U.S. agencies should renegotiate an international agreement to limit the export of surveillance and intrusion software because the deal handcuffs cybersecurity efforts, critics said this week.
Overly broad definitions in the proposed export controls would require companies to get an export license every time they shared cyberthreat information outside of the U.S. and would tie the hands of cybersecurity vendors scanning networks for vulnerabilities, said Cheri Flynn McGuire, Symantec’s vice president of cybersecurity policy.
The deal, approved by the 41 member nations of the Wassenaar Arrangement in late 2013, “threatens the cybersecurity of not only the technology, but also that of all critical infrastructure companies,” McGuire said during a joint hearing of two House of Representatives subcommittees Tuesday.
Wassenaar members agreed to the export controls in an effort to keep surveillance technologies out of the hands of repressive regimes. But rules proposed by the U.S. Department of Commerce’s Bureau of Industry and Security would also clamp down on the export of “network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices.”
Those rules “would severely damage our ability to innovate and develop new cybersecurity products, conduct real-time global research, and share information on vulnerabilities and exploits,” McGuire said. “These new regulations would restrict the free flow of information across borders.”
Under the proposed regulations, scrapped by the DOC after backlash from tech vendors, a global tech company would likely have had to apply for an export control exemption every time it shared cyberthreat information with an overseas office, said Iain Mulholland, vice president of engineering trust and assurance at VMware.
The DOC received more than 260 comments, almost all opposed, when it put the rules out for public comment in mid-2015.
“It is clear … that the first version of the proposed U.S. rule to implement the Wassenaar control missed the mark,” Vann Van Diepen, principal deputy assistant secretary for international security and nonproliferation at the State Department, told lawmakers.
Still, officials with the DOC and the State Department declined to detail their next moves when pressed by lawmakers. Thirty-one Wassenaar members have already implemented the intrusion software export controls, and the agencies are reluctant to scrap efforts to limit proliferation of surveillance technologies, officials said.
McGuire and Mulholland, along with executives from Microsoft and the Information Technology Industry Council, urged the agencies to renegotiate the deal with the other member nations during discussions this year.
While the proposal may have sailed through in other countries, the export controls would have an outsized impact on the dominant U.S. cybersecurity industry, Mulholland said.
Several lawmakers called on the agencies to start over by taking U.S. tech industry needs into account.
“I’m tired of us … worrying about what other countries want,” said Rep. Tom Marino, R-Pa. “I would like to see an emphasis put on what we need here in the United States.”