Infosec pros hit back over new UK software export controls

The British government has published a set of guidelines for exporters on controls for intrusion software, drawing the ire of security researchers who fear the new regulations will hinder their work.

In its latest notice [pdf], the UK Export Control Organisation (ECO) said the controls were agreed by countries in the multilateral Wassenaar Arrangement - which seeks to limit arms proliferation - in December 2013 and implemented in the European Union a year later.

ECO said the controls for intrusion software were introduced “because of real concerns about the use of such tools to breach human rights and the risk they pose to national security".

However, the government organisation said the intention of the export controls was not to prevent export of software or hardware for commercial applications or law enforcement purposes.

Nor was the government seeking to inhibit security research or information sharing in that field, ECO said.

Unlike the United States equivalent, the British government has made an exemption for mass-market software in its set of export controls.

Even so, the requirement to obtain export licenses will create problems for security penetration testers, Tom Cross, chief technology officer of security startup Drawbridge Network told iTnews.

“They [ECO] state explicitly that they control pen-testing tools that don’t meet the definition of ‘mass-market’ and they prohibit transfer of these inside of an international company, without a license,” Cross said.

Security researchers are also likely to fall prey to the new rules, he said.

“Vulnerability research and malware analysis is controlled if it explains how countermeasures are defeated and externally provided instructions are executed,” Cross said.

ECO said such “execution of external instructions” would only likely be exempt from controls “if instead the only outcome described was to launch a calculator process”.

Cross said the regulators lacked understanding that anything that starts up “calc.exe” (the built-in Windows calculator app) is equivalent to executing externally provided instructions, and that there was no clear line between that situation and malicious shell codes.

Anti-virus companies could also be hampered by the regulations, Cross said.

"These regulations also create problems for anti-virus companies, as they insert government regulators into the process of sharing malware samples across borders, slowing that process down and making it more burdensome,” he said.

ECO aims to process export license applications within 20 days in most cases, and 99 percent within 60 days. This, Cross said, is much too slow in today’s threat environment, with zero-day vulnerabilities appearing every week.

"Introducing bureaucratic delays into work that people are doing to inform software vendors about security vulnerabilities and attack activity just opens the window wider for the bad guys,” Cross aid.

The notes on intrusion software export controls are not legally binding, and ECO advised exporters to seek legal advice on the information.

Export licensing requirements for intrusion software, exploits and malware samples have been roundly criticised by global companies such as internet giant Google and security vendor Symantec as having the opposite effect of what's intended.

They are also seen as stymying security research. In July this year, a British researcher withheld details of the exploits used in his academic paper for fear of violating the Wassenaar Arrangement regulations.