> Global companies should be able to share information globally. If we have information about intrusion software, we should be able to share that with our engineers, no matter where they physically sit.
This statement goes through just as well when applied to missiles, nuclear engineering knowledge, bio-weapons knowledge, etc.
Governments have decided that they wish to use commercial entities as a proxy method for protecting the status quo. If Google wish to challenge that policy then, well, OK. But there is no reasonable argument for making a special exception for "cyber security" over other forms of security-related engineering.
The key difference between those technologies and this is that industrial production hardware (centrifuges or specialized biological equipment, etc) are needed in addition to specialized knowledge of the topic at hand. These additional requirements make export controls a lot more enforceable, and why you can, say, send regulators to the site of a nuclear engineering facility and get a reasonable answer about if they have sent nuclear materials to another country.
With infosec this would be basically impossible, since the specialized knowledge and the equipment are both non-physical and intimately entwined.
Well, if people all over the world were under a constant daily threat getting seriously ill from bio-weapons used by criminals and governments world wide (even against their own people), as is the current global situation in software security, then yes, I would very much make that same statement.
I would even argue that, especially in the case of bio-weapons, it would be a moral imperative to spread knowledge that could cure people.
Remember that (going back to the cybersecurity analogy) the criminals already have the weapons, as well as the knowledge and capability to develop completely novel weapons from scratch (they might even be better at it than the US).
For missiles the argument doesn't really hold, because knowledge of how to detect and protect oneself from missile attacks neither requires, nor strictly includes knowledge of how to actually build and use said missile.
So the two big reasonable arguments are:
- cyber attacks are already widespread, including global criminal organisations targeting civilians
- both cyber offence and cyber defence enabled by the same knowledge of cyber security
No, exploits have the unique property that the "attack" and "defence" information are mirror images of one another.
Also, deployment of nuclear and bio weapons against civilians is against international law, whereas western governments seem to have chosen to deploy offensive hacking themselves rather than attempt to get it banned internationally.
This statement goes through just as well when applied to missiles, nuclear engineering knowledge, bio-weapons knowledge, etc.
Governments have decided that they wish to use commercial entities as a proxy method for protecting the status quo. If Google wish to challenge that policy then, well, OK. But there is no reasonable argument for making a special exception for "cyber security" over other forms of security-related engineering.