Stakeholders Urging Changes to Wassenaar Proposal Over Concerns About Impact on US Cybersecurity
A Department of Commerce proposal for implementing changes to export control rules to comply with the multinational Wassenaar Arrangement (see 1505200014) is continuing to draw controversy among industry and nongovernmental organizations, with several industry officials saying at an event July 24 that they're actively lobbying members of Congress, Commerce and other federal agencies on the need for changes to the proposal. A wide range of U.S. cybersecurity parties railed against the Commerce Department's Bureau of Industry and Security (BIS) Wassenaar implementation proposal in comments last week (here), with many saying the proposed implementation of recent changes to Wassenaar that would control the export of intrusion software and network surveillance systems was overly broad and would significantly affect U.S. cybersecurity companies.
Symantec has been doing a great deal of outreach to federal agencies and members of Congress on the Wassenaar implementation proposal, though much of the conversation involves explaining details on cybersecurity and export controls, which are both “very arcane and very murky areas that no one really gets,” Symantec Senior Manager-Trade Compliance Michael Maney said during the Center for Strategic & International Studies event. Symantec is able to get lawmakers’ attention focused on the impact the implementation proposal could have on U.S. cybersecurity, Maney said. “They’re really trying to find ways that they can join in this dialogue,” he said. Proposals to change the U.S. proposal need to focus on narrowing its scope to exclude “everyday” cybersecurity activities that would be affected by the current wording, Microsoft Senior Attorney Cristin Goodwin said.
Human rights groups initially backed changes to Wassenaar to include the export of intrusion software and IP surveillance systems in reaction to scandals involving U.S. and European companies selling such software to authoritarian governments in the Middle East during the Arab Spring revolts, but the groups have since opposed the U.S. implementation proposal, Maney said. Several such groups, including the Center for Democracy and Technology and the Electronic Frontier Foundation, jointly urged (here) BIS to narrow its implementation proposal’s scope so it more clearly addresses potential human rights abuses of targeted technologies and to exempt technology used for legitimate security research.
House Homeland Security Committee Chairman Michael McCaul, R-Texas, and several other House members signed a letter by Rep. Jim Langevin, D-R.I., pushing for BIS to revise its Wassenaar implementation proposal so it becomes “more narrowly targeted to ensure the timely disclosure of vulnerabilities and support for the robust cybersecurity research we need.” Steptoe & Johnson cybersecurity lawyer Stewart Baker also noted support from members of Congress for changes to the BIS proposal, saying that seeking changes to the proposal “is not that hard a sell in Congress” because of the current proposal’s potential to have a significant impact on U.S. cybersecurity companies and because it could generally hurt U.S. cybersecurity.
The U.S. Wassenaar implementation proposal would significantly affect cybersecurity tactics used by major U.S. companies, including penetration-testing technology used by Symantec and other firms to test all of their own products and to test for vulnerabilities in clients’ networks, Maney said. Penetration testing inevitably involves crossing into networks in other countries, which qualifies the technology as an export and therefore would bring it into violation of Wassenaar under the U.S. proposal, Maney said. FireEye’s customers outside the U.S. would also be negatively affected by the U.S. proposal since they wouldn’t be able to view FireEye’s detection activity, Director-Threat Intelligence Laura Galante said.