The United States was unable to renegotiate portions of the Wassenaar Arrangement’s export controls for intrusion software at the plenary meeting held from Dec. 6-8, delaying efforts to change language U.S. officials believe is too broad and potentially damaging.
In March, the Obama administration decided to attempt to renegotiate the export control rules on cyber intrusion software at Wassenaar, following deep opposition from multiple sectors to rules proposed by the Commerce Department to keep in line with the international regime’s new controls.
The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a multilateral export control regime established 20 years ago to maintain security and stability by promoting responsibility and transparency in transfers of arms and dual-use technologies, aimed at preventing destabilizing accumulations. Digital intrusion software was added as a new controlled technology at the arrangement’s 2013 plenary meeting.
After the Commerce Department’s Bureau of Industry and Security (BIS) issued an initial proposed rule for public comment in 2015, the administration received wide-ranging opposition from legislators, industry officials, and open internet non-governmental organizations, all calling it far too broad and potentially damaging in scope. The concern was that intrusion software was defined too broadly and would hamstring legitimate cybersecurity tools used to defend networks against cyberattacks.
Rep. Jim Langevin (D-R.I.), co-founder and co-chair of the Congressional Cybersecurity Caucus, was one of the leaders of congressional opposition to the proposed rule and cheered when the administration agreed with critics that the proposed rule had too many negative effects. He said the arrangement failed to change the intrusion software controls.
“I am deeply disappointed that Wassenaar member states declined to make needed updates to the intrusion software controls, particularly those related to technologies necessary for their development. For over a year, I have led my colleagues in Congress in calling for a careful review of these controls, which could harm our nation’s cybersecurity by making it more difficult to quickly share defensive tools and close vulnerabilities,” he said in a statement.
Although relatively minor changes at the annual session clarifying the role of command and control functionality were positive, they “are simply insufficient to address the broader flaws in the language,” he added.
This change specified that the rule should apply to attack code used to command and control malware and not regular computer defense tools that could otherwise be captured by the rule.
However, Langevin thanked National Security Adviser Susan Rice for formulating the U.S. position on the changes needed to the export control language and the State Department for its “strong advocacy” at the plenary.
The lawmaker also highlighted and welcomed the BIS’s outreach to cybersecurity practitioners, which included bringing on Katie Moussouris, CEO of Luta Security, and Iain Mulholland, Chief Technology Officer (CTO) of security at VMware, as delegation expert advisers.
If the U.S. continues to seek a rule change at the next Wassenaar Arrangement meeting, it will have to do so under President-elect Donald Trump’s administration. Langevin said he is hopeful the next administration will continue to push for the language changes in 2017 and continue to refrain from making new rules on the controls until changes are made at the international agreement level.