A new coalition made up of the U.S.’s leading cybersecurity firms launched a campaign this week to combat newly proposed Commerce Department regulation aimed at limiting the export of cyber intrusion technologies — an issue that’s recently risen in importance since the massive hack of 22.1 million people’s personal data from the U.S. Office of Personnel Management.
“These rules, if they were adopted as they stand today, would put the entire U.S. cybersecurity industry — and everyone who relies on that industry for protection — at risk,” Cheri McGuire, Symantec vice president of global government affairs and cybersecurity policy, said in a statement Tuesday. “The rule as written is going to hurt cybersecurity research, slow innovation in cybersecurity technology, and put a damper on cybersecurity information sharing.”
The U.S. Department of Commerce’s Bureau of Industry and Security proposed the rule change in the form of amendments to the Export Administration Regulations in May. If adopted, the new rules would establish tougher limitations on the global sale of tech commonly associated with “intrusion software,” forcing companies to acquire a license to export such technology anywhere else in the world, with the sole exception of Canada.
“Implementation of this rule as written will significantly weaken the technology, processes, and tools industry uses to maintain state of the art defenses against intrusions, and all other hacking activities,” the group, dubbed the Coalition for Responsible Cybersecurity, said in a press release Tuesday. “The rule will put the United States and the world at greater risk from hackers – exactly the opposite of what it seeks to accomplish.”
According to the U.S. Office of the Federal Register, the rules will also be applied to technology incorporating “encryption and cryptanalysis,” and require exporters to register such products with the Commerce Department. In some cases, manufacturers could be compelled to provide the source code for such products in export applications.
Though the department attests the proposed changes will help curb bad actors’ access to tools used in cyber intrusion, coalition members including Symantec, Ionic Security, FireEye, Synack, Global Velocity, WhiteHat, and others claim they will do the opposite by sweeping tech designed to prevent intrusion under stricter standards for export, limiting global access to prevention tools as the frequency of high-profile successful cyberattacks continues to rise.
According to Ron Bushar, global director for security program services at FireEye subsidiary Mandiant, “the rule treats these tools as though they were weapons, but in fact they are absolutely essential for every company and government that has been targeted by attackers. Every time cybersecurity professionals are asked to do defensive testing for a business — even a U.S. business with operations in Europe or South America — they would need a license.”
“The process involved in acquiring these unnecessary government licenses would delay cybersecurity protections for months, ensuring that U.S. cybersecurity defenses will always lag far behind the hackers.”
Earlier this year Symantec reported almost 1 million variants of new malware are created daily, and a year-over-year 40 percent increase of attacks targeting large enterprises.
“The current threat landscape requires real-time security analysis, testing and deployment of protections,” Symantec’s McGuire said in a blog post Tuesday. “Asking a multinational corporation who is at risk of a cyberattack to wait months for a license to be able to test its network defenses, or to receive the latest protections because its security provider is hampered from communicating across borders, is downright dangerous.”
Cybersecurity firms allege the rule will impede cybersecurity research by hindering researchers’ ability to test networks and share information across borders, limit the availability of prevention tools overseas (including to subsidiaries of U.S. companies) and the collaboration of information, which is considered “exported” even if shared with overseas employees of U.S. companies.
Even network surveillance and security perimeter tools, such as automated network monitoring and pre-programmed responses like IP blocking, would face restrictions.
“More than 70 percent of our cybersecurity researchers are from outside the United States but we will be barred from using their expertise,” Synack CEO Jay Kaplan said. “And this regulation could require our researchers in the United States to get a government license just to have more than a superficial conversation about new security vulnerabilities.”
The coalition is urging companies to push back against the proposed rules before the comment period ends on July 20.
“This proposed rule is unacceptably restrictive and ambiguous, and it applies to an industry that has not been targeted in this way by export controls before,” Iconic Security CEO Adam Ghetti said. “We would encourage the department to reconsider in light of the negative consequences, however unintended, that would result from implementation of its current proposal.”
