and elsewhere who have benefited from millions of pounds worth of bug bounty payments from US firms.
“Global companies should be able to share information globally. These controls should be changed ASAP,” they say.
Google's condemnation has gone to the US Commerce Department, just as a 60-day consultation into the changes ends today. And its criticism echoes that of the recently formed Coalition for Responsible Cybersecurity, which includes Symantec, FireEye, Ionic Security and others.
In a strongly worded statement last week, the Coalition said: “These rules, if they were adopted as they stand today, would put the entire US cyber-security industry - and everyone who relies on that industry for protection - at risk.”
Supporting their fears, earlier this month Wassenaar was blamed when Northumbria University student Grant Wilcox was forced by his college ethics board to censor part of his final-year dissertation into exploits that bypass Microsoft's EMET 5.1 security tool – in case sharing this knowledge breached the rules.
Wilcox said last week that he has since asked the UK Government for advice on whether he can release the code, but is still no further forward.
“I have stated my case as to why I believe the exploits, and subsequently the whole research, should be published in full,” he said.
But when he approached HMRC and the Department for Business, Innovation and Skills: “Despite my repeated questioning, all I got as an answer was ‘look at the export guidelines’, without stating whether or not my research actually falls within the tolerances of the export control lists or not. Therefore at the moment I can't really do anything.”
In its blog, Google says the “dangerously broad and vague” rules could require US security firms to get thousands of export licences covering “communications about software vulnerabilities, including emails, code review systems, bug tracking systems, instant messages - even some in-person conversations!”
Speaking to SCMagazineUK.com, UK cyber-expert Professor Alan Woodward of Surrey University agreed with the stance.
“The US has basically included zero-days in the same category as bombs and bullets,” he said.
“Most people in the security industry would agree that full disclosure has always proven to be the best approach. The problem is there is a possibility that the Wassenaar agreement, as interpreted by the US, could prevent that.
“What the American government is saying is that ‘for research purposes we don't have a problem with disclosure, it's about selling it’. But I do wonder if someone just discloses it, they could potentially fall foul of the legislation.”
Woodward also said the difficulties encountered by Grant Wilcox are “a troubling sign”.
He explained: “The intention was to stop people like Hacking Team selling these things. And you can see if someone's selling to some despotic regime, what the Americans are saying is ‘under the Wassenaar agreement we don't want that coming out of America’.
“I kind of sympathise with that. But at the same time we have to hope that it's not interpreted in such a way as to restrict security research - that really would be a retrograde step.”
The Coalition for Responsible Cybersecurity warned: “The rule will put the US and the world at greater risk from hackers – exactly the opposite of what it seeks to accomplish. Cyber-security research will be curtailed, cyber-security tool availability will be constrained and cyber-security collaboration will be harmed.
“The rule will not stop the spread of malware or curtail illicit hacking and intrusions in any way. In fact, it would hinder research and the development of effective tools to combat attackers. This actually makes the proposed rule very dangerous for companies and industries throughout the world.”
Coalition member Jay Kaplan, CEO of Synack, added: “More than 70 percent of our cyber-security researchers are from outside the US but we will be barred from using their expertise.”