The House Oversight Committee is pushing the State Department to renegotiate parts of an international export agreement that governs cyber weapons.
“We are concerned the Wassenaar Arrangement may not be the appropriate framework to control cybersecurity tools,” the committee wrote in a Friday letter to Secretary of State John Kerry. “We unambiguously expect that the U.S. Department of State will work to renegotiate the controls at the Wassenaar plenary.”
The pact with 40 other nations regulates the export of weapons and “dual-use” technologies that have both civilian and military uses.
In 2013, the State Department agreed to expand the list of restricted technologies to include so-called “intrusion software” — digital hacking and surveillance tools that the agreement’s crafters were concerned could be used to crack down on journalists and dissidents.
Following an interagency rulemaking process that included State, the Commerce Department and the Department of Homeland Security (DHS), Commerce last spring released a draft rule in an attempt to implement the arrangement — but security experts revolted.
They claimed many of the definitions are broad or vague, and could potentially ban the legitimate sharing of security vulnerabilities or the tools that companies use to test and fortify their own defenses.
Their outrage attracted the attention of over a hundred lawmakers, led by House Cybersecurity Caucus co-chairs Michael McCaul (R-Texas) and Jim Langevin (D-R.I.), who in December urged the White House to step in and help rework the proposed rule.
At the time, observers said White House intervention was needed to break a stalemate between the three agencies responsible for implementing the agreement.
According to sources in the security industry, as well as some lawmakers, Commerce and the DHS had accepted that renegotiation of the overall agreement could be necessary — but that the State Department was dragging its feet, insisting that any changes to the language happen on the domestic regulatory level rather than through a renegotiation of the terms it agreed to in 2013.
“We think that trying to craft a regulatory definition that would capture offensive tools only while leaving defensive tools freely available is not possible,” Nate Cardozo, a staff attorney at the Electronic Frontier Foundation, told The Hill. “We think it’s a fool’s errand to even try.”
The Oversight Committee held hearings on the rulemaking process in January, and seems to have been swayed by technologists’ stance that a domestic solution is impossible.
“According to testimony received at the hearing, addressing this issue through U.S. policy alone would not be enough due to the cross border nature of cyber threats,” the letter reads. “Furthermore, the language of the Arrangement itself appears to preclude an interpretation that allows for legitimate cybersecurity activities.”
“There is a growing consensus that the export control language on cybersecurity intrusion and surveillance software and technology would have a devastating impact on cybersecurity efforts worldwide,” the committee writes.