Cyber threats move at Internet speed and so must cyber responders, to protect networks and data across the globe. Imagine the impact on cybersecurity if responders, innovators, and developers were told to pause and apply for an export license before responding to a threat. With a new round of international negotiations about to begin for the Wassenaar Arrangement, now is the time to press hard to arrive at a workable international standard that protects, rather than undermines, cybersecurity.
In 2013, the Wassenaar Arrangement, a 41-country international forum that seeks consensus among its members on dual-use export controls, adopted new controls on “intrusion software” and “carrier class network surveillance tools.” The purpose behind these controls is worthy: protecting human rights activists and political dissidents from surveillance by authoritarian governments.
Unfortunately, the approach proposed by the Wassenaar regulation misses the mark, and indeed, the controls would ultimately undermine that goal by making it harder for cyber responders to defend against the use of surveillance technologies. Because the regulation is so overly broad, it would require cyber responders and security researchers to obtain an export license prior to exchanging essential information to remediate a newly-identified network vulnerability, even when that vulnerability is capable of being exploited for purposes of surveillance. It would also require an onerous licensing process for sales of strong cybersecurity tools and services by companies around the world, and in some cases, could prohibit their sale altogether.The Coalition for Responsible Cybersecurity, together with industry associations, academics, and researchers, have filed comments with the US government and provided white papers on the controls to a variety of governments. In 2016, the Coalition supported the US government’s work to begin the process of reshaping these controls. However, the proposed revisions for 2016 were modest and not ultimately adopted, and indeed, more can be done to revise and clarify the controls to ensure that they do not jeopardize security or weaken global cybersecurity efforts.
In 2017, there is a real opportunity for industry, academia, and researchers to work with the US government and other Wassenaar arrangement member governments around the world to fashion a workable standard that strengthens cybersecurity while protecting human rights and political dissent. It is critical that those concerned about these controls step up to the plate and offer constructive solutions before the window to do so closes.
For 2017, industry, academia, and researchers should push together for the following four key steps:
- Stop any further efforts by the US government to implement the Wassenaar Arrangement controls in their current form, and work with other governments who have already implemented the controls, such as the United Kingdom, to clarify the scope and intended application so as not to harm defensive cybersecurity.
- Support efforts by the US government in 2017 to advocate for meaningful changes to the controls, including by revising the overbroad definition of intrusion software, and by limiting the controls on related software, hardware, technology, and information sharing.
- Work with the governments of Canada, Australia, New Zealand, the United Kingdom, the Netherlands, France, and Germany to fashion a different approach to curbing sales of harmful products and services to objectionable end-users.
- Advocate for opening the Wassenaar Arrangement discussions on these controls to broader engagement with industry, academia, and researchers—the technical experts on these subjects—through industry forums, two-way feedback mechanisms, and inclusion of a broader range of technical experts in the Wassenaar Arrangement working sessions, in order to ensure that policy makers have an accurate and fulsome understanding of the relevant technology, and to enable all interested parties to work together to find the right solution to this challenge.