The administration is cracking down on sales of hacking tools

Welcome to The Cybersecurity 202! After mostly missing alligators in Florida I’m intrigued to learn they’re trolling around southern Maryland. 

Below: The U.S. and Russia find common ground on cybersecurity at the U.N. and CISA supports a 24-hour turnaround for hacking alerts from critical infrastructure. 

Selling hacking tools to Russia and China will soon be tightly restricted

A Commerce Department rule being announced this morning aims to stem the global spread of commercial hacking tools, which repressive governments have used to spy on dissidents and journalists. 

The rule would bar U.S. companies from selling hacking tools to governments or companies in Russia and China and to the governments of numerous other nations without a special Commerce Department license, as my colleague Ellen Nakashima reports. It would also apply to foreign companies that sell U.S.-origin software. The rule will take effect in 90 days.

The rule has been in development for years. But it was given added urgency in recent months by revelations about widespread snooping on citizens and activists by non-democratic regimes using Pegasus spyware sold by the Israeli firm NSO Group and similar companies. 

The move could significantly curtail the global spread of spyware, which has effectively allowed authoritarian regimes to quash dissent by silencing journalists within their borders and tracking and harassing dissidents and opposition politicians even when they’re abroad. 

Technology that can be used for hacking is often used to detect and prevent hacking as well. 

U.S. cybersecurity researchers were concerned that a rule that wasn’t nuanced enough would prevent them from collaborating with overseas colleagues to make the world safer from cyberattacks. That was a big reason for the long delay.

Commerce has tried its best to thread that needle, but researchers may still be unhappy with the outcome. 

“We’re trying to walk the line between not impairing legitimate cybersecurity collaboration across borders, but trying to make sure these pieces of hardware and software technology aren’t obtained and used by repressive governments,” a senior Commerce official told Ellen, speaking on the condition of anonymity under ground rules set by the agency. 

Here’s how the rule will work.

  • U.S. companies and companies that sell U.S.-made software will have to alert Commerce’s Bureau of Industry and Security if they want to sell tools that can compromise software to certain foreign governments or to any buyer in Russia or China.
  • BIS officials will then vet the end user. They’ll decide whether to grant an export license based on whether they believe the user can be trusted to use the tools only for the stated purpose.
  • Licenses won’t be required for some non-government buyers if the tool is for cyber defense — such as “penetration testing” tools that alert users about computer system vulnerabilities that malicious hackers could exploit.
  • The rule would apply to products that don’t contain encryption because Commerce already limits the export of products containing encryption.
  • There are likely few U.S. companies that will be affected by the rule; rather, it will affect a much larger share of foreign companies that sell tools containing U.S.-origin software, the Commerce official told Ellen.

“The rationale is these are items that can be misused to abuse human rights, to track and identify dissidents or disrupt networks or communications, but they also have very legitimate cybersecurity uses,” the official told Ellen. “So what the rule does is restrict these exports to the problematic countries.”

The rule will align the United States with 42 ally nations that are part of the Wassenaar Arrangement, which limits exports of technology that can be used for military purposes, including spying and hacking. 

Most Wassenaar countries have already limited exports of hacking tools. The U.S. process was more complicated, however, because it has a much larger domestic cybersecurity industry and researcher community. 

There could be loopholes — partly because countries vary in how they implement Wassenaar controls

The controls, for example, have not led Israel to halt the export of NSO software despite ample evidence it’s used for malicious purposes. Israel is not a Wassenaar member but says that it voluntarily adopts its controls. 

China is not a Wassenaar member. Russia is. 

The public will have 45 days to comment on the rule and Commerce may make changes for an additional 45 days before it becomes final. 

U.S. and Russian officials align briefly on cybersecurity at the United Nations

The countries offered a joint resolution that touts reports from two U.N. groups that recommended cyberspace rules of the road earlier this year, according to a draft obtained by The Cybersecurity 202. The groups only split apart, however, because the geopolitical rivals couldn’t agree on a single forum to talk about cybersecurity issues. 

The resolution comes after a years-long effort to create rules and norms for how nations interact in cyberspace, but it is more significant for being co-signed by the United States and Russia than for its generally bland contents. It signals that U.S. and Russian officials haven’t abandoned efforts to find a diplomatic solution to some aspects of cyber conflict — even as they remain far apart on what many of those rules should look like. Russia also continues to violate many U.S.-backed cyber norms, such as by allowing criminal hacking gangs to operate from its territory. 

