Feds say 'Oops!' in anti-hacking deal

An update to an international accord potentially opens everyone to attacks, something the US government didn't figure out until after it was signed.

Laura Hautala Former Senior Writer
To fight hackers and oppressive rulers, the US government updated a deal with 40 countries last May to keep dangerous software from moving from one nation to another. The arrangement is designed to keep viruses and spyware from spreading by requiring businesses to obtain a license to access such software from across borders.

It makes sense: Keep tools for everything from identity theft to spying on political dissidents out of the hands of organized-crime rings and despots. For example, companies such as the recently shamed Hacking Team in Italy would be prevented from secretly selling spy software to countries with documented human-rights abuses like Ethiopia and Sudan.

It turns out that there's an unintended side effect, though. The update also keeps cybersecurity researchers from doing their jobs.

An international cybersecurity agreement makes it harder for security researchers to do their jobs.

The conflict came to a head at a congressional hearing in Washington, DC, earlier this month when US representatives pointedly asked the federal agencies tasked with implementing the deal, known as the Wassenaar Arrangement, how they could fix the problem. Members of Congress said the US government must find a way to implement the deal without stopping cybersecurity research.

"If we can't do that," Rep. John Ratcliffe (R-Texas) said at the January 12 hearing, "I question why as a country we are agreeing to this updated arrangement."

No one even noticed that the researchers would be left out in the cold until two months after the update was signed. It was cybersecurity experts themselves who pointed out the problem in July when the US Department of Commerce asked for feedback on the rules they wrote to implement the update.

Under the arrangement, researchers say, the government would make it significantly harder for them to pass information back and forth across borders -- also known as, y'know, working over the Internet.

"That puts nearly all this sort of research at a stalemate," said Willis McDonald, a senior threat researcher at cybersecurity company Damballa.

This isn't just theory.

Earlier this month, Damballa helped Norwegian law enforcement identify a hacker who was taking control of computers remotely and using them to access online accounts where gamers store characters and resources that can be sold for real money outside of a game. Sitting in Damballa's office in the US, researcher Loucif Kharouni accessed the malicious software used by the hacker as it sat on a Norwegian server. After Kharouni figured out who authored the software, the hacker, whom the company declined to name, was arrested in Norway.

Both the US and Norway are participants in the Wassenaar Arrangement, so under the new rules, Damballa would need to get permission in the form of an export license from the Commerce Department's Bureau of Industry and Security (BIS) to conduct this kind of research. There's no fee for the application, but it currently takes an average of more than 21 days for the bureau to process an application.

That processing time may even rise.

For example, Microsoft has estimated that it would need hundreds of thousands of export licenses per year for itself and the security research companies it partners with to continue business as usual. Like many large Internet companies, Microsoft does a lot of its own cybersecurity research but also contracts with other companies throughout the world to make sure its products are secure.

Last year, the US government issued more than 37,000 export licenses. There's no estimate for exactly how many new applications for the licenses the bureau would have to process, but Cristin Flynn Goodwin, assistant general counsel of cybersecurity at Microsoft, told Congress that it seems likely the BIS can't handle the oncoming flood of requests.

Critics say the government should just scrap the updated rules and instead spend its time investigating hackers and bad companies.

"That seems like a more direct way to go after them," said Ari Schwartz, a lawyer in Washington, DC, who until October served in the White House as the director of cybersecurity at the US National Security Council.

That's probably a pipe dream, though. By the time security experts pointed out the problem to the government, other countries had already put their rules in place. Making changes now would mean renegotiating the deal with the other 40 countries involved.

Still, Rep. Jim Langevin (D-RI), who co-signed a letter with Rep. Michael McCaul (R-Texas) lambasting the Wassenaar Arrangement, said in an interview he didn't see how the US could abide by the deal.

His solution is to go back to the drawing board in Wassenaar, Netherlands, where the idea originated.

"There might not be a way to fix it without re-negotiating it," he said.