Archive for the ‘Cybersecurity’ Category


BIS Still Mulling Over Cybersecurity Export Rules


Posted by at 11:30 pm on January 13, 2016
Category: BIS, Cyber Weapons, Cybersecurity

[Image: Untitled, by Kevin Wolf, via https://scontent.fash1-1.fna.fbcdn.net/hphotos-xfa1/t31.0-8/12471591_10208490792490184_1220994233873918423_o.jpg (Public Domain - Work of U.S. Government)]

Yesterday Kevin Wolf, the Assistant Secretary of Commerce for Export Administration, testified before the House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies on the much reviled controls in the Wassenaar Arrangement on exports of certain software and technology. His testimony provides detailed insight into the interaction between the Bureau of Industry and Security, which is charged with implementing the Wassenaar Arrangement controls, and the technology and cybersecurity industry and community, which were concerned about the overbreadth of the Wassenaar controls on “intrusion” software. This blog has previously articulated some of these concerns, particularly the extent to which the Wassenaar controls on “intrusion” software could reach auto-updating software, Address Space Layout Randomization (ASLR) security measures, and hot-patch programs.

Assistant Secretary Wolf’s testimony reveals that Commerce’s concerns about the potential overbreadth of the Wassenaar controls on intrusion software led the agency to take the “unprecedented step” of releasing the controls as a proposed rule and soliciting industry comments. Such a step is “unprecedented” because normally Commerce simply adopts and adds to the CCL all changes adopted by the Wassenaar Arrangement. The result of the request for industry comment, according to the testimony, was more than 260 comments, “virtually all of them negative.” The negative reaction was echoed in outreach meetings held by Commerce with industry. Assistant Secretary Wolf’s testimony summarizes these concerns, including the concerns we have expressed about how the controls would reach certain auto-updating and hot-patching programs.

Most importantly, Assistant Secretary Wolf’s testimony says this:

Neither the Commerce Department nor the Administration has reached a conclusion about how to respond to the public comments. We are still reviewing and considering them. … The commenters had many suggestions regarding how to address their concerns. The Administration will be reviewing all of them and many other ideas for how to address the policy objectives of the control but without unintended collateral harms. As I have said many times in response to questions about the rule, the only thing that is certain about the next step is that we will not be implementing as final the rule that was proposed.

The moral of this story is clear, even if the shape of the ultimate rule is not. The export industry, as demonstrated conclusively throughout the export control reform initiative, has been loath to comment on proposed rules, whether from fear of standing out from the crowd or because of a belief that such comments will have no effect. As a result, Assistant Secretary Wolf has been known to remark that industry gets the rules they deserve. The response of Commerce here to the issues raised in the comments and industry outreach, however, shows that there are times when public input will have an impact. So the moral of the story is simple: you may not get everything you ask for, but you’ll almost never get what you want if you don’t even ask for it.


Copyright © 2016 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

The Doctor Says You’re Gonna Die, Betty [Updated]


Posted by at 8:52 pm on January 5, 2016
Category: Cybersecurity, OFAC

[Image: city lights, by frankieleon, CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0), via Flickr https://flic.kr/p/6mAPhC (cropped)]

The Office of Foreign Assets Control (“OFAC”) released on December 31 its cybersecurity regulations implementing Executive Order 13694 of April 1, 2015 (“EO 13694”), which permits the designation and blocking of individuals and companies that have engaged in “cyber-enabled activities” that threaten the “national security, foreign policy, or economic health or financial stability” of the United States. Although no designations have been made under this order in the nine months since its issuance, OFAC didn’t want to pop open any New Year’s Eve bottles of champagne without pushing these regulations out the door. Since OFAC has yet to release regulations implementing Executive Order 13685, making Crimea the most sanctioned place on the face of the planet, this rush to implement an order under which no one has been designated is a bit puzzling. Low-hanging fruit, I suppose.

