Google: Arms Trade Amendments Could Ruin Security Research

Google has written an open letter criticising proposed US export controls that the firm says would negatively impact global cybersecurity research.

The new rules, proposed by the US Department of Commerce, relate to a multilateral export control regime called the Wassenaar Arrangement – an association that sets the rules for the export of conventional weapons and ‘dual-use’ goods and technologies, including that related to “intrusion software”.

Licensing

The proposed rules effectively mean sellers and vendors of cybersecurity software would have to obtain a licence before they can export goods to buyers. But Google thinks that this would constrain the global effort to openly learn and share security breakthroughs.

The search giant also says the proposed amendments are too vague, resulting in the possible ban in the trade of vulnerability exploits. This would potentially criminalise exporting tools from the US that are used by actual security researchers around the world who test for software flaws.

The letter, penned by Neil Martin from Google’s legal team and Tim Willis of Chrome’s security team, reads: “We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community.

“They would also hamper our ability to defend ourselves, our users, and make the web safer. It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure.”

Diligent research

Google highlights recent cybersecurity events such as Heartbleed and POODLE, events that were uncovered through “diligent research”. Without this global access to open research, Google reckons that cybersecurity do-gooders as a whole will be endangered.

Google submitted its comments on the proposed rules this week to the United States Commerce Department’s Bureau of Industry and Security (BIS). The firm’s main concerns discuss how it thinks that the new rules would require Google to request thousands of export licences, and that companies should be able to share information globally.

The open letter from Google comes at the end of a 60-day public comment period initiated by the BIS, which closed on Monday this week.

“If we have information about intrusion software, we should be able to share that with our engineers, no matter where they physically sit,” said Google.

“We acknowledge that we have a team of lawyers here to help us out, but navigating these controls shouldn’t be that complex and confusing. If BIS is going to implement the proposed controls, we recommend providing a simple, visual flowchart for everyone to easily understand when they need a license.

“We’re committed to working with BIS to make sure that both white hat security researchers’ interests and Google users’ interests are front of mind.”

Google said that it aims to “fix the scope” of the intrusion software controls at the annual meeting of the Wassenaar Arrangement members in December 2015.

Take our hacking and viruses quiz here!