Coalition for Responsible Cybersecurity fights proposed export control regulations


A broad cross-section of industry announced the formation of the Coalition for Responsible Cybersecurity. The purpose of the Coalition is to prevent the Commerce Department from adopting proposed export control regulations that could severely impact U.S. cybersecurity effectiveness.

“These rules, if they were adopted as they stand today, would put the entire U.S. cybersecurity industry—and everyone who relies on that industry for protection—at risk,” said Cheri McGuire, Vice President, Global Government Affairs & Cybersecurity Policy of Symantec Corporation. “The rule as written is going to hurt cybersecurity research, slow innovation in cybersecurity technology, and put a damper on cybersecurity information sharing.”

Implementation of this rule as written would significantly weaken the technology, processes, and tools the industry uses to maintain state-of-the-art defenses against intrusions and other hacking activity. The rule would put the United States and the world at greater risk from hackers, exactly the opposite of what it seeks to accomplish.

The proposed rule, as drafted, would have four detrimental impacts on cybersecurity firms and technologies:

  • Cybersecurity research will be curtailed, as the rule hinders researchers from testing networks and sharing technical information about new vulnerabilities across borders.
  • Cybersecurity tool availability will be constrained because the rule restricts the export of cybersecurity technologies, even to subsidiaries of U.S. companies overseas.
  • Cybersecurity collaboration will be harmed, as the rule deems information to be “exported” once it is shared with non-U.S. persons, even if they work for the cybersecurity company itself here in the United States.
  • The network surveillance controls included in the rule could hinder the development of innovative perimeter security technologies. Products that include network monitoring features and pre-programmed responses, such as automatic IP blocking, may require a license before they can be sold outside the U.S. and Canada.

The Coalition for Responsible Cybersecurity represents a broad cross-section of cybersecurity professionals from U.S. companies, including Symantec, Ionic Security, FireEye, Synack, Global Velocity, WhiteHat, and others. It was formed to educate the U.S. government about the risks created by the proposed regulation.

While the rule is ostensibly aimed at companies that sell systems to create or operate “intrusion software” that hackers use to break into networks, the rule’s overbroad language sweeps in vast amounts of legitimate and beneficial cybersecurity research and self-evaluation. According to Ron Bushar, Global Director for Security Program Services at Mandiant, a FireEye Company, “the rule treats these tools as though they were weapons, but in fact they are absolutely essential for every company and government that has been targeted by attackers. Every time cybersecurity professionals are asked to do defensive testing for a business—even a U.S. business with operations in Europe or South America—they would need a license. The process involved in acquiring these unnecessary government licenses would delay cybersecurity protections for months, ensuring that U.S. cybersecurity defenses will always lag far behind the hackers.”

Information sharing, long a priority for the Obama administration, would also suffer. “More than 70% of our cybersecurity researchers are from outside the United States but we will be barred from using their expertise,” said Jay Kaplan, CEO of Synack, Inc., “and this regulation could require our researchers in the United States to get a government license just to have more than a superficial conversation about new security vulnerabilities.” No one will reasonably be able to share the details of an attack with experts who can help because virtually every group fighting hackers uses some experts from outside the country.

Worse, the rule would not stop the spread of malware or curtail illicit hacking and intrusions in any way. In fact, it would hinder research and the development of effective tools to combat attackers, which makes the proposed rule dangerous for companies and industries throughout the world. The proposed rule is based on a voluntary 41-country export control arrangement (the Wassenaar Arrangement) that was not originally intended for cybersecurity, and many countries with advanced cybersecurity industries, from Israel, Brazil, and Singapore to Russia and China, are not subject to these restrictions.

“All the rule will do is prevent U.S. companies with an international business from having good cybersecurity and stop U.S. cybersecurity companies from competing. We will be more at risk and less competitive as a nation if the Commerce Department limits U.S. cybersecurity activities in this way,” said Synack’s Kaplan.

The Coalition plans to file detailed comments with the Commerce Department. “This proposed rule is unacceptably restrictive and ambiguous, and it applies to an industry that has not been targeted in this way by export controls before. We would encourage the Department to reconsider in light of the negative consequences, however unintended, that would result from implementation of its current proposal,” said Adam Ghetti, CTO of Ionic Security Inc.