ExportLawBlog » Cyber Weapons

Archive for the ‘Cyber Weapons’ Category

Jan

13

BIS Still Mulling Over Cybersecurity Export Rules

Posted by Clif Burns at 11:30 pm on January 13, 2016

Untitled by Kevin Wolf via https://scontent.fash1-1.fna.fbcdn.net/hphotos-xfa1/t31.0-8/12471591_10208490792490184_1220994233873918423_o.jpg [Public Domain - Work of U.S. Government] Yesterday Kevin Wolf, the Assistant Secretary of Commerce for Export Administration, testified before the House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies on the much reviled controls in the Wassenaar Arrangements on exports on certain software and technology. His testimony provides detailed insight into the interaction between the Bureau of Industry and Security, which is charged with implementing the Wassenaar Arrangement controls, and the technology and cybersecurity industry and community which was concerned about the overbreadth of the Wassenaar controls of “intrusion” software. This blog has previously articulated some of these concerns, particularly the extent to which the Wassenaar controls on “intrusion” software could reach auto-updating software, Address Space Layout Randomization (ASLR) security measures, and hot-patch programs.

Assistant Secretary Wolf’s testimony reveals that Commerce’s concerns about the potential overbreadth of the Wassenaar controls on intrusion software led the agency to take the “unprecedented step” of releasing the controls as a proposed rule and soliciting industry comments. Such a step is “unprecedented” because normally Commerce simply adopts and adds to the CCL all changes adopted by the Wassenaar Arrangement. The result of the request for industry comment, according to the testimony, was more than 260 comments, “virtually all of them negative.” The negative reaction was echoed in outreach meetings held by Commerce with industry. Assistant Secretary’s testimony summarizes these concerns, including the concerns we have expressed about how they would reach certain auto-updating and hot-patching programs.

Most importantly, Assistant Secretary Wolf’s testimony says this:

Neither the Commerce Department nor the Administration has reached a conclusion about how to respond to the public comments. We are still reviewing and considering them. â€¦ The commenters had many suggestions regarding how to address their concerns. The Administration will be reviewing all of them and many other ideas for how to address the policyÂ objectives of the control but without unintended collateral harms. As I have said many times in response to questions about the rule, the only thing that is certain about the next step is that we will not be implementing as final the rule that was proposed.

The moral of this story is clear, even if the shape of the ultimate rule is not. The export industry, as demonstrated conclusively throughout the export control reform initiative, has been loath to comment on proposed rules, whether from fear of standing out from the crowd or because of a belief that such comments will have no effect. As a result, Assistant Secretary Wolf has been known to remark that industry gets the rules they deserve. The response of Commerce here to the issues raised in the comments and industry outreach, however, shows that there are times when public input will have an impact. So the moral of the story is simple: you may not get everything you ask for, but you’ll almost never get what you want if you don’t even ask for it.

Permalink

Comments Off

Jun

16

BIS Cybersecurity FAQs Reach the Right Result for All the Wrong Reasons

Posted by Clif Burns at 9:16 pm on June 16, 2015

Category: BIS • Cyber Weapons

Photo: Harland Quarrington/MOD [see page for license], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ACyber_Security_at_the_Min istry_of_Defence_MOD_45153616.jpg After the uproar generated by the proposed amendments to the Export Administration Regulations to implement the Wassenaar Arrangement’s rules controlling “intrusion software,” the Bureau of Industry and Security (“BIS”) tried to calm things down by issuing some FAQs on the proposed rules. Sadly, I don’t think these FAQs are as helpful as BIS apparently thinks that they might be.

To understand the difficulty here, let’s focus on the problem I discussed in this post indicating that the new controls could reach auto-updaters, like the one in Chrome, that bypass operating system protections designed to prevent installation of new software without user interaction. The FAQs now say explicitly that auto-updaters are not covered. That is a good thing, and you (that means you, Google) can take that statement to the bank.

But the reasoning that BIS uses to reach this conclusion is dicey at best. Here it is:

Does the rule capture auto-updaters and anti-virus software?

No. Software that permits automatic updates and anti-virus tools are not described in proposed ECCN 4D004. ECCN 4D004 software must be specially designed or modified for the generation, operation or delivery of, of communication with, “intrusion software,” which is separately defined. Software that automatically updates itself and anti-virus software may take steps to defeat protective countermeasures, but they are not generating, operating, delivering, or communicating with “intrusion software”.

