Cybersecurity tools could become easier to export as the US seeks to amend an international arms-control deal that controls their spread.
A congressman said the US wanted to renegotiate the Wassenaar Arrangement.
The deal restricts the flow of arms - including "intrusion software" - to oppressive regimes. But some have said it also covers tools that can improve cybersecurity.
The move was praised by online freedom campaigners.
The proposal to amend the deal "represents a major victory for cybersecurity here and around the world," said US congressman Jim Langevin in a statement announcing the news.
"While well-intentioned, the Wassenaar Arrangement's 'intrusion software' control was imprecisely drafted, and it has become evident that there is simply no way to interpret the plain language of the text in a way that does not sweep up a multitude of important security products."
The Electronic Frontier Foundation (EFF), which has also campaigned on the issue, agreed the deal had been reached with the best of intentions but its wording was too vague.
While the EFF was happy changes were to be considered, it remained concerned the amended arrangement would continue to have "serious chilling effects on security research".
'Dangerously vague'
Last year, the US authorities faced calls from Google to step back from restricting the flow of software as part of the 41-nation arms-control deal.
At the time, Google said the definition of "intrusion software" was "dangerously broad and vague" and included information about bugs and vulnerabilities that could be vital to protect systems.
Google's lawyer Neil Martin said the Wassenaar Arrangement would "hamper our ability to defend ourselves, our users, and make the web safer".
But the US authorities insisted it balanced computer security with foreign policy concerns.
Now, though, the US administration has said it supports making cyber-intrusion tools available overseas for legitimate cybersecurity activities.
The EFF said: "Human rights advocates have recognised that surveillance software designed and sold by companies in Western countries has been responsible for serious abuses around the world.
"We at EFF have long fought such abuses in court.
"We believe strongly that this is a fight worth having, but export controls are simply the wrong tool for the job."
Exploits
Efforts to come up with a workable US rule have highlighted the difficulty of applying the export controls restricting physical items to a virtual world that relies on the free flow of information for network security.
Many companies operate in multiple countries and routinely employ foreign nationals who test their own corporate networks across borders.
In May, the Commerce Department's Bureau of Industry and Security proposed denying the transfer of offensive tools, defined as software that uses "zero-day" exploits, or unpatched new vulnerabilities, and "rootkit" abilities that allow a person administrator-level access to a system.
But in the cyber-world, testing a network often requires determining first how to exploit it and then attempting to do so.
US government departments did not respond to requests for comment.