The Senate Armed Services Committee has favorably reported S. 1197, the National Defense Authorization Act for Fiscal Year 2014. And, you will be pleased to know (or maybe not), they have slipped into the bill a proposal for new export controls, this time on software that could be characterized as “cyber weapons.”
What got the immensely tech-savvy aging Senators all whirled up on cyber weapons was, apparently, testimony they received in hearings on the bill about the Shamoon virus. Shamoon, in addition to being an excellent name for a dog, is also the name of a computer virus that struck Aramco in Saudi Arabia and rewrote or destroyed data on hard drives. No doubt the Senators were particularly vexed that one of the payloads carried by Shamoon was a picture of a burning U.S. flag which was used to overwrite some of the data.
So now section 946 of the proposed Defense Authorization Act requires the President to convene an “interagency process … to control the proliferation of cyber weapons through unilateral and cooperative export controls.” The Senate Report on the proposed legislation acknowledged that there might be some difficulty distinguishing between “cyber weapons” (bad) and “dual-use, lawful intercept, and penetration testing” technologies (good). But, hey, that’s what an interagency process is for!
Now, the million-dollar question, of course, is whether new export controls on cyber weapons would have had any impact on Shamoon. The answer, not surprisingly, is probably not. Kaspersky Lab, which dissected the virus, concluded that it was riddled with a number of “silly errors” which limited its effectiveness and that it was likely not the work of sophisticated cyber criminals but a “quick and dirty” job by “skillful amateurs.” Significantly, it was not something that the hackers acquired in the United States (or anywhere else) and exported, but home-grown, error-ridden code. The only people who are going to be bothered by section 946 and its proposed export controls will be legitimate manufacturers of network intercept, analysis and testing software.