Washington, D.C. – Today, the Internet Association called for revisions to proposed Bureau of Industry and Security (BIS) rules that would make it more difficult for Internet companies to improve network security. In public comments submitted to the BIS, the Internet Association explains that the proposed rules, while well intentioned, should be rewritten as narrowly as possible to avoid unintended consequences for global Internet security research.
“Internet companies work tirelessly to protect their networks and end user data from outside attacks,” said Michael Beckerman, President and CEO of the Internet Association. “To that end, it is important that legal frameworks promote legitimate security research. The proposed rules will have the opposite effect, making it more difficult, not less, to fortify networks and protect end user data,” Beckerman concluded.
The comments outline how Internet Association member companies conduct security research, and raise a number of concerns with the proposed rules, including:
- There is no intra-company exemption built into the proposed rules. As a result, companies may run afoul of the rules simply by sharing software or tools that leverage exploits for testing and validation purposes within their own teams.
- The proposed rules are broad, ambiguous, and open to interpretation. Rules should be written as narrowly as possible, with the goal of minimizing their adverse impact on legitimate security research and testing.
- In areas where the proposed rules are clearer, they create a significant regulatory burden. Any organization that wants to develop tools that would be controlled under the proposed rules will need to implement new or updated export control processes, which will incur additional costs and increase time to market. In addition, the proposed rules create complex hurdles for individual researchers who might otherwise be able to make a meaningful impact on overall security.
The comments also recommend steps to bring the proposed rules in line with the harm Internet companies believe they are meant to target, including:
- Introduce an intra-company exception.
- Focus on exfiltration and the use of cybersecurity items for unauthorized activities, not the items’ technical capabilities.
- Maximize clarity around acceptable uses that do not require a license.