12 June 2015
The Internet Architecture Board is deeply sympathetic with the desire to enhance the security of Internet protocols, infrastructure, and Internet-connected systems. We believe, however, that efforts to enhance Internet security must proceed from a thorough knowledge of the threats against the network, its protocols, and the systems attached to it. Efforts to limit the export or transfer of Internet security technologies seem likely to limit that knowledge in ways that ultimately will frustrate the general goal of a secure and stable Internet.
The identification of vulnerabilities is a fundamental part of security practice. Restrictions on the systems that perform that function will make it substantially more difficult for those who do this work to design and deploy secure systems.
Traffic analysis systems, though they may be used in other ways, are a similarly crucial part of the methods used to identify attacks and to analyze the success of remediations put in place. The Internet is a deeply interconnected set of networks that spans international borders, and attacks may occur in one part of the Internet that have extensive ramifications for the operation of the whole. Limiting traffic analysis technologies to specific territories seems likely to hinder efforts to detect and thwart both active threats and other network issues.
We note that in 1996 the IAB and Internet Engineering Steering Group (IESG) jointly published RFC 1984, with the following comments on a similar matter, the export of encryption technology:
Export controls on encryption place companies in that country at a competitive disadvantage. Their competitors from countries without export restrictions can sell systems whose only design constraint is being secure, and easy to use.
Usage controls on encryption will also place companies in that country at a competitive disadvantage because these companies cannot securely and easily engage in electronic commerce.
Export controls and usage controls are slowing the deployment of security at the same time as the Internet is exponentially increasing in size and attackers are increasing in sophistication. This puts users in a dangerous position as they are forced to rely on insecure electronic communication.
We believe the same points to be fundamentally true for the export of traffic analysis, penetration testing, and similar security technologies.
While it may appear possible to narrowly circumscribe restrictions so that they target only technologies that serve no possible purpose but attack, any modular system, including those intended solely for research, will likely have some elements that, divorced from the system, would serve no other purpose. Efforts to target such systems will thus likely sweep up many other security technologies. We therefore recommend that export restrictions on security technologies be generally avoided.