More than 100 House members are demanding changes to a set of draft Obama administration regulations designed to keep hacking tools out of the hands of repressive regimes.
The bipartisan coalition, spurred on by industry groups, warns that the proposed rule — which has also led to a stalemate between a trio of federal agencies — could keep U.S. companies from adequately protecting their networks
At issue is the implementation of a little-known international agreement governing export regulations for so-called intrusion software — digital hacking and surveillance tools that the agreement’s crafters were concerned could be used by to crack down on journalists and dissidents.
Security experts have long argued that the arrangement defines “intrusion software” too broadly, effectively outlawing the export of legitimate tools that companies use to test and fortify their own defenses.
Now, a formal push on Capitol Hill has given new force to their concerns.
At least 125 lawmakers, led by House Cybersecurity Caucus co-chairs Michael McCaul (R-Texas) and Jim Langevin (D-R.I.), this week urged the White House to step in and help rework the proposed rule.
“It seems like this relatively obscure issue, but we sent out this ‘Dear Colleague,’ and within two days — I’ve never seen a Dear Colleague catch that much steam that fast,” McCaul told The Hill, referring to the letters lawmakers circulate to drum up support for an issue.
In 2013, the State Department agreed to a series of amendments to the 41-nation Wassenaar Arrangement, which restricts the export of dual-use technologies in order to keep them out of the wrong hands. Those amendments expanded the list of restricted technologies to include Internet-based surveillance systems, including the broadly defined intrusion software.
Following an interagency rulemaking process that included State, the Commerce Department and the Department of Homeland Security, Commerce this spring released a draft rule that attempted to provide clarity to businesses by attempting to draw a line between “offensive” and “defensive” cyber tools.
The security community was outraged, insisting that it is impossible to draw such a distinction; companies regularly test networks for flaws using the same technology that malicious hackers use to crack those networks.
The agency “may think that it's not regulating vulnerability research, but the proposed rules could end up doing just that,” the Electronic Frontier Foundation (EFF) wrote in a blog post.
Critics also say the proposed regulations wouldn’t actually prevent dictators and cyber criminals from getting their hands on technology that could be abused.
Lawmakers echoed those criticisms on Wednesday, calling the Commerce Department’s efforts “misguided” in a letter to National Security Adviser Susan Rice.
As written, they say, the rules “dramatically reduced our ability to defend our nation's networks while only marginally reducing malicious actors' abilities to use hacking tools.”
Commerce responded to a torrent of public comment in July, saying that it would likely issue a second proposal — but observers say disagreement between the three agencies has stymied progress.
“Right now, the Department of State, the Department of Commerce and the Department of Homeland Security have different views on Wassenaar and whether or not it would be a problem for cyber threat research,” Langevin told The Hill.
Lobbying by the security industry has made the Department of Commerce cognizant that the language of the arrangement itself may need to be renegotiated in order to avoid any unintended national security consequences of implementing its broad-brush terms, according to lawmakers and sources in the business community.
“That is part of what I think the interagency process needs to look at,” said Rep. Will Hurd (R-Texas), a former CIA agent. “Do you need to go back to the Wassenaar and renegotiate that or is there a better way to achieve the goal of Wassenaar by the implementation of the Commerce law?”
But some in the security industry, as well as some lawmakers, complain that the State Department is dragging its feet, insisting that any changes to the language happen on the domestic regulatory level rather than through a renegotiation of the terms it agreed to in 2013.
Critics say a domestic solution is impossible.
“We think that trying to craft a regulatory definition that would capture offensive tools only while leaving defensive tools freely available is not possible,” said Nate Cardozo, a staff attorney at EFF. “We think it’s a fool’s errand to even try.”
Those concerned about the language hope Rice’s involvement will help break the logjam by convincing the State Department that it may be necessary to renegotiate the treaty at the next Wassenaar plenary meeting in December of next year.
“We request that you take an active role in collaborating with [the Department of Commerce] and State to reevaluate the 2013 Wassenaar additions,” Wednesday’s letter to Rice read.
“I think this is important enough that that this needs to be looked at from a national security perspective to make sure the rule is written in the right way,” Langevin said.
While some lawmakers are still open to a regulatory solution, security experts hope the White House will leverage pressure on the State Department to return to the negotiating table.
“Having White House involvement means that maybe we can get State on board,” Cardozo said. “My best scenario is State comes around and says, let’s renegotiate at the December 2016 plenary.”