The Obama administration is telling lawmakers that it will seek to renegotiate certain portions of a 41-nation agreement designed to keep hacking tools out of the hands of repressive regimes.
The reversal follows months of pressure from the technology community and lawmakers, who warned the vague definitions within the agreement would restrict companies’ ability to use legitimate tools to test and fortify their own defenses.
“Today’s announcement represents a major victory for cybersecurity here and around the world,” said Rep. Jim Langevin (D-R.I.), who helped spearhead efforts to press the administration to renegotiate.
In 2013, the State Department agreed to a series of amendments to the so-called Wassenaar Arrangement, a 41-nation agreement restricting the export of dual-use technologies in order to keep them out of the wrong hands.
Those amendments expanded the list of restricted technologies to include so-called “intrusion software” — digital hacking and surveillance tools that the agreement’s crafters were concerned could be used by to crack down on journalists and dissidents.
Following an interagency rulemaking process that included State, the Commerce Department and the Department of Homeland Security, the administration attempted to implement the agreement, but met with fierce pushback from both the security community and lawmakers.
Critics argue that the arrangement defines “intrusion software” too broadly, effectively outlawing legitimate cybersecurity tools needed to defend networks against hackers.
Increasingly, lawmakers from both sides of the aisle have begun to argue the security community’s long-held stance that a regulatory solution is impossible and that State must return to the table to renegotiate the terms of the arrangement.
“While well-intentioned, the Wassenaar Arrangement’s ‘intrusion software’ control was imprecisely drafted, and it has become evident that there is simply no way to interpret the plain language of the text in a way that does not sweep up a multitude of important security products,” Langevin said Monday.
The contentious language eventually led to a reported stalemate between the three agencies. Some in the security community, as well as some lawmakers, have complained that the State Department was dragging its feet by insisting that any changes to the language happen on the domestic regulatory level rather than through a renegotiation of the terms it agreed to in 2013.
The agency appears to have given in to the pressure. The administration filed a proposal on Monday to eliminate the 2013 controls on the development of intrusion software, according to a congressional aide with knowledge of the proceedings.
“By adding the removal of the technology control to the agenda at Wassenaar, the Administration is staking out a clear position that the underlying text must be changed,” Langevin said.