By Taylor Stenberg:
Cyber threats are becoming more complex and unpredictable as information and communications technologies continue to evolve, and hackers become more sophisticated in their techniques. The Obama administration has responded to this growing security concern with a number of initiatives, most recently including the promotion of heightened cybersecurity standards in government and industry, enhanced processes for public-private information sharing, and a new economic sanctions regime targeting malicious cyber activity. But despite these considerable efforts, obstacles remain.
Just one of the many challenges has been avoiding unintended consequences in the formal regulation of intrusion software. When applied offensively, this technology enables unauthorized access to, and surveillance of, email and mobile phones by hackers and governments alike. Although many legitimate cybersecurity companies apply similar intrusive methods for protective purposes, there is not yet a clear distinction between the offensive and defensive use of intrusion software. The government’s current push to curb the damage done by intrusion software will succeed only if it better targets its offensive application.
The defensive use of intrusion software – also known as vulnerability research – is central to the research and development efforts of major industry leaders as well as to new crowdsourced security programs. For instance, Intel Security Group, a partnership between Intel and McAfee, performs research and development to identify security weaknesses. Through vulnerability research methods like penetration testing, Intel Security Group employs intrusion software to simulate network breaches. Another emerging leader in this area is HackerOne, a company that helps establish bug bounty programs for major technology companies including Twitter and Snapchat. By providing hackers with big-dollar compensation to disclose security holes, bug bounty programs are shifting incentives away from selling this information on underground forums. Despite such efforts’ clear intent to bolster cybersecurity, the distinction between offensive and defensive intrusion software remains unclear as a legal and policy matter.
A major step toward formal regulation of intrusion software came from members of the Wassenaar Arrangement in December 2013. The Wassenaar Arrangement is a voluntary export control regime whose member states work to harmonize national regulation of dual-use items – those with both commercial and military applications. In December 2013, member states added intrusion software to the Arrangement’s list of dual-use items. Since then, the European Union has been the only participant to start regulating intrusion software as prescribed by Wassenaar.
On May 20, the U.S. Commerce Department’s Bureau of Industry and Security (BIS) released its own proposed rule to regulate intrusion software through Wassenaar. Yet during the public comment period on the proposal, BIS came under heavy criticism from technology companies including Intel, IBM and Google. Industry leaders feared that the proposed rule would criminalize security vulnerability research, burden companies as well as BIS regulators with thousands of export license applications, and restrict information sharing between cybersecurity firms. In response to the deluge of concerns, BIS has decided to draft a new proposal. Industry feedback is also prompting the European Union to reassess its own export controls on intrusion software.
To better target offensive software and its users, BIS should consider complementing any eventual formal rule on intrusion software with non-regulatory solutions based on constructive public-private engagement. Previous trade initiatives offer several instructive lessons to this end.
Focused stakeholder engagement, for instance, could promote constructive discussion on how to pinpoint suppliers of offensive intrusion software while supporting users of its defensive applications. Industry experts contend that technical distinctions between products are possible and warrant further examination. One effort to watch in this regard is a collaboration between the Commerce Department’s National Telecommunications and Information Administration and security researchers. Formally launched at a recent meeting on the campus of Berkeley Law, the process is meant to develop “a broad, shared understanding of the overlapping interests between security researchers and the vendors and owners of products discovered to be vulnerable, and to establish a consensus about voluntary principles to promote better collaboration.”
Voluntary “trusted trader” initiatives may provide another avenue to leverage private sector support in targeting offensive intrusion software. Although these initiatives to date have only involved trade in physical commodities, the same concept could be applied to sellers and buyers of intrusion software. The Internet and global trade routes both represent public goods, and both facilitate licit and illicit commerce alike. By rewarding legitimate suppliers in the cybersecurity industry, trusted trader initiatives could complement future regulations under the Wassenaar Arrangement.
BIS may also turn to the Cybersecurity Framework, developed by the Commerce Department’s National Institute of Standards and Technology, to clarify the distinction between offensive and defensive intrusion software. The framework emphasizes clear threat identification, provides a set of risk management standards, and more broadly represents a code of best practices for cybersecurity. Since the framework is a living document, it can be updated to reflect how offensive intrusion software is being used.
As technology continues to outpace regulation, government officials must recognize that conventional responses alone will not suffice to address emerging threats. In the current endeavor to target the offensive application of intrusion software, BIS and industry leaders must come together to identify how non-regulatory approaches can advance both technological innovation and global security.
Taylor Stenberg, a Managing Across Boundaries intern, is an International Relations student at the University of St Andrews, Scotland.
Photo credit: Defence Images via flickr