Proposed U.S. Export Controls: Implications for Zero-Day Vulnerabilities and Exploits

A year ago, U.S. policy on zero-day software flaws—vulnerabilities unknown to software vendors or users—made headlines. Now, zero-days are back in the news: on May 20, 2015, the U.S. Department of Commerce Bureau of Industry and Security (BIS) proposed changes to export regulations that seemed to restrict sale and disclosure of zero-day flaws outside the United States. The proposed rules require export licenses for “intrusion technology,” defined to include “proprietary research on vulnerabilities and exploitation of computers and network capable devices.” As such, the proposed rules state “a policy of presumptive denial for items that have or support … zero-day exploit capabilities.”

Much controversy and acrimony ensued. Civil society and security researchers worried that the rules “proposed prohibiting the sharing of vulnerability research without a license” and that such effects would chill legitimate research that keeps devices secure. In response, BIS has issued clarifications of the proposed rules, mitigating some concerns but also generating further confusion.

As background, the U.S. government issued these rules to implement 2013 changes to the Wassenaar Arrangement, an agreement among 41 states that establishes nonbinding regulations on the export of certain dual-use technologies. The Wassenaar Arrangement definition of controlled intrusion software did not explicitly include zero-day flaws, which caused some confusion. The initial text of the proposed U.S. regulations seemed to deviate from the Wassenaar definition, defining intrusion software to include zero-days.

The proposed U.S. rules mean the U.S. government will review applications for export of intrusion software on a case-by-case basis for national security and foreign policy implications, including for human rights consequences. The regulations include an automatic license exception for end-users in Canada, and applications will be reviewed favorably if the intended destination is an end-user in Australia, New Zealand, or the United Kingdom; a U.S. company or subsidiary in approved countries; or foreign commercial partners in the “Five Eyes” countries, as well as 32 others, mostly in Europe.

The recent BIS clarifications state the proposed rules would “control the command and delivery platforms” for intrusion software but “transferring or exporting exploit samples, exploit proof of concepts, or other forms of malware” would not be controlled. Privacy International has similarly emphasized that BIS officials “have stressed to Privacy International that controlling exploits is not the intention of the controls, and that the controls do not place restrictions on research into, development, or sale of exploits.” These statements of intent are difficult to reconcile with the text of the proposed rules: the text is hard to read in any way that supports these statements. If BIS truly intended disclosure and sale of exploits not to be covered, they must make significant changes to the proposed language.

The clarifications have raised further questions about if and how BIS is seeking to distinguish between zero-days produced for research and commercial zero-days produced for sale (see FAQ 4). If BIS is intending such a distinction, it could be meant to address simultaneously concerns about controlling security research and U.S. government worries about commercial zero-day exports creating problems for U.S. national security, foreign policy, and human rights interests. Controlling commercial sale of zero-days could be intended to encourage sales to take place on the U.S. white and gray zero-day markets and gather better data about exports of zero-day flaws. The move may also come in response to concerns about how other countries are or are not implementing the 2013 changes to the Wassenaar Arrangement.

The distinction between zero-days for research and zero-days for sale might be intended to protect security researchers, but researchers often report vulnerabilities for money. If BIS is intending this distinction, security researchers and smaller security companies may find it difficult to participate in compensated zero-day disclosure abroad. For example, the rules might make it difficult for a foreign software company to offer rewards to, or conduct transactions with, U.S. security researchers reporting flaws. This could potentially result in some flaws going unreported or reducing the ability of U.S. researchers and companies to compete with foreign businesses in the zero-day market. Concerns also exist that the proposed rules could drive some actors to the black market.

The proposed export controls might create concerns under the First Amendment, in the same way controls on cryptographic products did in the 1990s “crypto-wars.” Although court decisions on free speech and export controls on cryptography products were inconsistent, the decisions suggested that the government could restrict cryptography exports if the products are functional but not if they constitute an “expressive act of speech.” Zero-day vulnerabilities – information about flaws in software – may not qualify as “functional.” Zero-day exploits, new code written to take advantage of zero-day vulnerabilities, are more readily definable as functional, but such new code may also qualify as protected speech.

My forthcoming paper in I/S: A Journal of Law and Policy for the Information Society argues that unilateral export controls on zero-days are an ineffective strategy that would damage U.S. interests and not achieve intended aims. The proposed export controls ostensibly arise from a multilateral mechanism but involve U.S. government assertiveness in seeming to control some categories of zero-days in implementing the 2013 Wassenaar Arrangement changes. If this is the case, whether other Wassenaar countries follow the U.S. lead remains to be seen. If they do not, the U.S. government might be left with what is, in effect, a unilateral export control regime on zero-days.

Last, it is important to note that the proposed regulations do not address policy controversies about the U.S. government’s purchase and use of zero-days, which remains a serious concern.

The proposed rules are open for public comment until July 20, 2015.

Mailyn Fidler is a Marshall Scholar studying international relations at the University of Oxford and is a graduate of Stanford University.