How a cyber ‘safeguard’ is harming U.S. defenses

(Cyberwar.news) A U.S. lawmaker representing Virginia’s high-technology corridor is pressing for changes to an international arms control agreement because its cyber-related provisions are having a negative impact on U.S. defenses.

As reported by Defense One, the agreement, which was struck in 2013, bans multinational corporations and cyber vendors from relaying information regarding “intrusion software” across national boundaries without first getting a license.

When the Obama administration proposed a rule to put the agreement in force in May 2015, federal officials fielded hundreds of public comments, most of them critical of the plan.

Critics said a major flaw is that the rule restricts the transfer of technical data regarding intrusion software, which is vital to ensuring that potential targets are protected from future infections. As Defense One reported further:

No information security firms were consulted on the addition of spyware to the so-called Wassenaar Arrangement, a multilateral 41-country forum founded in 1995 to regulate the transfer of conventional weapons and dual-use goods like certain lasers and supercomputers.

“There were none that were sitting on the advisory groups” that the U.S. Dept. of Commerce used to assist the State Department in reaching an international consensus on the control of hacking tools, according to testimony given to lawmakers last week by Cheri Flynn McGuire, the vice president of global government affairs and cybersecurity policy for Symantec.

She, along with other leaders from the tech industry and Rep. Gerry Connolly, D-Va., urged renegotiation of the agreement during a joint hearing of the House Homeland Security and Oversight and Government Reform committees. The Homeland Security cyber czar even noted that, without question, the agreement ought to be revisited.

Initially the U.S. and signatories to the agreement intended to stop authoritarian regimes from hacking into political opponents’ electronic communications using intrusion software. But unbeknownst to U.S. negotiators at State and Commerce, American information security providers have good reason to have access to such code. They say it’s not possible to protect government and industry IT systems against malware without analyzing it and then essentially hacking into systems to see how such malicious code affects machines.

Those techniques, which are legal, are called “exploit” or vulnerability research and “penetration testing,” Defense One noted.

DHS deputy undersecretary for cybersecurity and communications Phyllis Schneck said that if tech firms say the licensing process for exporting malicious code data can take weeks, then there are problems with the hacking tool restrictions.

“The best cybersecurity protection we can provide is to understand,” as fast as can be, “what’s happening and make sure that when a cyber actor tries to execute their instruction on a machine they don’t own, that machine knows a) not to execute it or b) that it’s happening, so it can tell everybody else about it and not sustain an injury,” she said.

“The ability or the thought that that would get delayed in any of the ways mentioned today is detrimental to our cybersecurity,” she added.

Proposals to change the current rules under the agreement are due in March and will be debated throughout the year, with a final decision made in December, Defense One reported.

See also:

Defense One
