SoylentNews

U.S. Mulls Export Controls on Zero-Days

posted by n1 on Thursday May 21 2015, @06:55PM   
from the what-is-this-bis dept.

takyon writes:

The Register and Threatpost report that the U.S. Department of Commerce may enshrine the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies into law, banning the export of zero-day vulnerabilities without permission:

The Bureau of Industry and Security (BIS) proposes to implement the agreements by the Wassenaar Arrangement (WA) at the Plenary meeting in December 2013 with regard to systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software; software specially designed or modified for the development or production of such systems, equipment or components; software specially designed for the generation, operation or delivery of, or communication with, intrusion software; technology required for the development of intrusion software; Internet Protocol (IP) network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor.

BIS proposes a license requirement for the export, reexport, or transfer (in-country) of these cybersecurity items to all destinations, except Canada. Although these cybersecurity capabilities were not previously designated for export control, many of these items have been controlled for their "information security" functionality, including encryption and cryptanalysis.

This rule thus continues applicable Encryption Items (EI) registration and review requirements, while setting forth proposed license review policies and special submission requirements to address the new cybersecurity controls, including submission of a letter of explanation with regard to the technical capabilities of the cybersecurity items. BIS also proposes to add the definition of "intrusion software" to the definition section of the EAR pursuant to the WA 2013 agreements.

A 60-day comment period ends July 20th.

• Why not send in a comment? (Score: 3, Insightful) by bradley13 on Friday May 22 2015, @06:36AM

  by bradley13 (3053) on Friday May 22 2015, @06:36AM (#186339) Homepage Journal

  Send a comment to publiccomments@bis.doc.gov referencing rule BIS-2015-0011. Why not - it can do no harm, and might do some good.

  I just sent the following:

  Ladies and gentlemen

  Rule BIS-2015-0011 is essentially proposing export restrictions on information. While it may refer to software products, in fact, there is no practical difference between controlling software and controlling the concepts that it implements: given the concepts, anyone can write the software.

  This rule is reminiscent of the one-time export controls on cryptographic products. This proposed rule would be counterproductive, just as those export controls were. In fact, we are still paying the price of those one-time export controls: just this month, a widespread security problem (“Logjam”) was identified, which can be directly blamed on those futile attempts to control encryption technology.

  Rules like this are proposed by well-meaning but arrogant government agencies. You presume much more power and control than you actually have. In today's society, no one can control the flow of information in this way (or, indeed, in any realistic way). All that such rules accomplish is to hamper law-abiding companies and individuals, thereby benefiting illegal actors.

  Rule BIS-2015-0011 is a bad idea. Scrap it.

  Yours sincerely

  Of course, they'll stop reading when they get to the bit about "arrogant government agencies", but it's impossible not to point that out...

  --
  Everyone is somebody else's weirdo.

  Starting Score:	1		point
  Moderation		+1
  Insightful=1, Total=1
  Extra 'Insightful' Modifier		0
  Karma-Bonus Modifier		+1
  Total Score:		3