The regulations are nothing more than the standard template regulations for blocking programs, with a prohibition of actions proscribed by the executive order, standard definitions, a provision implementing the 50 percent rule, and a few other basics. Three standard exceptions are provided, authorizing (1) deduction of financial institution service charges from blocked accounts; (2) provision of certain legal services; and (3) provision of unscheduled emergency medical services.

The emergency medical service exception, which appears in a number of regulations, is worthy of some further discussion. It addresses the issue of what happens in the case that a designated hacker or other blocked person is hit by a drunken cab driver and is bleeding to death on the streets. A U.S. doctor happens by. Can he stanch the bleeding? In most blocking regulations this would be a problem because the regulations prohibit providing services to a person whose property and interests in property are blocked. Section 537.201(b)(1) of the Burma Sanctions, for example, contains such a provision. That provision would, on its face, prohibit the doctor from treating a blocked Burmese former junta member who was bleeding to death before his eyes. Hence the need for some kind of exception for unscheduled emergency treatment.

The new cybersecurity sanctions regulations do not directly prohibit providing services to a person blocked under those regulations, but they do prohibit violating E.O. 13685, which itself has a provision prohibiting the provision of services to a person whose interest in property is blocked. Thus the emergency medical exception is needed so that the doctor can apply a tourniquet without risking a jail sentence. Payment for these services, if it were sought, would also be problematic without the exception, because any payments to the doctor by the bleeding victim would have to be blocked. The cybercrime regulations would, however, permit this payment.

But, but, and there’s always a but when sanctions regulations are involved, these emergency services can only be provided in the United States. If the bleeding victim is on the streets of, say, Canada, the U.S. doctor can’t perform or be paid for his services. He’d have to stand by and let the victim die. Fortunately, most doctors have bigger hearts than OFAC.

(The title of this post, by the way, refers to a naughty joke involving two famous actresses which can’t be repeated on a family-oriented blog such as this but which I hope some of you may have heard before. . . )


Glass Houses, Stones and Cybersecurity


Posted by and at 1:34 pm on August 30, 2015
Category: Cybersecurity, Technical Data Export, Technology Exports

[Image: Chinese Army Hackers]

Recently, the Department of Defense issued an interim rule that would impose on DOD contractors and subcontractors a contractual duty to provide “adequate security” from “unauthorized access and disclosure” for a broad array of unclassified information. Additionally, the interim rule requires DOD contractors and subcontractors to report within 72 hours directly to the appropriate DOD office a “cyber incident” or “malicious software.” A “cyber incident” is defined as an action on a computer network that compromises the network or has an “actual or potentially adverse effect” on the information on the network. Finally, the rule requires contractors to make available “media (or access to covered contractor information systems and equipment)” upon request.

The interim rule, which is immediately effective, applies to all contractors and subcontractors with “covered defense information transiting their information systems.” The “covered defense information” to be safeguarded is extremely broad. It includes information provided to the contractor by or on behalf of DOD in connection with performance of the contract, or “critical” or “controlled information stored by or on behalf of the contractor in support of the performance of the contract.”

Of particular emphasis for readers of this blog, “covered defense information” also includes export controlled information, including “items identified in export administration regulations and munitions list,” license applications, and “sensitive nuclear technology information.” Beyond these obvious items, the covered export controlled information includes things not covered by existing export control regimes but “whose [sic] export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives.” We have no idea on earth what this could possibly mean or how any contractor can figure out what information, not covered by the EAR or the ITAR, actually fits in this category.

DOD recognizes that such cyber incident reports or other information provided to DOD under this interim rule may include a contractor’s proprietary information, including personal information relating to its employees. In response, DOD states “the government shall protect against the unauthorized use or release” of such information. Does anyone else see the tremendous irony here? The United States government, which has been hacked left and right by the Chinese, the Russians and others, promises to protect the information. To add to the irony, the new rule only applies to unclassified information, which is precisely the type of information the USG has been unable to protect on its own.

Rest assured that anything that you provide to the DOD will be read almost immediately by the Red Army in China. Perhaps the U.S. Government should get its own cybersecurity house in order before it starts preaching to private industry.


Copyright © 2015 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)