The U.S. Senate Wants to Control Malware Like it's a Missile
June 27, 2013
The Senate Armed Services Committee wants to get control of those pesky cyber weapons that are available for purchase by just about anyone by establishing an arms control regime along the lines of what’s done for missiles, tanks, and fighter jets.
The powerful congressional panel is looking for the President to "develop policy to control the proliferation of cyber weapons through unilateral and cooperative export controls, law enforcement activities, financial means, diplomatic engagement, and other means," according to the committee’s report on the 2014 defense budget bill.
"The approaches developed must also take into account the needs of legitimate cybersecurity professionals to mitigate vulnerabilities, and not stifle innovation in tools and technology that are necessary for national security and the cybersecurity of the Nation," the report goes on to say.
Everyone is concerned by the ever-growing online market for cyber weapons, from the Russians to some of the most senior officials working cyber in the Pentagon (even as the NSA and U.S. Cyber Command are accused of driving this market by purchasing these weapons). However, the last time the U.S. tried to control sales of a critical class of software, it failed.
In the post-World War II era, the U.S. government held strict control over who could sell and purchase American-made encryption technology. However, by the end of the 20th Century, the Web was taking off as a business domain. After years of prodding from the tech community — and after the growth of crypto freeware like Pretty Good Privacy — the government slowly realized that it couldn’t ban serious encryption technology from widespread use without doing significant harm to the budding field of e-commerce. (Crypto is what helps keep your bank details from being stolen when you buy that flight to Europe on Kayak.)
Also in the late 1990s, a federal court determined that restricting crypto software distribution would infringe on First Amendment rights since it deemed source code to be free speech. All of this led to the government greatly relaxing export restrictions on cryptography technology and removing it from the list of military weapons that must be approved by the State Department before they can be sold abroad.
Which makes these suggested curbs on "intercept and penetration testing" software all the more curious.
"This is totally unworkable, the U.S. tried it in the 1990’s [with crypto] and it backfired," said Jim Lewis of the Center for Strategic and International Studies today when Killer Apps asked him about the Senate’s proposal. "Another effort to apply old ideas to new problems; that rarely works."
The Senate panel’s move was likely influenced by Director of National Intelligence James Clapper, who in March testimony discussed the growing market for malware.
"Cybercriminals… are selling tools, via a growing black market, that might enable access to critical infrastructure systems or get into the hands of state and non-state actors. In addition, a handful of commercial companies sell computer intrusion kits on the open market. These hardware and software packages can give governments and cybercriminals the capability to steal, manipulate, or delete information on targeted systems," he said. "Even more companies develop and sell professional-quality technologies to support cyber operations — often branding these tools as lawful-intercept or defensive security research products. Foreign governments already use some of these tools to target US systems."
The committee’s provision would require the President "to determine the types of malicious software that can and should be controlled through existing export control schemes." The panel also wants a consideration of how to handle "dual-use, lawful intercept, and penetration testing technologies. After determining which types of cyber technologies should be controlled the process should identify the intelligence, law enforcement, and financial tools that can be applied to control and contain their development, proliferation, and use."
It will be interesting to see how on Earth the U.S. government will be able to effectively police the global market of any type of digital tool, even malware, when it considers source code to be free speech.
Right now, the U.S. government is trying to work with governments around the globe to establish rules of the road for cyber conflict that are based on the law of armed conflict and international human rights law. This effort has been stymied by governments such as China and Russia that want these rules to allow governments to dictate who does and says what online — something U.S. officials say is a "nonstarter."
"There are other countries, the Chinese and Russians in particular, that don’t think the law of armed conflict is the best framework to view these things through and they focus much more heavily on control of information than they do on the security of crucial infrastructure or preventing the destruction of networks," Eric Rosenbach, deputy assistant secretary of defense for cyber policy, told Killer Apps last fall.
"To say that your model of an international law for cybersecurity is based on controlling media content or what people can say about the government isn’t something we’re interested in at all," he said.
Unless this Senate provision passes. Then the U.S. government will be very much in the business of controlling media content and restricting software — which the courts have already said is tantamount to violating the right of free speech.
"China’s view is, there are no rules of the road in cyber," when it comes to stealing intellectual property online, said Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, during a speech at the Brookings Institution in Washington this morning.
But sometimes, a wrong-headed rule is worse than no rule at all.