US backpedals on plan to regulate hacking software

Sponsored Links

US backpedals on plan to regulate hacking software

After a huge outcry from the security community, the US government will re-write proposed regulations on software used to hack smartphones and computers, according to Reuters. The Department of Commerce wants to heavily restrict the development and testing of exploits, zero-days and other intrusion software, which sounds like a good thing on the face of it. However, security professionals discovered that it would've severely limited, and possibly even criminalized, research into surveillance software. That might have made internet security worse than ever by keeping such exploits confined to the black market.

The use of exploit software by governments exploded into prominence with news of a security breach of the Hacking Team. That outfit, which has supplied zero-day exploits to oppressive regimes like Sudan, was itself hacked, with the intruders stealing up to 400GB of data. That included virtually all the source code for its products and exploits, including zero-day attacks on software like Windows and Adobe Flash. Those vulnerabilities in turn forced companies like Microsoft to scramble to produce software patches.

Turn on browser notifications to receive breaking news alerts from Engadget
You can disable notifications at any time in your settings menu.
Not now

The US Commerce Department stepped in around the same time with its proposed new legislation. Those rules will eventually form America's commitment to the 41-nation Wassenaar Arrangement designed to curb "weaponized" software. As security journalist Violet Blue reported earlier for Engadget, it's not just that the government got the rules wrong, they also don't seem to know what they were doing. "(Its) attempts to regulate are based on poor definitions such as 'intrusion software' and on jargon such as 'zero-days' and 'rootkits," said security expert Sergey Bratus.

The government gave interested parties until July 20th to comment, and companies like Black Hat and Google gave it an earful. Google called the rules "dangerously broad and vague," while Black Hat said they could "significantly restrict and/or eliminate the depth and types of research curated by many members of our security community, especially those that collaborate internationally."

G7 Leaders Meet For Summit At Schloss Elmau
President Obama recently called for stronger American cybersecurity

The Commerce Department told Reuters that "all comments will be carefully reviewed and distilled, and the authorities will determine how the regulations should be changed," a process it said could take months. It added that "a second iteration of this regulation will be promulgated, and you can infer from that that the first one will be withdrawn." From that, it's clear that the avalanche of complaints during the comment period had the intended effect. As Blue told us, "we're only nine days past the closing of the comment period, so it's kind of amazing to see (the US government) move so fast."

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Popular on Engadget