Zero-Day Export Regulation Proposal Released for Public Comment

Monday, June 01, 2015

Anthony M. Freed


The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) has released its proposal for regulatory control of the export of malware and zero-day exploits, opening a sixty-day public comment period, and the reaction from the security community and other interested parties is already definitively negative.

The proposal would make the controlled-item listings added in 2013 to the Wassenaar Arrangement (WA) on Export Controls for Conventional Arms and Dual-Use Goods and Technologies part of U.S. law.

“The Bureau of Industry and Security (BIS) proposes to implement the agreements by the Wassenaar Arrangement (WA) at the Plenary meeting in December 2013 with regard to systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software; software specially designed or modified for the development or production of such systems, equipment or components; software specially designed for the generation, operation or delivery of, or communication with, intrusion software; technology required for the development of intrusion software; Internet Protocol (IP) network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefore,” the proposal states.

“BIS proposes a license requirement for the export, reexport, or transfer (in-country) of these cybersecurity items to all destinations, except Canada. Although these cybersecurity capabilities were not previously designated for export control, many of these items have been controlled for their “information security” functionality, including encryption and cryptanalysis.”

Critics say the proposal would be a blow to security efforts by hindering the advancement of penetration testing, bug bounty programs, and independent security research into vulnerabilities and associated exploits.

The intent to implement export controls on the newly listed items in the WA has been likened to efforts in the 1990s to regulate the export of strong encryption mechanisms and limit the distribution of PGP technology.

This was cross-posted from the Dark Matters blog.
