A letter signed by over a quarter of the House of Representatives and sent Wednesday to National Security Adviser Susan Rice called on the White House to revise the U.S. implementation of export controls on cybersecurity intrusion software.

The letter’s authors, House Cybersecurity Caucus Co-Chairs Jim Langevin (D-R.I.) and House Homeland Security Committee Chairman Michael McCaul (R-Texas), say that although the export of sophisticated hacking techniques to criminal organizations or repressive regimes is a legitimate concern, they fear a new export control rule will impair security efforts by being too broad.

Rep. Jim Langevin (D-R.I.), co-chairman of the Cyber Security Caucus.

The Commerce Department’s Bureau of Industry and Security (BIS) issued a proposed rule on May 20 to govern the export of intrusion software and solicited public comments from interested parties. The rule was in line with the addition of intrusion software as a category in the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. Wassenaar is a multilateral export control regime established in 1996 to contribute to international security and stability by promoting responsibility and transparency in arms and dual-use technology transfers (Defense Daily, July 22).

During the department’s comment period, several legislators, including Langevin and McCaul, wrote a comment arguing the proposed rule was too broad and could negatively affect the use of products intended to research how to deal with cybersecurity intrusion.

With such a broad original definition, “any implementation must either greatly narrow the range of affected technologies; if that proves unfeasible, the language of the Arrangement itself may need to be renegotiated,” the letter said.

Langevin and McCaul add that the Commerce Department’s proposed solution, attempting to separate offensive and defensive cyber tools, is misguided because defenders need access to software exploits to test their networks.

“This artificial distinction, combined with the lack of a waiver of deemed export rules, could have a chilling effect on research, slowing the discovery and disclosure of vulnerabilities and impeding our nation’s cybersecurity,” the letter said.

“The proposed BIS rule would have dramatically reduced our ability to defend our nation’s networks – hindering companies’ abilities to acquire and utilize new security technologies as well as impeding vulnerability disclosure and information sharing – while only marginally reducing malicious actors’ abilities to use hacking tools.”

Rep. Michael McCaul (R-Texas), chairman of the House Homeland Security Committee and co-chair of the House Cybersecurity Caucus. Photo: U.S. House of Representatives.

The authors now seek administration intervention on the issue. The representatives note that BIS has been very accommodating to stakeholders, so clear advice from the Executive Office of the President should help BIS and the State Department put the newest comments into context. They request that Rice take an active role in collaborating with BIS and the State Department to reevaluate the 2013 Wassenaar additions.

“Your guidance will help them conform to the United States’ broader cybersecurity strategy and holistically evaluate the net effects on national security. Furthermore, your involvement will help resolve the uncertainty facing businesses as they await resolution of what has already been an overlong process,” the letter said.

“BIS has conducted an unprecedented degree of outreach on this issue, and I greatly appreciate their flexibility and transparency. However, I think it is incumbent upon the White House to weigh in and help deconflict the guidance BIS has been receiving from the various agencies,” Langevin added in a statement.

McCaul also claimed the proposed rule, if not the whole agreement itself, would have significant unintended consequences for security researchers, cybersecurity providers, and the overall U.S. cyber posture.

“We cannot let the good intentions of these export controls trump the fact that in their current form they would depreciate cyber security at home and for billions around the world,” McCaul said.

Langevin and McCaul on Wednesday also called for oversight hearings to look into the implementation of cybersecurity export controls and their potential implications for national security, the statement said.