The U.S. Commerce Department has proposed tighter export rules for computer security tools, a potentially controversial revision to an international agreement aimed at controlling weapons technology.
On Wednesday, the department published a proposal in the Federal Register and opened a two-month comment period.
The changes are proposed to the Wassenaar Arrangement, an international agreement reached in 1995, aimed at limiting the spread of “dual use” technologies that could be used for harm.
Forty-one countries participate in the Wassenaar Arrangement, and lists of controlled items are revised annually.
The Commerce Department’s Bureau of Industry and Security (BIS) is proposing requiring a license in order to export certain cybersecurity tools used for penetrating systems and analyzing network communications.
Another great example of the state making the same mistake, only harder. Restricting the export of strong cryptographic tools put everybody at risk of attack and an export restriction against penetration testing tools would put everybody at risk of missing basic vulnerabilities in their networks.
Penetration testing tools, like any technology, can be used for good and bad. If you properly utilize the tools on your network you can discover vulnerabilities that are exploited by those tools and patch them. Not utilizing these tools allows an malicious actor to exploit your network using those tools. Any restriction on exporting these tools will leave networks vulnerable to them.
Why would the United States government propose implementing restrictions that put the entire world at risk? Most likely it’s because government agencies utilize penetration testing tools to exploit networks and would therefore gain considerably by making defending against them more difficult. This proposal shows just how self-centered the state really is because it’s willing to put billions of people at risk just to make its task of exploiting networks a little easier. Its narcissism is so bad that it doesn’t even care that this restriction would also make every network more vulnerable to exploitation by its enemies (if the United States can hack your network then foreign countries such as North Korea can as well).
Fortunately we learned what happens when restrictions are placed on ideas during the crypto wars. Even though the United States restricted the export of strong cryptographic algorithms the knowledge spread quickly. It’s pretty hard to restrict something that can literally be printed on a t-shirt, especially when you have a worldwide network that specializes in information sharing. If this restriction is put into place it will be entirely ineffective at everything but giving the state justification to put several very intelligent people in a cage for the crime of making our networks safer.