United States to Renegotiate Controls on Intrusion Software

March 15, 2016 Advisory

Since the end of 2013, an important question has loomed over the computer security industry: would the U.S. government impose strict controls on the sharing of technology and research related to cybersecurity vulnerabilities? In a letter dated March 1, 2016, Secretary of Commerce Penny Pritzker finally answered that question: no, the government would not enact such controls. At least for now.

This question arose in the context of the participation of the United States in the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies ("Wassenaar Arrangement"), a multilateral export control regime of 41 nations seeking to control the export of arms and dual-use items that the participating nations have placed on export control lists.

In December 2013, during its Plenary Meeting, the Wassenaar Arrangement participating nations agreed in principle to add export controls for so-called "intrusion software." Intrusion software was defined as software specially designed or modified to avoid detection by monitoring tools, or to defeat the protective countermeasures of a computer or network-capable device, and performing either: (a) the extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or (b) the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions. While the Wassenaar Arrangement did not propose to control intrusion software itself, it did seek to add export restrictions on the software, systems, equipment, components and technology specially designed for the generation, operation or delivery of, or communication with, intrusion software. The intention was to make it more difficult for bad actors to acquire technology that could be used for a cyber-attack or surveillance.

The Wassenaar Arrangement Control List is not itself legally binding in the United States. Therefore, on May 20, 2015, the U.S. Department of Commerce's Bureau of Industry and Security ("BIS") published a proposed rule to implement the agreed-upon controls by adding the Wassenaar Arrangement's definition of intrusion software to the Export Administration Regulations ("EAR") and by amending the Commerce Control List ("CCL") to reflect the controls on the systems, equipment, components and technology specially designed for the generation, operation or delivery of, or communication with, intrusion software. Under the BIS proposed rule, an American person or entity would require a Commerce Department export license in most cases to share this sort of technical know-how with a foreign person.

BIS then invited comments from the public. Opposition to the proposed rule was fierce. Cybersecurity professionals pointed out that they use the same tools to develop proofs of concept of cyber vulnerabilities that a hacker uses to design exploitation tactics, and that the Wassenaar controls would have a chilling effect on sharing vulnerability research. Over a hundred members of Congress signed a letter to Susan Rice, the Assistant to the President for National Security Affairs, urging her to intervene and stop the Department of Commerce from enacting the proposed changes to the EAR. The members of Congress warned that the proposed controls on intrusion software could impede critical cybersecurity research and endanger national security.

In testimony before two subcommittees of the U.S. House of Representatives on January 12, 2016, Kevin Wolf, Assistant Secretary of Commerce for Export Administration, noted that, "By the end of the 60-day comment period, Commerce had received more than 260 comments, virtually all of them negative. Some commenters took the view that the underlying control at Wassenaar could not be implemented without causing significant harms to cybersecurity. Others made specific recommendations on ways to mitigate many of the concerns. Some praised the underlying objectives of the rule, while nonetheless proposing modifications to the scope of the proposed regulation, such as through license exceptions and definitions, to reduce the impact of unintended consequences." At the time, Assistant Secretary Wolf noted that the Commerce Department was still considering the public comments and had not yet reached a conclusion about how to respond to them.

Secretary Pritzker's March 1, 2016 letter – addressed to several companies and associations who submitted comments – provides resolution. She stated that, in response to the concerns of those who submitted comments, the U.S. has proposed to the other Wassenaar Arrangement members that the group eliminate the controls on technology required for the development of intrusion software. (She also noted that changes to the Wassenaar Arrangement controls must be approved by all 41 members and that acceptance of the American proposal could not be predicted.) The Secretary further signaled that the U.S. is committed to finding a way to prevent the spread of these cyber-intrusion tools in order to protect national security.

There are two key takeaways from Secretary Pritzker's letter. First, the cybersecurity industry should keep a watchful eye on the Wassenaar Arrangement to see if it does, in fact, remove the controls related to intrusion software. Second, the Secretary's letter is a reminder that private stakeholders can influence their industry's regulations through the notice and comment process. Had the government not received the hundreds of comments from individuals and entities with practical insight into the ramifications of the intrusion software controls, the Commerce Department might have enacted regulations that would hurt the interests of both the American government and the American industry.