US clamps down on zero-day exploits, says sales should require an export license

A new proposal by the US Commerce Department aims to control zero-day exploits like any other weapon of war.

The US Commerce Department has proposed that anyone who sells zero-day exploits internationally must have a license.

The proposal, published on Wednesday, would apply new restrictions to the export of "intrusion software", treating it like other so-called "dual use" items that can be used as weapons.

The US, along with 40 other member nations of the Wassenaar Agreement, added intrusion software to the list of controlled items in 2013 in an effort to prevent the proliferation of cyber weapons, in particular undisclosed flaws in software known as 'zero days'.


Under the US proposal, firms and researchers would need a license to export intrusion software and IP network surveillance systems; the department also wants to know whether hypervisors, debuggers, and software for reverse engineering should be restricted as well.

Export applications will be treated favourably if the goods are being sold to governments in Australia, Canada, New Zealand, and the United Kingdom.

Also, the proposal notes that "there is a policy of presumptive denial for items that have or support rootkit or zero-day exploit capabilities".

Chaouki Bekrar, CEO of Vupen, a well-known zero-day researcher, said on Twitter this will make it "hell" for researchers and exporters in the US.

Vupen, based in France, announced on its website earlier this year that, because of the Wassenaar Agreement, it would limit sales of zero-day exploits to approved countries.

Some researchers believe the proposed regulation will be damaging to the security industry.

"Some form of licensing or regulation is useful. But the form of regulation being proposed is potentially very damaging to the security industry as a whole... It's flat out stupid," Adriel Desautels, chief executive of penetration testing firm Netragard, told Reuters.

But Alan Woodward, British security expert and professor at the University of Surrey, says the regulations overall are unlikely to harm the security industry.

"The purpose of the agreement is controlling offensive weapons. If you take the analogy of guns and bullets, bombs and missiles, it certainly hasn't stopped research in those, has it? It's just controlled the export of them," Woodward told ZDNet.

Woodward also agreed with the Commerce Department's tougher treatment of zero-day exploits.

"[It's saying] any zero day is presumed to be an attack vehicle until proven otherwise. The whole point about a zero day is that it can be exploited by hackers. And if I kept it secret and sold it, it can be used as a weapon. Zero days are offensive," he said.

"Selling a zero day in secret gives someone an advantage. It's the complete opposite to full disclosure, which I think most people in the security industry would prefer."

The only way the regulation could be construed as harming the security industry would be if it prevented researchers from publishing information about security flaws, he said.
