Critics pan changes to cyber export rules

A coalition of policymakers and cyber experts say they've failed to agree on changes to an international export pact they worry will hurt cybersecurity.

“I am deeply disappointed that Wassenaar member states declined to make needed updates to the intrusion software controls, particularly those related to technologies necessary for their development,” wrote Rep. Jim Langevin (D-R.I.) in a statement.

Langevin, along with a variety of U.S. agency representatives and a unified front of cybersecurity researchers, has spent the past 15 months pushing to change an arcane export control agreement known as the Wassenaar Arrangement. The agreement was updated this month, but Langevin and others say the changes were insufficient to address their cybersecurity concerns.

Wassenaar is a non-binding annual meeting of around 40 nations to develop controls for products with both military and civilian uses. In 2013, it veered into cybersecurity, posing new rules for exporting commercial militarized spyware, which was being used by regimes against activists and journalists. 

The rules did not take the subtleties of cybersecurity into account, and some of their restrictions could prevent the sharing of cyber research and information about threats. One key problem, critics say, is that by definition, sharing research on threats requires sharing the threat.

There were high hopes among advocates, alongside key industry figures like Katie Moussouris, chief executive of Luta Security, that negotiators had brokered a compromise. But the ultimate rule did not make all the changes they felt were necessary. 

“Although some helpful changes were made, the problematic ‘technology’ category definition was not changed. This broad description could result in security researchers and companies having to obtain export licenses in order to share exploit code across borders,” said Harley Geiger, director of public policy at the security firm Rapid7, in a statement.

Rather than immediately alerting the community to a current threat, a professional researcher might have to wait months for an export license.

“I am hopeful that the incoming administration will continue to press the case for sensible language changes during negotiations next year and continue to forbear exercising rulemaking authority on these controls until such changes are made,” said Langevin.