
US backpedals on plan to regulate hacking software

After a huge outcry from the security community, the US government will re-write proposed regulations on software used to hack smartphones and computers, according to Reuters. The Department of Commerce wants to heavily restrict the development and testing of exploits, zero-days and other intrusion software, which sounds like a good thing on the face of it. However, security professionals discovered that it would've severely limited, and possibly even criminalized, research into surveillance software. That might have made internet security worse than ever by keeping such exploits confined to the black market.

The use of exploit software by governments exploded into prominence with news of a security breach at Hacking Team. That outfit, which has supplied zero-day exploits to oppressive regimes like Sudan, was itself hacked, with the intruders stealing up to 400GB of data. That included virtually all the source code for its products and exploits, including zero-day attacks on software like Windows and Adobe Flash. Those vulnerabilities in turn forced companies like Microsoft to scramble to produce software patches.

The US Commerce Department stepped in around the same time with its proposed new legislation. Those rules will eventually form America's commitment to the 41-nation Wassenaar Arrangement designed to curb "weaponized" software. As security journalist Violet Blue reported earlier for Engadget, it's not just that the government got the rules wrong; it also didn't seem to know what it was doing. "(Its) attempts to regulate are based on poor definitions such as 'intrusion software' and on jargon such as 'zero-days' and 'rootkits'," said security expert Sergey Bratus.

The government gave interested parties until July 20th to comment, and companies like Black Hat and Google gave it an earful. Google called the rules "dangerously broad and vague," while Black Hat said they could "significantly restrict and/or eliminate the depth and types of research curated by many members of our security community, especially those that collaborate internationally."

[Image: G7 Leaders Meet For Summit At Schloss Elmau. Caption: President Obama recently called for stronger American cybersecurity.]

The Commerce Department told Reuters that "all comments will be carefully reviewed and distilled, and the authorities will determine how the regulations should be changed," a process it said could take months. It added that "a second iteration of this regulation will be promulgated, and you can infer from that that the first one will be withdrawn." From that, it's clear that the avalanche of complaints during the comment period had the intended effect. As Blue told us, "we're only nine days past the closing of the comment period, so it's kind of amazing to see (the US government) move so fast."