Hacking Team Leak Could Lead to Policies Curtailing Security Research
Already, the signatories of the Wassenaar Arrangement—an international accord by which developed countries control weapons and dual-use technology—have sought to add software exploits to the list of banned weapons. Over the past few months, a request for public comment on the latest proposed changes to Wassenaar spurred debate in the United States. Google, for example, told U.S. officials that the current vague rule could make security research fraught with legal peril. "We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community," Neil Martin, Export Compliance Counsel for Google, said in a statement on July 20. "It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure." While the Wassenaar Arrangement should likely be modified to rein in the unrestricted trade in exploit code, the treaty needs to keep any such restrictions extremely narrow, Netragard's Desautels said.
Dealing with fast-changing political alliances is also very difficult. Leaked emails show that Hacking Team, for example, did sell surveillance software to countries considered to have poor human-rights records, such as Ethiopia, Sudan and Russia. Yet, the company has argued that it has rejected business from other countries who intended to use the software for purposes other than fighting crime, and if a current client misused the technology, it ended its business relationship. "Ignored is the fact that, as the company's thinking about public policy developed and as situations changed in these three countries, Hacking Team of its own volition ended these business relationships," David Vincenzetti, CEO of Hacking Team, stated in a letter published in the International Business Times.
Any regulations controlling exploit sales need to take into account the ever-changing political climate, Malwarebytes' McNeil agreed. "It would be a large task to place on a company beforehand to say, 'Okay, it is your responsibility to ensure that the country you are selling this to is not going to use it for nefarious reasons,'" he said.
What will be least impacted is nations' ability to spy on or monitor criminals and other targets, researchers said. While Hacking Team has argued that criminals and terrorists gain breathing room because of the breach, security researchers believe that legitimate law enforcement groups and intelligence agencies will quickly find new products to help them retain their ability to spy on targets and investigate criminals. "While the exposure of Hacking Team will temporarily disrupt the surveillance operations of their customers, these customers will find new sources for exploits and malware," Bugcrowd's Price said. "If Hacking Team ceases to exist, the employees will find new jobs doing the same work for the same customers."
"The Wassenaar treaty is too broad and far-reaching, and effectively makes it impossible to own a zero-day and disclose a zero-day," he said. "You are going to disarm legitimate researchers and you are going to prevent them from doing that legitimate research, but you are not going to impact the bad guys."