BetaNews reports about a meeting between where the US government is proposing to classify cyber security tools as weapons of war in an attempt to control the distribution of such capabilities from, well, just about anyone it does not want to have them:
Until now only when someone possessed a chemical, biological or nuclear weapon, it was considered to be a weapon of mass destruction in the eyes of the law. But we could have an interesting — and equally controversial — addition to this list soon. The Bureau of Industry and Security (BIS), an agency of the United States Department of Commerce that deals with issues involving national security and high technology has proposed tighter export rules for computer security tools — first brought up in the Wassenaar Arrangement (WA) at the Plenary meeting in December 2013. This proposal could potentially revise an international agreement aimed at controlling weapons technology as well as hinder the work of security researchers.
At the meeting, a group of 41 like-minded states discussed ways to bring cybersecurity tools under the umbrella of law, just as any other global arms trade. This includes guidelines on export rules for licensing technology and software as it crosses an international border. Currently, these tools are controlled based on their cryptographic functionality. While BIS is yet to clarify things, the new proposed rule could disallow encryption license exceptions.
The new proposal is irking security researchers, who find exporting controls on vulnerability research a regulation of the flow of information. You see, these folks need to use tools and scripts that intrude into a protected system. If the proposal becomes a law, it will force these researchers to find a new mechanism to beat the bad guys.
Some policy wonk in the United States government obviously has no practical knowledge of how the internet functions. Just because the United States may classify such tools as weapons of war will not make their acquisition difficult. The internet is global, and thus such tools will merely become available in nations without the same controls as the United States.
This is not to mention that cyber security – aka hacking – tools do not cause physical damage unlike, you know, actual weapons. Bombs, assault rifles, tanks, biological weapons, and whatnot all cause actual kinetic devastation, and can kill people. Hacking tools not so much. Even though industrial control systems may be compromised, it is doubtful their being breached can cause real harm, Stuxnet notwithstanding.
It is no surprise the US government would like to control the distribution of tools potentially capable of attacking the nation. However, this is sure to harm security research on attack techniques, which ultimately leads to new and unique defense mechanisms. We need the ability to conduct cyber security research inside the US, so shoring up these tools will surely have disastrous effects on academia and cyber defense research in general.