WASHINGTON, DC—April 7, 2017—The Coalition for Responsible Cybersecurity, together with BSA | The Software Alliance, applauds the efforts of the U.S. government to return the issue of dual-use export controls on “intrusion software” to the 2017 Wassenaar Arrangement round of negotiations, for clarification and revision.
“The 2017 round of Wassenaar negotiations provides Wassenaar Arrangement member countries the opportunity to rescope and clarify these controls so that they reach only their intended targets, without having the kinds of unintended negative impact on cybersecurity tools and cyber incident response, data protection, data integrity, academic research and other concerns raised almost unanimously by industry, academia, and government,” said Alan Cohn, Of Counsel, Steptoe & Johnson LLP. “Requiring cybersecurity practitioners to obtain export control licenses prior to performing even basic remediation efforts is a recipe for disaster. Unless the Wassenaar Arrangement controls are meaningfully narrowed, network defenders will face significant time delays in their ability to respond to constantly evolving threats,” said Christian Troncoso, Director, Policy for BSA.
The Coalition and BSA urge the Wassenaar member nations to narrow and focus the controls on “intrusion software,” including revising the overbroad definition of “intrusion software” and limiting the controls on related critical cybersecurity software, hardware, technology, and information sharing. The Coalition and BSA also urge the Trump Administration to refrain from implementing the controls on intrusion software in the United States as currently written until these core defects in the Wassenaar Arrangement’s wording are resolved.
The Coalition and BSA encourage all Wassenaar member nations to engage broadly with industry, academia, and researchers to craft meaningful changes to the controls on “intrusion software,” take seriously the concerns raised in these letters, and commit to renegotiating the flawed provisions to ensure that global cybersecurity is not put at risk.
Background: The Wassenaar Arrangement is a 41-country international export control agreement. In 2013, “intrusion software” controls were added to the Wassenaar Arrangement’s list of dual-use technologies that members must subject to export controls. While well intentioned, the provisions were imprecisely drafted and as written would subject core defensive technologies and products to onerous licensing requirements that would advantage our adversaries by grinding much-needed cybersecurity activity and research to a halt. In some countries that have adopted the current Wassenaar language, the controls have also been ineffective in actually reaching their intended targets—barring specific companies from exporting specific tools to specific end-users for specific purposes—and international implementation and enforcement of the controls has been widely divergent and inconsistent. Governments, industry, academia, and the cybersecurity research community worldwide have all raised similar concerns about the controls.
The Coalition for Responsible Cybersecurity represents a broad cross-section of cybersecurity companies, including Symantec, Ionic Security, Intel, Microsoft, FireEye, Raytheon, Philips, and others.
BSA | The Software Alliance is an association of the world’s leading software companies that promotes policies that foster innovation, growth, security, and a competitive marketplace.
Steptoe & Johnson LLP
Alan Cohn, 202-429-6283 and Meredith Rathbone, 202-429-6237
BSA | The Software Alliance