Commerce to rewrite anti-hacking export rules

It appears the Commerce Department will go back to the drawing board on rules that would attempt to control the export of hacking tools.

The decision was spurred by a flurry of opposition from the security community, tech companies and even a few lawmakers during a comment period that ended July 20. Opponents argued the broad language would simply stunt the booming security industry and weaken cybersecurity worldwide.

ADVERTISEMENT

“I think you will see a very strong effort to be responsive to those comments and to try to figure out, ‘What is the next iteration of this?’ and frankly give people another opportunity to comment,” Deputy Secretary of Commerce Bruce Andrew said during a podcast interview this week with Stewart Baker, former assistant secretary for policy at the Department of Homeland Security.

Commerce confirmed it would revise its proposal.

“In light of the high volume of comments received, it is likely we will publish a second proposed rule,” a Commerce spokesperson said in an emailed statement. “We have no timetable for that action."

With its proposal, Commerce is trying to stem the increasing flow of cyber spying and digital sabotage equipment to cyber crooks and repressive regimes.

The desired update would alter the language of the Wassenaar Arrangement, a little-known pact among 41 countries that controls the export of weapons and so-called “dual-use” technologies that can be corrupted.

The agency wants to extend those controls to the technology behind “intrusion software,” which is used to sneak into computer systems. Essentially, the update would classify that technology as a potential weapon.

Security specialists immediately pushed back, saying the language might restrict legitimate cybersecurity research. Companies regularly test networks for flaws using the same technology that malicious hackers use to crack those networks.

Researchers fear they would have to get licenses for each one of these regular network tests under the desired update.

“It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure,” Google said in a blog post.

Andrews’ remarks also come as lawmakers are stepping up opposition to the proposal.

On Wednesday, Sen. Chuck SchumerCharles (Chuck) Ellis SchumerTrump blasts Pelosi for wanting to leave country during shutdown The Senate should host the State of the Union Dem senators debate whether to retweet Cardi B video criticizing Trump over shutdown MORE (D-N.Y.), the third-ranking Democrat, came out against the rules.

“Our companies must have the ability to install and test the best defenses,” Schumer said. “Unfortunately, when it comes to self-testing, a new federal rule is forcing companies and power utilities to fight the scourge of cyberattacks with one hand tied behind their backs.”

He also sent a letter to the department on Wednesday, urging it to reconsider.

“The goals of the proposal are laudable, and I share them: the proposal is intended to limit access to powerful surveillance tools by oppressive foreign regimes and agents,” it reads. “Unfortunately, I believe the proposal as drafted is vague and overbroad, and may inhibit the development of important cyber protection tools, as well as limiting the ability of US companies to protect their own networks.

The senator was the second lawmaker to take a strong public stance.

Rep. Jim Langevin (D-R.I.), who co-chairs the Congressional Cybersecurity Caucus, got three of his colleagues to sign on to a letter delineating his worries about the proposal.

His caucus co-chair, House Homeland Security Committee Chairman Michael McCaul (R-Texas), signed the letter, as did Reps. David SchweikertDavid SchweikertEthics committee expanding investigation into GOP rep over finance questions McCarthy defeats Jordan for minority leader in 159-to-43 vote House Republicans set to elect similar team of leaders despite midterm thumping MORE (R-Ariz.) and Ted Lieu (D-Calif.).

“The proposed rule has a number of flaws that could detrimentally affect our national security,” Langevin’s letter reads. “This could have a chilling effect on research, slowing the disclosure of vulnerabilities and impairing our nation’s cybersecurity.”

Langevin submitted the letter during the comment period on the proposal, which ended on July 20.

“It is in the DNA of the Commerce Department to be a public-private partnership,” Andrews said.

The comment period is intended to give the private sector time to weigh in before Commerce pushes forward with ill-conceived laws, he insisted.

“That’s the beauty of our system,” Andrews said. “We actually have the flexibility built in.”

— Updated 7:35 p.m.