The Department of Commerce has released a new rule that further restricts the sale and export of hacking surveillance tools to repressive governments and geopolitical foes with records of humans-rights abuse.
An interim regulation released by the department’s Bureau of Industry and Security Tuesday creates a new category – called License Exception Authorized Cybersecurity Exports – that would be required to export, reexport or transfer commercial hacking and surveillance tools “to countries of national security or weapons of mass destruction concern” as well as countries subject to a U.S. arms embargo. It would also impose end-use restrictions on the sale or transfer of such tools if an entity “knows or has reason to know at the time…that the ‘cybersecurity item’ will be used to affect the confidentiality, integrity or availability of information or information systems, without authorization by the owner, operator or administrator of the information system.”
The rule makes exceptions for exchanges of technology for the purposes of vulnerability disclosure, cyber incident response or basic software patching.
In a statement, Secretary of Commerce Gina Raimondo said the rule would help restrict the sale and use of commercial spyware by repressive governments.
“The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights,” said Raimondo.
The broad contours of the restrictions were part of a years-long effort to include restrictions on hacking tools in the 2013 Wassenaar arms control agreement, but the past year has injected new urgency to put the rules in place as cybersecurity researchers and human rights groups have repeatedly found evidence of commercial mobile hacking tools– most notably Pegasus software sold by Israeli-based NSO Group – on the phones of journalists, politicians and activists around the world.
Pegasus and its ability to compromise a phone without clicking or input from the user is thought to be in a class of its own, but the growing normalization of the industry has some worried about the future. Aaron Cockerill, chief strategy officer at Lookout, a cybersecurity firm that helped analyze one of the first Pegasus iOS samples in 2016, told SC Media that the practices and capabilities of NSO Group are slowly being absorbed by other vendors to make their products more effective.
“Every day, the research teams at Lookout observe advanced techniques used by the likes of the NSO Group,” said Cockerill. “There has been a trend where these techniques are being adopted more frequently by consumer-grade surveillanceware and spyware vendors. This could put very powerful surveillance tools in almost anyone's hands.”
While companies like NSO Group say they only sell their spyware to governments, the ease at which their software can clandestinely compromise the personal communications of individuals or organizations makes it impossible to determine how widely used they are. After the news broke John-Scott Railton, a senior researcher at the non-profit Citizen Lab who has exposed numerous hacking campaigns carried out using Pegasus, questioned whether the new rules would still allow for the sale of commercial spyware to foreign governments who have spotty human rights records but good relations with the U.S.
"To watch: the US has close allies in Gulf that are notorious abusers of hacking tools. Will the actual license-granting process turn away sales to these serial offenders?" he asked on Twitter.
You can find the full draft rule here. The new regulation will take effect in 90 days, and the public has 45 days to submit comments.