More than six years after proposing restrictions on the export of “intrusion software”, the Bureau of Industry and Security (BIS) of the United States Department of Commerce formulated a rule that it says balances the latitude required to investigate cyber threats with the need to limit dangerous codes.
The BIS on Wednesday announced an interim final rule that defines when an export license will be required to distribute what is essentially commercial spyware, in order to align U.S. policy with the Wassenaar Arrangement 1996, an international arms control regime.
Rule [PDF] – which spans 65 pages – aims to prevent the distribution of surveillance tools, like the NSO Group’s Pegasus, to countries under arms control, like China and Russia, while allowing research to continue and legitimate security transactions. Available to the public for comment over the next 45 days, the rule is expected to be finalized in 90 days.
Pegasus has reportedly been used by governments to spy on activists and journalists, among others. The United Nations recently called for a ban on the sale of “life-threatening” surveillance technology and specifically criticized the NSO group, which claims it “sells its technologies only to law enforcement and intelligence agencies of controlled governments for the sole purpose of saving lives by preventing crime and terrorist acts.”
The Israel-based company, which is waiting to see if the U.S. 9th Circuit Court of Appeals immunize it of the WhatsApp spy trial, later said he would no longer respond to criticism.
Basically, if you want to sell Pegasus or similar device penetration software and have a presence in the United States, you need a license to sell to China, Russia, or other covered governments. NSO is said to have a marketing and sales arm in the United States, a point that Israeli business rejects.
The Commerce Department said the US government “opposes the misuse of technology to violate human rights or carry out other malicious cyber activity, and these new rules will help ensure that US businesses do not fuel authoritarian practices “.
âThe United States is committed to working with our multilateral partners to prevent the spread of certain technologies that can be used for malicious activities threatening cybersecurity and human rights,â said US Secretary of Commerce Gina Raimondo, in A declaration.
âThe Commerce Department’s Interim Final Rule imposing export controls on certain cybersecurity items is a tailored approach that protects US national security from malicious cyber actors while ensuring legitimate cybersecurity activities. “
Europe took similar steps in November 2020, with its own export limitations on cybersecurity tools.
The United States proposed in 2015 to impose export restrictions on cybersecurity tools, but encountered headwinds when the U.S. cybersecurity industry objected, saying the rules were too wide and interfere with security patches. The government then returned to negotiate with other Wassenaar participants to come up with a more workable definition of how to limit intrusion software.
Following negotiations in 2016 and 2017, the negotiators of the Wassenaar Accord issued changes that clarified the limitation of the definition of intrusion software to malicious contexts, so that it did not cover all capabilities. command and control and all security research, vulnerability disclosure, incident response or software updates.
Chris Rohlf, non-resident researcher at Georgetown Center for Security and Emerging Technology and security engineer at Facebook, via Twitter called the revised BIS rule a well-informed attempt to limit the distribution of intrusion software in accordance with the Wassenaar arrangement.
âIt’s hard to grasp the nuance needed to be successful, but this time around he seems to be in a better position,â he said. Â®