The Obama administration has decided to attempt to renegotiate export control rules on cyber intrusion software at the Wassenaar Arrangement after several levels of opposition to proposed rules by the Commerce Department in line with the international regime.
Lawmakers including Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus and member of the House Committee on Homeland Security and subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, announced and commented on the decision Feb. 29.
“Today’s announcement represents a major victory for cybersecurity here and around the world. While well-intentioned, the Wassenaar Arrangement’s ‘intrusion software’ control was imprecisely drafted, and it has become evident that there is simply no way to interpret the plain language of the text in a way that does not sweep up a multitude of important security products,” Langevin said in a statement
The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a multilateral export control regime established 20 years ago to maintain security and stability by promoting responsibility and transparency in transfers of arms and dual-use technologies, aimed at preventing destabilizing accumulations. Digital intrusion software was added as a new controlled technology at the arrangement’s 2013 plenary meeting.
The Commerce Department’s Bureau of Industry and Security (BIS) issued an initial proposed rule for public comment in 2015, which received wide-ranging opposition from legislators (including Langevin), industry officials, and open internet non-government organizations all calling it far too broad and potentially damaging in scope.
Opponents said the BIS rule draft and arrangement addition define intrusion software too broadly in a way that could outlaw and stymie legitimate cybersecurity tools used to defend networks against cyberattacks.
In December over a quarter of the House of Representatives joined the opposition in a letter to National Security Adviser Susan Rice calling on the White House to revise the rule and, if necessary, renegotiate the listing at the arrangement. The letter was written by Langevin and fellow House Cybersecurity Co-Chair and House Homeland Security Committee Chairman Michael McCaul (R-Texas).
Following the letter and committee hearings on the topic, the White House responded by noting it would intensify engagement with stakeholders on how to mitigate the problems a rule might incur and would not issue a final rule without at least another round of public comments.
The administration appears to have been unable to find a compromise with the stakeholders. State Department officials said renegotiation of the cyber intrusion control was possible if necessary at a Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies hearing in January on the Wassenaar cyber issue. Officials said the administration would decide on renegotiation of the control itself if first further consultations with stakeholders, between government departments, and with Wassenaar members who have implemented the intrusion controls but do not seem to have the same kind of implementation problems cannot resolve the widespread concerns through BIS rule language.
“By adding the removal of the technology control to the agenda at Wassenaar, the Administration is staking out a clear position that the underlying text must be changed. Furthermore, the Administration leaves open the possibility for further alterations to the control pending additional interagency review,” Langevin said.
Langevin acknowledged the decision “was the result of a long process that saw industry, Congress, and the administration working together to understand the precise implications of the proposed rule implementing the control.”
He thanked Assistant Secretary of Commerce Kevin Wolf and the BIS for being open, transparent, and willing to listen to stakeholders throughout the process.
“Of course, the addition of items to the agenda does not, in itself, ensure a successful resolution. I look forward to working with our Wassenaar partners to advance the dialogue, and to supporting the State Department’s team as negotiations progress.”