Administration should continue to seek changes to international cyber export controls

The next administration faces increased challenges in securing cyberspace. Attacks are on the rise, and massive numbers of interconnected devices threaten to overwhelm Internet defenders. Cyber export control agreements have been drafted in the past several years, and the importance of getting them right affects not just national security, but the entire global Internet ecosystem. Getting them wrong means crippling Internet defenders.

The Wassenaar Arrangement was originally established over 20 years ago and now includes 41 nations to promote transparency and responsibility in transfers of conventional arms and dual-use goods and technologies.  In 2013, the Wassenaar Plenary, seemingly expanded its original mission beyond regulating technologies that could be incorporated into conventional weapon systems to include regulating the export of certain types of equipment, software and technology used to distribute or produce malicious “intrusion software.”


Setting Cyber Norms Faces Unintended Consequences

Regulated as a means to try to regulate the sale of the means for delivering “intrusion software” and related development technology to buyers that might use it to attack others’ computer networks or even to abuse human rights, the language that ended up approved in 2013’s Wassenaar Arrangement came with unintended consequences. In December of 2016, the Wassenaar Plenary  - the decision making body of the Wassenaar Arrangement - agreed to clarify some of the wording, but not enough was changed. We must continue our efforts to change this agreement.

Even if the U.S. were to ignore the agreement, the other 40 countries are still following it, and this will hamper Internet defenders here in the US by slowing down the flow of vital information from around the world. The result of these new export controls impede our ability to protect critical infrastructure, the economy, and all the other Internet-connected dependencies we have today.

Our Work Towards Correcting the Words

We were invited to join the U.S. Delegation in Vienna during the June and September Wassenaar sessions with the goal of providing U.S. technology and security industry expertise directly at the negotiating table. This was the first time that the U.S. Delegation included non-government cyber experts at the September meeting, due to niche knowledge we brought as security practitioners. 

In particular, extensive efforts were made to make our Wassenaar partners in the other 40 countries aware of our concerns that the current controls can hamper operational security investigation and response. We used real world technical examples to illustrate the criticality of the tools and techniques that the 2013 agreement appear to control. Our Wassenaar partners from the other 40 countries took our concerns seriously, and we were able to propose improvements to the Wassaenaar language that provided critical clarifications to allow for unimpeded exchange of cyber security tools and techniques for defense.

In fact, upon returning to the U.S. after the September negotiations in Vienna, there was much optimism that we had a workable agreement on the table.  That’s why we are seriously disappointed at the more limited changes agreed at the plenary in December, which were not enough to correct the flawed control language.

Continued Support for the Future of Cyber Defense

To protect our people, products, services, and networks against rising Internet threats, we must be able to share tools and techniques across borders in real time. Success will not come overnight, but we continue to believe that significant clarifications must be made to the 2013 Wassenaar Arrangement to ensure our national security. The U.S. government and our technology industry must speak with one voice in an effort to work constructively in partnership if we are truly able to craft a workable solution in the future.

We urge the incoming administration to continue to take this as a U.S. leadership opportunity in shaping international cyber norms by supporting the ongoing renegotiations on the Wassenaar Arrangement. The continued U.S. renegotiation efforts, in partnership with the U.S. technology industry with support from the bipartisan Congressional Cybersecurity Caucus, can ensure a sound Wassenaar cyber agreement that enhances our nation’s cyber posture and ultimately strengthens our defense against attacks.

Authors:  Iain Mulholland, Chief Technology Officer, Security, VMware, Inc; Katie Moussouris, Chief Executive Officer, Founder, Luta Security

The views expressed by authors are their own and not the views of The Hill.