U.S. aims to limit exports of undisclosed software flaws

(This story refiles the May 20 story to change "fund" to "find" in paragraph 13) By Joseph Menn SAN FRANCISCO (Reuters) - The U.S. Commerce Department proposed new export controls Wednesday that would treat unknown software flaws as potential weapons, a move aimed at reducing the security industry’s aid to rival nations. The department said it was following through on an international commitment to address the evolution of warfare to include more technology. But some security researchers said the rules, which are subject to public comment for 60 days, would fail to curb the black market while hindering cross-border collaboration and sales of defensive products. The regulations are broadly written and cover what are known as “zero-day” flaws, or security vulnerabilities that the software vendors do not know about. Hackers and defense contractors often sell information about such flaws to government agencies or the maker of the software, and internal U.S. sales could continue. But sales of zero-day and supporting capabilities would be barred without special license outside of the United States, United Kingdom, Canada, Australia and New Zealand. One way zero-day flaws can be exploited is by repressive regimes using the holes in the software for surveillance, and the document notes human rights concerns in the trade. “I remember thinking licensing zero-day brokers is a good idea to a degree. You prevent someone in the U.S. from selling to Iran,” said Adriel Desautels, chief executive of penetration testing firm Netragard Inc. “Some form of licensing or regulation is useful. But the form of regulation being proposed is potentially very damaging to the security industry as a whole...It’s flat out stupid.” The regulations come as a follow-up to a 2013 agreement among 41 nations that some penetration software should be subject to controls alongside the likes of nuclear and chemical weapons components. Several researchers said that the large U.S. defense contractors, which find or pay for many software flaws and sell them to intelligence agencies, the military and law enforcement, would have no difficulty in hiring export lawyers to obtain licenses for some overseas sales. But law-abiding mid-size and small security companies, along with independent researchers, will be much more likely to give up on selling across borders, leaving those markets to criminals. “It could have major impacts against how we do vulnerability research and protecting our systems,” said Rand Corp expert Lillian Ablon, who has studied the zero-day markets. “If we are restricting the ability of the white hats to find the vulnerabilities, it’s only making it easier for the bad guys.” Though there exemptions for open-source software and for scientific research, if adopted the rules could have a profound impact on the legitimate markets for flaws and the tools that exploit them just as they are coming into the open and maturing. Many more companies have recently begun paying “bug bounties” to reward researchers who find security holes in their products, instead of driving them to sell to governments or hackers. A handful of startups have brought new professionalism and structure to reporting-and-reward systems, making them practical even for smaller companies. In the future, said Katie Moussouris, chief policy officer at one of those venture-backed companies, HackerOne, overseas corporations might have to offer researchers both cash rewards and guidance on obtaining export licenses, simply to make their own programs more secure. (Reporting by Joseph Menn; Editing by Lisa Shumaker)