The problem with this analysis starts with the fact that BIS admits that an auto-updater is “intrusion software.” That’s an inescapable conclusion, of course, because the auto-updaterÂ overides operating system requirements that require user interaction to install new programs and does so to modify system data by installing the new program. But, we are told by BIS, the auto-updater doesn’t generate, operate, deliver, or communicate with “intrusion software.” Well, that might make sense if the auto-updater is a cyber-version of parthenogenesis and pops into existence completely unaided. That, of course, is nonsense. Some program, either the auto-updater itself or some other lines of code in the programbeing updated have to be specially designed to operate, deliver or communicate with the auto-updater for it to work at all. And so that code, either as part of the updater or the program itself, is covered by the ECCN. In short, an auto-updater unless accompanied by a program covered by the new ECCN is useless and will not work at all.

The problem here is unavoidable because of the EAR’s broad definition of program:

A sequence of instructions to carry out a process in, or convertible into, a form executable by an electronic computer

The lines of code in Chrome that deliver the auto-updater are, without question, a sequence of instructions convertible in a form executable by a computer, i.e. a program, specially designed to deliver other lines of code to defeat operating system protections requiring user interaction before modifying system data. If Chrome is exported with those lines of code that deliver the auto-updater it needs a license; if those lines of code are stripped from Chrome, it can be exported but it will not auto-update.

Of course, BIS has made it clear that it does not think auto-updaters are covered, so I don’t think Google needs to worry about violating the law. Unfortunately, the reasoning that BIS used to reach this conclusion is nonsense.

Permalink

Comments Off

May

20

BIS Finally Releases Proposed Cybersecurity Rules

Posted by Clif Burns at 11:55 pm on May 20, 2015

Category: BIS • Cyber Weapons

Photo: Harland Quarrington/MOD [see page for license], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ACyber_Security_at_the_Min istry_of_Defence_MOD_45153616.jpg At long last, and well after the E.U. and many other members of the Wassenaar Arrangement, BIS has released proposed (but not final) rules implementing the December 2013 changes adopted by the Arrangement and which imposed export controls on “intrusion detection software” and “IP network communications surveillance” systems and equipment. After the E.U. adopted the 2013 changes in October 2014, we speculated that the delay by BIS beyond its announced September 2014 date for releasing a proposed rule was that it perhaps was struggling with the impact of Wassenaar’s overbroad definition of “intrusion detection software.” But we were wrong.

The proposed rule adopts the Wassenaar changes without clarification of the scope of coverage of intrusion detection software. Instead, the delay seems to have been wholly occasioned by housekeeping matters: specifying the reasons for control, deciding that no license exceptions would apply, and so forth. The proposed BIS rules also grapple with a rather esoteric problem: what to do with intrusion detection software with encryption functionality. And it decides that the software is classified, and must comply with, both ECCNs, which, at last, concedes something BIS long said was impossible: that an item could have two ECCNs. Finally, and I’m not joking, so I’ll quote the agency itself to prove that I’m not

[a] reference to Â§772.1 is proposed to be added to ECCNs 4A005, 4D001 and 4E001 to point to the location of the â€˜â€˜intrusion softwareâ€™â€™ definition, as this rule may be of interest to many new exporters that would not otherwise know that double quoted terms in the EAR are defined in Â§772.1.

Seriously? Now BIS starts to worry about the indecipherability of the EAR and the secret rules of interpretation that must be applied? What next? Will proposed rules start spelling out “n.e.s.”?

But, all joking aside, the problems with the definition of intrusion software remain

â€˜â€˜Softwareâ€™â€™ â€˜â€˜specially designedâ€™â€™ or modified to avoid detection by â€˜monitoring tools,â€™ or to defeat â€˜protective countermeasures,â€™ of a computer or network-capable device, and performing any of the following: (a) The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or (b) The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

The notes indicate that protective measures include “Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) or sandboxing.”

Many have pointed out this definition would cover programs that permit auto-updating without user intervention, such as, for example, the Chrome browser, which updates itself in the background and circumvents protections normally imposed by the operating system to prevent installation or modification of programs without user intercession. Address Space Layout Randomization (ASLR) loads program components into random addresses in memory as a security measure against buffer overflow attacks and yet legitimate programs that must “hot-patch” operating servers or systems must scan memory to locate the program components, thereby both extracting data and defeating ASLR. The definition of sandboxing as a protective measure will subject programs that permit rooting or jailbreaking of mobile telephones to export controls.

I don’t normally try to look into a crystal ball and make predictions about the future, but I see clearly a flood of classification requests by software developers.

