Mr. Kerry, it's time to update cybersecurity rules
Cyber criminals, hacktivists, and foreign adversaries conduct millions of cyberattacks against U.S. interests daily, looking to steal state secrets and valuable information and undermine critical infrastructure. Attacks on the Office of Personnel Management and big-name private sector companies have shown that no one is immune.
To defend their networks and fix breaches, companies that harbor valuable information must rapidly communicate about vulnerabilities and issue necessary patches. But in 2013, the Obama administration made that significantly harder when it agreed to join other countries in applying export controls to critical cybersecurity tools and techniques. This decision will force companies to endure the burdensome process of obtaining export licenses before sharing time-sensitive information on security vulnerabilities, causing them to sit on critical threat information while their license application is processed.
In the coming weeks, the State Department is expected to begin setting its agenda on this issue for key international meetings in December. We implore the administration to undo its previous decision and renegotiate this agreement. America’s ability to protect itself in cyberspace is at stake.
Established in the 1990s, the little-known Wassenaar Arrangement, named after the city in the Netherlands where it was negotiated, is composed of 41 countries that agree upon export controls on conventional arms and dual-use goods and technologies. Each country has discretion in implementing these controls under its own national laws.
In 2013, the Wassenaar member countries agreed to add fundamental cybersecurity technologies to their list of export controls. The goal was to prevent intrusion and surveillance technologies from falling into the hands of authoritarian regimes that have used these technologies to spy on their populations and identify political dissidents. But negotiators failed to consult with experts in the cybersecurity industry, and agreed to expansive and vague additions to the Wassenaar export control regime.
Last May, the Commerce Department issued a proposed rule for implementing these export controls in the United States, prompting nearly unanimous opposition from the technology and cybersecurity industries, academics and security researchers. The significant pushback prompted Commerce to rescind its proposed rule. A new proposal has not been issued, and we hope one never emerges.
Export controls are most effectively used for dual-use weapons and goods that require physical space to manufacture, store and transport. In other words, goods that can be tracked. Export controls are applied in those contexts because there are a finite amount of such goods and there are ways to identify them entering or exiting a country. But the same cannot be said of cybersecurity tools and techniques, which could simply be code written on a sheet of paper that can be photocopied or scanned and sent electronically.
Applying export controls to the digital world could force a security professional to apply for a license before sharing an email that contains the code for a critical security vulnerability with an overseas colleague, or even with a colleague who works down the hall if he or she isn’t a U.S. citizen. The license could take months to process, while the company watches its adversaries change tactics daily — or hourly. This will leave American businesses insecure while a government office works at the slow pace of bureaucracy to grind out the necessary paperwork.
As these examples make clear, attempting to regulate cybersecurity technologies through export controls is a fundamentally flawed approach that will cripple the cybersecurity industry, putting us all at risk. Even worse, it will not achieve the goal of curbing human rights violations.
Instead of protecting against cyberthreats, Wassenaar will only give our cyber enemies more opportunity to attack U.S. companies. Real-time collaboration is an indispensable component of providing cybersecurity. Threat information must be shared around the globe at breathtaking speed to keep up with adversaries who are working 24/7 to undermine our networks, systems and critical infrastructure. But adding export controls to fundamental cybersecurity technologies will take us in the opposite direction.
In addition, export controls will not hamper the ability of bad actors and oppressive regimes to obtain so-called spyware. Countries with sizable information technology sectors such as India and Brazil are not members of the Wassenaar Arrangement, nor is cyber giant China or growing cyberthreat Iran. Therefore, nothing would preclude these countries from producing and selling the very technologies the Wassenaar countries are seeking to control.
This is not a partisan issue. When the Commerce Department released its proposed rule last May, a coalition of industry, academic and civil society groups pushed back. In December, a bipartisan group of 125 members of Congress wrote a letter to the administration expressing deep concern. In January, we held a joint hearing with representatives from the private sector and the departments of State, Commerce and Homeland Security to examine Wassenaar, with respect to cybersecurity and export controls. The hearing resulted in a clear consensus among both Democrats and Republicans that the administration must reconsider its decision.
The United States must not compromise its national security in exchange for implementation of an arrangement that is negligent bargaining at best, and a blatant security compromise at worst. Given the resounding outcry by stakeholders, the administration must go back to the drawing board on this issue. A new proposed rule from the Commerce Department will not fix the fundamental flaw that cybersecurity tools and technologies should not be regulated through export controls.
We urge the administration to admit it made a mistake and return to Wassenaar to renegotiate the agreement. The protection of the private sector depends on it.
Rep. Will Hurd sits on the House Homeland Security Committee and is chairman of the IT Subcommittee on the Oversight and Government Reform Committee. Rep. John Ratcliffe is chairman of the Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee for the House Homeland Security Committee and also serves on the House Judiciary Committee.