US aims to limit zero-day sales to Five Eyes

The US Commerce Department has proposed new export controls that would treat unknown software flaws as potential weapons.

The department said it was following through on an international commitment to address the evolution of warfare to include more technology.

But some security researchers said the rules, which are subject to public comment for 60 days, would fail to curb the black market while hindering cross-border collaboration and sales of defensive products.

The regulations are broadly written and cover what are known as “zero-day” flaws, or security vulnerabilities that software vendors are not aware of.

Hackers and defense contractors often sell information about such flaws to government agencies or the maker of the software. Under the proposed changes, internal US sales could continue.

But sales of zero-day and supporting capabilities would be barred without special license outside of the United States, United Kingdom, Canada, Australia and New Zealand.

Zero-day flaws can be exploited by repressive regimes using the holes in the software for surveillance, and the document notes human rights concerns in the trade.

“I remember thinking licensing zero-day brokers is a good idea to a degree. You prevent someone in the US from selling to Iran,” said Adriel Desautels, chief executive of penetration testing firm Netragard.

“Some form of licensing or regulation is useful. But the form of regulation being proposed is potentially very damaging to the security industry as a whole...It’s flat out stupid.”

The regulations come as a follow-up to a 2013 agreement among 41 nations that some penetration software should be subject to controls alongside the likes of nuclear and chemical weapons components.

Several researchers said that the large US defense contractors, which find or pay for many software flaws and sell them to intelligence agencies, the military and law enforcement, would have no difficulty in hiring export lawyers to obtain licenses for some overseas sales.

But law-abiding mid-size and small security companies, along with independent researchers, will be much more likely to give up on selling across borders, leaving those markets to criminals.

“It could have major impacts against how we do vulnerability research and protecting our systems,” said Rand Corp expert Lillian Ablon, who has studied the zero-day markets.

“If we are restricting the ability of the white hats to fund the vulnerabilities, it’s only making it easier for the bad guys.”

Though there are exemptions for open-source software and for scientific research, if adopted the rules could have a profound impact on the legitimate markets for flaws and the tools that exploit them just as they are coming into the open and maturing.

Many more companies have recently begun paying “bug bounties” to reward researchers who find security holes in their products, instead of driving them to sell to governments or hackers.

In the future, according to Katie Moussouris, chief policy officer at HackerOne, overseas corporations might have to offer researchers both cash rewards and guidance on obtaining export licenses, simply to make their own programs more secure.