Permalink

Comments Off

Apr

2

White House Fires First Salvo at Chinese Government Hacking Activities

Posted by Clif Burns at 12:47 pm on April 2, 2015

Category: China • Cyber Weapons • Economic Sanctions • OFAC

By Poa Mosyuen (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons http://commons.wikimedia.org/wiki/File:HK_%E7%9F%B3%E5%A1%98%E5%92%80%E5%B8%82%E6%94%BF%E5%A4%A7%E5%BB%88_Shek_Tong_Tsui_Municipal_Services_Building_%E9%9B%BB%E8%85%A6%E9%8D%B5%E7%9B%A4_Chinese_input_keyboard_Jan-2012.jpg Yesterday the Office of Foreign Assets Control published an executive order and accompanying FAQs under which the White House establishes the circumstances under which it will add certain persons and entities engaged in hacking computers and networks in the United States to the Specially Designated Nationals and Blocked Persons list. U.S. persons would be prohibited from engaging in any transactions with any of the designated cyberviolaters and all property of the cyberviolaters that comes into the United States or under the control of U.S. persons would required to be blocked.

Unlike most executive orders of this type, no parties have been designated yet under its authority; it is purely prospective in nature. This suggests that the order is, for the moment, mostly a diplomatic salvo and that its likely target is China. The numerous cyber attacks on the United States by China, including the recent Anthem breach, have been well documented and just as vociferously denied (in a clear methinks the lady doth protest too much” fashion) by the Chinese government.

Whether this will be effective in deterring China remains to be seen. One response by China to any future designation might be to double down and engage in cyber retaliation. Given the asymmetric nature of cyber warfare between the U.S. and China, due to the fact that the U.S. is more connected and more vulnerable than China, such retaliation cannot be discounted.

An additional point should be made on these new sanctions. I have seen some popular tech media and bloggers suggest that the sanctions might be applied to domestic hackers, even relatively benign ones doing things similar to what got Aaron Schwartz in trouble. It is important to remember, however, that the International Emergency Economic Powers Act, under which the executive order was issued, restricts the scope of the order to blocking “any property in which any foreign country or a national thereof has any interest,” thereby preventing purely domestic application of these sanctions. A domestic hacker would have to be working on behalf of a foreign country or foreign national to be designated under the new cyber sanctions.

Permalink

Comments Off

Dec

10

More Details Emerge on Multilateral Export Controls on Cybersecurity Items

Posted by Clif Burns at 8:11 pm on December 10, 2013

Category: BIS • Cyber Weapons • Wassenaar

Photo: Harland Quarrington/MOD [see page for license], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ACyber_Security_at_the_Ministry_of_Defence_MOD_45153616.jpg Last week we posted on reports that the Wassenaar Plenary was considering adding certain cybersecurity hardware and software products to the list of items that members of the WassenaarÂ Arrangement, which includes the United States, have agreed to subject to export controls. A press release today from Privacy International purports to provide details and operative language for the new controls, the first control to be on certain types of intrusion software and the second on certain types of deep packet inspection (“DPI”). Both of the proposed new controls are somewhat narrower than we first thought might be the case before we saw this language.

The controls on intrusion software originate from a U.K. proposal. It would control software designed to bypass security and detection systems in order to collect data or modify the execution of software on the targeted device:

“Software” specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’, of a computer or network capable device, and performing any of the following:
a. The extraction of data or information, from a computer or network capable device, or the modification of system or user data; or
b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

The target seems to be malware and rootkits used by government agencies to spy on its citizens, such as FinFisher software which we previously discussed here. Of course, the language is broad enough to cover exports of most malware and might give governments additional enforcement tools against domestic hackers and distributors of malware. Although I don’t believe that anti-virus software is the intended target, the language might wind up covering such software as well since it is designed to defeat the countermeasures of viruses and malware and to extract data about the malware from a computer or network.

The second new controls will target “IP network surveillance systems.” Specifically, the language, as proposed by France, is narrower than the title suggests and reads as follows:

5. A. 1. j. IP network communications surveillance systems or equipment, and specially designed components therefor, having all of the following:
1. Performing all of the following on a carrier class IP network (e.g., national grade IP backbone):
a. Analysis at the application layer (e.g., Layer 7 of Open Systems Interconnection (OSI) model (ISO/IEC 7498-1));
b. Extraction of selected metadata and application content (e.g., voice, video, messages, attachments); and
c. Indexing of extracted data; and
2. Being specially designed to carry out all of the following:
a. Execution of searches on the basis of ‘hard selectors’; and
b. Mapping of the relational network of an individual or of a group of people.

When I previously posted about possible added controls on DPI software and hardware, I noted that the “deep” in DPI could mean many things. This language clarifies that by only covering inspection at OSI Layer 7, the so-called application layer. Moreover, it only captures items that in addition to capturing the traffic contents also index that software and analyze it for relational data among individuals. The biggest ambiguity is what is meant by a “carrier class IP network,” a term likely to be defined differently by the various members of the Wassenaar arrangement.

Permalink

Comments (1)