Feds weigh next step for controversial anti-hacking regs

The Obama administration has not yet decided how to move forward on controversial regulations designed to keep hacking tools out of the hands of repressive regimes, officials told lawmakers on Tuesday.

At a House hearing, lawmakers expressed concerns about the proposed set of rules, which they argue could impede security research, curtail cyber threat information sharing and actually weaken digital defenses worldwide.

ADVERTISEMENT
“What has been violated here is the fundamental adage of, ‘Do no harm,’” said Homeland Security Committee Chairman Michael McCaul (R-Texas).

Because of vague definitions within the draft, critics say the rules would restrict researchers’ ability to share the hacking tools that companies regularly use to test and fortify their own defenses.

The proposal, McCaul said, “could hobble the entire cybersecurity ecosystem as well as cross-border data flows.”

The rules are part of the implementation of the little-known Wassenaar Arrangement, which governs the export of weapons and so-called “dual-use” technologies that have both civilian and military uses.

Officials acknowledged that these concerns have sent them back to the drawing board.

“The only thing that is certain about the next step is that we will not be implementing as final the rule that was proposed,” said Kevin Wolf, assistant secretary for export administration at the Commerce Department, which wrote the initial draft.

But the government hasn’t decided exactly what the next step is. Some believe the State Department should first renegotiate the 2013 extension of the Wassenaar pact, which extended the agreement to cover surveillance and hacking tool. Renegotiation proponents argue the extension’s language contains broad definitions of technical terms such as “intrusion software” that need to be revised before the pact can be properly implemented.

“Clarifying the Wassenaar [Arrangement] language itself seems the surest means of ensuring consistent implementation in a global cybersecurity environment,” said Dean Garfield, CEO of the Information Technology Industry Council, during his testimony Tuesday.

State has resisted these calls. Lawmakers and industry representatives say the refusal has led to a stalemate between State and others agencies, including the departments of Commerce and Homeland Security, on how to move forward.

At Tuesday’s hearing, Rep. John Ratcliffe (R-Texas) — who chairs one of the two subpanels holding the hearing, the House subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies — pressed a State official on the issue.

Ann Ganzer, who heads the Wassenaar delegation at the State Department, said it would be “premature” to say whether the government should return to the negotiating table.

Ganzer noted the Wassenaar Arrangement “operates by consensus,” and that 31 of the 41 signatories have already implemented rules for the control of these surveillance and hacking tools.

But she acknowledged the U.S. rules need to be rewritten, calling many of the criticisms “right on the mark.”

“This is something that we need to fix, and we are working interagency, analyzing the comments, following up with them to determine what our next step forward will be,” she said.