
Regulators seek to limit security software exports

Maria Korolov | July 20, 2015
The rules, as written, would severely restrict international sales, deployment, research and even discussion of cybersecurity tools and exploits, experts say.

But even companies that aren't in the business of selling software could be affected, said Symantec's McGuire.

For example, current rules requiring export licenses for certain types of encryption software have an exclusion for internal use, she said.

"Without an intra-company exception, companies will not be able to effectively research vulnerabilities and exploits," she said. "Companies must have the ability to get such vulnerabilities and associated exploits, technology, and technical details to the most knowledgeable expert within their companies quickly and effectively. Otherwise the industry is crippled."

And then there are multinational companies that either have government mandates to do penetration testing, or are doing it for their own security.

Now these companies will have to apply for export licenses, McGuire said. "The unintended consequences of this proposed rule will mean higher risk and more frequent security breaches."

Symantec is one of the companies that recently joined a coalition composed mostly of security vendors that are working to put a stop to the proposed regulations.

Another member is Ionic Security.

The proposed regulations apply to exports to every country except Canada, said Ionic founder and CEO Adam Ghetti. And they are written so broadly that they could be read to apply to almost any kind of software, as well as to research, collaboration -- even discussions.

"If I just wanted to have a conversation with a customer about the capabilities my tool provides, I would have to get a license," he said.

China and Russia and other international cyber-threats

At their core, the regulations seem to be designed to prevent oppressive regimes from acquiring zero-day exploits and the ability to listen in on all the communications of their citizens.

But they're of particular significance today.

"We know we have problems with securing our networks from the Chinese and Russians and others," said Mark Kuhr, co-founder and CTO at Synack. Previously, Kuhr was a technical director for the National Security Agency.

"I agree with the intent," he said. But the way the rules are currently written will hamper legitimate uses of cybersecurity products and hurt competitiveness, and will not limit the black market.

"It will not make our systems more secure," he said.

In theory, the regulations could make it easier to prosecute the bad guys, said Jonathan Levine, CTO at Intermedia, which provides cloud-based business software.

"The most effective weapon against organized crime in the 40's and 50's tended to be prosecutions for tax evasion," he said. "It will be much easier to persuade juries that cybercriminals are guilty of having illegally exported some malware than that they used it for something."

On the other hand, he said, not only do cybercriminals have plenty of safe havens overseas, but detecting the violations could be extremely difficult.

 
