U.S. government regulators are considering expanding an international arms pact that would classify zero-day exploits under the same umbrella as warplanes, helicopters and tanks. Reuters/Baz Ratner

Should international governments control the export of computer code in the same way they regulate tanks, warplanes and other traditional weapons? It’s a question that’s at the crux of the latest debate between Silicon Valley and the U.S. government, which has proposed a crackdown on the export of code that has the potential to be used as a weapon.

The Commerce Department has proposed expanding the Wassenaar Arrangement, established in 1996 and signed by 41 countries including the U.S., Russia, Japan and much of Europe, as a means of controlling conventional arms transfers over international borders. The Commerce Department would like certain categories of code to be covered by Wassenaar, but Google, Cisco and hundreds of prominent computer scientists have come out against the proposed change, saying it would slow innovation and prevent researchers from sharing their knowledge with co-workers in different countries.

The Wassenaar Arrangement requires its members to update each other about any weapons dealings they have had with nonmembers of the Arrangement. It includes disclosures on military aircraft, tanks, helicopters, warships and missiles, as well as various artillery and small arms systems.

That list could soon include any kind of “intrusion software,” a term made up by the U.S. Commerce Department’s Bureau of Industry and Security to include any software designed or modified “to avoid detection by ‘monitoring tools,’ or to defeat ‘protective countermeasures,’ of a computer or network-capable device, and performing the extraction of data or information” in order to “allow the execution of externally provided instructions.”

The expansion, proposed by the Bureau of Industry and Security in December, is motivated by a recognized need to restrict the sale of computer surveillance technology to repressive governments and roving criminal groups. But cybersecurity researchers say the actual language in the agreement is so broad that researchers would be forced to obtain licenses before sharing that threat info, becoming mired in bureaucracy when time is most sensitive. Recognized international threats like the Heartbleed and POODLE Web bugs would still exist, for example, though there would be no way to share information about how to stop them, according to online security experts at Google.

Experts are concerned that the broad language essentially classifies run-of-the-mill exploits and vulnerabilities as modern weapons of war. The dense explanation still managed to catch the research community’s attention, with dozens of high-profile researchers weighing in during the Bureau of Industry and Security’s open comment period, which ended Monday night.

The Bureau of Industry and Security did not return a request for comment.

“It’s dangerous not just for the security industry but for anybody who depends on the security industry to defend their own company,” said Chris Eng, vice president of security research at the cybersecurity company Veracode.

The U.S. Commerce Department's Wassenaar Arrangement proposal would ideally force Russian cyber adversaries to report new strains of malicious code, though few experts support the idea. Reuters/Alexei Nikolsky/RIA Novosti/Kremlin

Cybersecurity developments are traditionally the product of a kind of friendly arms race between technology companies and the researchers trying to outsmart them.

Say, for example, an Internet of Things company comes out with a new smart lock that promises to give customers more control over who can enter their home. Digital safecrackers will then deploy every possible trick against the lock, from brute force to manipulating the device’s password requirements. They then report those vulnerabilities to the manufacturer, which improves overall security by patching the holes.

“Offense and defense are so linked together,” Eng said, adding that the Wassenaar arrangement would have a chilling effect on proactive security research. “Say I’m with a bank, and I discover something and I want my team in Germany to vet through something. Technically you’d now have to get an export license, and the government also has access to this vulnerability information before they give approval. It slows everything down.”

Google agrees. The company called on the Bureau to simplify the language in the Arrangement to better define what kind of information sharing would actually be outlawed. Google also said that, if the Wassenaar Arrangement is passed in its current form, the company would be forced to request tens of thousands of licenses.

“Since Google operates in many different countries, the controls could cover our communications about software vulnerabilities, including: emails, code review systems, bug tracking systems, instant messages – even some in-person conversations,” export compliance counsel Neil Martin and hacker philanthropist Tim Willis wrote this week on Google's Online Security blog. “You should never need a license when you report a bug to get it fixed."

Even Cisco has chimed in. The company that infamously filed a lawsuit against a researcher who discovered a major security flaw in Cisco's operating system in 2005 warned Monday that the Wassenaar Arrangement will have unintended consequences.

“If implemented in its current form, the proposed rule would present significant challenges for security firms that leverage cross border teams, vulnerability research, information sharing and penetration testing tools to secure global networks, including Cisco,” the company said in its official BIS comment. “The result would be to negatively impact – rather than to improve – the state of cybersecurity.”