“Despite our serious differences, the United States worked with Russia in the lead up to [the United Nations General Assembly] to develop a resolution that welcomes these two reports and calls on states to be guided by them,” a State Department spokesperson told The Cybersecurity 202. 

The spokesperson added: “This resolution does not mean that we see eye to eye with Russia on all things cyber. On the contrary, the United States and Russia (not to mention China) continue to have fundamentally different visions and objectives when it comes to cyberspace.”

Things could have been worse. A previous U.N. cyber norms effort fell apart in 2017 when U.S. and Russian officials failed to reach any agreement. 

The draft resolution expresses “concern” about cyberattacks on critical infrastructure — though Russia and the United States have different definitions of what that means — and urges future efforts at cyber diplomacy.

The resolution has been co-sponsored by more than 50 countries, the State Department spokesperson said. Russia’s First Deputy Prime Minister Andrey Belousov said the agreement was “unprecedented” and called on all U.N. member states to support it.

CISA backs a 24-hour requirement for critical infrastructure companies to report hacks

The agency believes that 24 hours is the “right amount of time” for reporting breaches, CISA Executive Director Brandon Wales said. Lawmakers are still divided about what the requirements should look like, FCW’s Adam Mazmanian writes.

The 24-hour time limit has faced opposition from industry groups and some lawmakers. The groups argue that the time limit is too short to fully understand cyber incidents and could require resources that are better spent responding to the hack itself. Lawmakers have offered competing proposals with 24-hour and 72-hour requirements, though top senators appear eager to compromise on a single bill.

Wales’s comments come after weeks of uncertainty over what CISA’s position is on the incident reporting mandates. In September, CyberScoop’s Tim Starks explained that CISA Director Jen Easterly had both publicly supported and opposed the 24-hour requirement:

National Cyber Director Chris Inglis weighed in on what should happen to critical infrastructure companies that don’t implement the right cybersecurity measures, Nextgov‘s Mariam Baksh reports. “At the end of the day, if you’ve not performed well in this space, there will be consequences. There should be liability,” Inglis said.

CISA Director Jen Easterly is crowdsourcing how to implement a key priority — what should replace the agency’s famed pineapple on pizza Twitter campaign. CISA stoked Twitter fights about the fruit topping as a model for how foreign disinformation can divide Americans in the run up to the 2020 election. 

Some interesting backstory from former top CISA adviser Matt Masterson:

Iran steps up cyber war against Israel – using models (Israel National News)

Keeping the world’s focus on cyber (The Hill)

Zerodium seeking zero-days in ExpressVPN, NordVPN, and Surfshark VPN apps (The Record)

Watch out: Squid Game malware hits Google Play as hundreds of unofficial apps flood store (Forbes)

  • Homeland Security Secretary Alejandro Mayorkas and CISA Director Jen Easterly are scheduled to speak at CISA’s annual cybersecurity summit today.
  • CISA Executive Director Brandon Wales speaks at the Cyber Future Summit today at 1 p.m.
  • Bob Kolasky, who leads the DHS’s National Risk Management Center, speaks at FAIRCON21 today at 2 p.m.
  • Mayorkas is scheduled to testify before the Senate Judiciary Committee on Thursday at 10 a.m.
  • Easterly speaks at the Capital Cyber Summit on Friday at 8 a.m.
  • National Cyber Director Chris Inglis participates in an American University Washington College of Law event on Friday at 10:30 a.m.
  • House Veterans’ Affairs Committee Chairman Rep. Mark Takano (D-Calif.) discusses law enforcement algorithms at a Brookings Institution event on Oct. 25 at 3 p.m.
  • The Irish Defense Forces hosts an event on national and international cybersecurity coordination on Oct. 26 at 7:30 a.m.
  • Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) and SolarWinds President and CEO Sudhakar Ramakrishna participate in a Washington Post Live event on Oct. 26 at 10:30 a.m.
  • Inglis and Neuberger speak at a Center for Strategic and International Studies event on Oct. 26 at 2 p.m.

Maybe we can get a parmigiano reggiano vs. pecorino romano feud going. Thanks for reading. See you tomorrow.