
Regulating Zero-Day Exploits Is a Really Bad Idea


The United States is seeking to regulate the export of software containing zero-day exploits with the intent of preventing the sale of surveillance software to repressive regimes. However, the proposed regulations are too broad, and they would create far more problems than they would solve.

But first, let me step back, and provide a little background.

In the summer of 2015, the Bureau of Industry and Security (BIS)—a sub-department of the Department of Commerce—proposed new export regulations that included provisions subjecting zero-day software exploits to license before they were to be exported. The proposed regulations were BIS’s attempt to implement the added provisions to the Wassenaar Arrangement (WA) in 2013. The WA nations were embarrassed by revelations that surveillance solutions made in their countries were used in Egypt, Bahrain, Uganda and other nations by their governments to spy on their political opposition and dissidents. The solutions used zero-day exploits to load software modules on targets’ computers for surveillance tracking.

If this were the only use of zero-day software, or if the only uses for zero-day software were nefarious in nature, then this would be an adequate solution. However, this is not the case.

For example, many security pros know that penetration testing is included in the “technical” portion of the administrative, technical and physical safeguards mandated by the Gramm-Leach-Bliley Act. It may be less apparent, however, that comprehensive software frameworks used in penetration testing incorporate zero-day exploit payloads as a part of testing. Network defenders need to be able to experience real-world attacks to understand how their systems will respond and to shore up any deficiencies in their defensive posture. Without such exploits, network defenders are reduced to guessing.

This is a frightening proposition.

Plus, software vendors—so as to avoid a zero-day fueled, high-profile data breach—rely on reports from security researchers as part of their vulnerability detection and remediation for their code. It can be hard to assess whether the bug report is for something trivial or whether the flaw is catastrophic. To help prioritize, the bug submissions to the software vendor nearly always include a compiled exploit to prove the capability of the flaw. As a result, restricting the ability to submit proof-of-concept code to a software vendor makes it far less likely the researcher will submit the bug to the company and far more likely the researcher might sell the vulnerability to those who would use it for ill.

It cannot be overstated that adding friction to vulnerability reporting is a really bad idea.

An unaddressed flaw in commonly used software can be an easy entry point for an attacker, and nobody wants to activate their breach-response plan because of a vulnerability in software that could have been easily addressed.

While the proposed BIS regulations presumptively deny an export license for software containing zero-day capability, it is still possible to submit the software to BIS for a license. As part of the licensing process, the zero-day would be sent to Fort Meade for review. This process could be lengthy, and the NSA is open about its acquisition and use of zero-day exploits for its own surveillance capability.

This runs counter to the original purpose of preventing surveillance by governments.

With the recent attention back on terror after the Paris attacks, privacy advocates can debate the merits of bestowing more capability on the governmental surveillance apparatus. What is clear is that the delays in reporting the flaw to the manufacturer imposed by the licensing process would mean that security flaws would remain unremediated for as long as the government was using the exploit.

After receiving feedback on its proposal, BIS is drafting a new proposal for review. Privacy advocates should keep an eye out for the new proposal and keep in mind the unintended consequences of regulating zero-day software. The goal of preventing software from being used by repressive regimes to spy on their people is laudable, but the proposed regulation affects far more than its apparent intent. The new proposal should be far more narrowly tailored to meet its objectives—not just a blanket regulation of zero-days.

We’ll all be safer for it.

photo credit: Computer Circuit Board via photopin (license)
