Upcoming Wassenaar meeting

/ August 19, 2016 at 3:02 PM

As a September technical meeting of Wassenaar export control group countries draws closer, sources believe members of the arms control organization will coalesce around language narrowing the scope of a specific technology control stemming from the 2013 definition of "intrusion software" that has drawn the ire of the U.S. cybersecurity industry, Inside U.S. Trade reports:

Industry sources welcomed progress made by the U.S. government and industry stakeholders in convincing Wassenaar members to seriously consider narrowing the technology control, but stressed that the root cause of the 2013 decision's negative impact on cybersecurity derives from the definition of "intrusion software" itself.

Three separate export controls on technology, software, and hardware stem from the “intrusion software” definition and, despite industry demands, redefining intrusion software or completely removing any of the three controls is currently not on the table among Wassenaar members, sources said. The U.S. early this year set out with the goal of eliminating the technology control altogether.

At issue is a non-binding arrangement intended to prevent intrusive software and network surveillance tools from falling into the hands of adversaries and oppressive regimes. But implementation of the agreement has prompted industry concerns about unintended consequences by blocking access to products and research that could be used to protect data and networks from malicious attacks.

The Wassenaar Arrangement was established with the goal of limiting and making more transparent the transfer of arms and duel-use items, with group decisions implemented through national measures.

Still, signs of progress on the technology control front are emerging as a technical Wassenaar meeting in September approaches. The outcome of that meeting is likely to closely correspond to what the arms control group considers and endorses at its December plenary.

Ahead of the September meeting, U.S. government and industry have made efforts to explain to other Wassenaar countries the negative cybersecurity implications that are likely to arise from the current controls and “intrusion software” definition, and the arms control groups has agreed to take a second look at the issue.

The U.S. cybersecurity industry in particular has focused on providing to other Wassenaar members real-world, granular, and specific examples of how the controls -- and the technology control specifically -- can stymie a robust cybersecurity regime, sources said.

Industry sources noted that the U.S. intends to finish its so-called “education” efforts ahead of the September technical meeting to maximize the amount of time spent discussing specific language to tighten the technology control. Wassenaar members are expected to spend two days at most discussing the issue, and the U.S. would prefer not to get bogged down in re-explaining the issue during that time, sources said.

Also still on the table are a number of exceptions from the export controls on technology, software and hardware stemming from the definition, those sources said.

Such carveouts would seek to define specific products and related processes and uses that would allow them to qualify for an export control license exception. The aim of those carveouts would be to avoid impingement on cybersecurity efforts that require the use of items that would be captured by the intrusion software definition as it currently stands, industry sources told Inside U.S. Trade.

Overall, the industry's goal, they said, is to make as much progress as possible at Wassenaar this year, provide feedback on a new Bureau of Industry and Security (BIS) draft rule to implement the controls likely to be issued a couple of months into 2017, and then make a request that the U.S. government return to Wassenaar with a fresh push for further revisions to the 2013 agreement if deemed necessary.

The revised BIS draft rule is expected to be much narrower in scope compared with the office's first attempt, which sparked outcry from the U.S. cybersecurity industry in the summer of 2015.

Regardless, industry sources characterized the two proposals -- carveouts and narrowing the technology control -- as progress but not a complete solution. Other Wassenaar members are unwilling to take more ambitious action for a number of reasons, source said.

First, some European members fear that too narrow of a definition could allow nefarious actors to easily gain access to intrusion software and then apply such software in a malicious manner. Second, some countries have already begun implementing the controls domestically, making a rewrite politically difficult.