Federal agencies have unanimously approved a decision to seek to partially renegotiate a 2013 Wassenaar Arrangement rule that would limit exports of specified cybersecurity items, according to press sources. The decision follows overwhelming private sector opposition to a May 2015 Bureau of Industry and Security proposal to amend the Export Administration Regulations to reflect the Wassenaar rule.
The BIS proposed rule would establish a license requirement for the export, reexport or transfer (in-country) of the following cybersecurity items to all destinations except Canada: (1) systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software (including network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices); (2) software specially designed or modified for the development or production of such systems, equipment or components; (3) software specially designed for the generation, operation or delivery of, or communication with, intrusion software; (4) technology required for the development of intrusion software (including proprietary research on the vulnerabilities and exploitation of computers and network-capable devices) and (5) Internet protocol network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor.
Virtually all of the hundreds of comments submitted on this proposal were negative and focused on three main issues. First, the proposed definition of “intrusion software” is too broad and would catch products such as malware recovery tools and defense research tools. Second, there would be a heavy and unnecessary licensing burden on legitimate transactions that contribute to cyber security, such as using tools proposed for control to test systems and networks for vulnerabilities. Third, the rule could cripple legitimate cybersecurity research by subjecting vulnerability research, assessments and testing to export licensing requirements, including classification, screening and other control elements.
According to press reports, the U.S. has proposed a complete removal of the Wassenaar rule’s controls on exports of technology for the development of intrusion software. A decision on this proposal is not expected until the organization’s plenary meeting in December. In the nearer term the U.S. will also seek to discuss with the other 40 Wassenaar members ways to limit the hardware and software necessary to develop and control intrusion software that would be subject to the rule’s export restrictions. Inside US Trade cited a senior U.S. official as saying that if Wassenaar members reject these efforts BIS could revise its proposed rule, which likely would not happen until at least early 2017.