Regardless of whether the U.S. government goes back to the negotiating table with the Wassenaar partner-nations, or structures rules in a way that doesn’t undermine legitimate security research, Internet Association member companies need continued access to the network security tools necessary to maintain their world-class systems.
Imagine this: a renowned technologist flies overseas for an international security conference to present her recent discovery of vulnerabilities in certain network systems. Her research could help engineers and developers strengthen systems and prevent nefarious attackers from accessing critical and sensitive networks and information. Once the applause from the presentation is done, she receives a notice that she violated international export controls and is subject to heavy fines… or worse.
This unfortunate scenario could become reality under new rules on “intrusion software” for the Wassenaar Arrangement. The Wassenaar Arrangement is a multilateral agreement among 41 countries – including the United States – to control exports of certain dual-use technologies. The agreement is designed to accomplish a worthy goal: promote international stability by closing vulnerability gaps and increasing responsibility and transparency in the control of sensitive exports that could fall into the wrong hands.
However, in a recent round of updates to Wassenaar, “intrusion software” was targeted for export control and, alarmingly, the U.S. government’s interpretation of these new rules could spell big trouble for companies conducting security research worldwide. If implemented, the updates would create confusing hurdles for researchers to jump through just to work on their own companies’ systems.
Security is improved by making systems more resilient – preventing vulnerabilities in networks will prevent bad actors from endangering users. In working to advance regional and international stability, it is essential that policymakers not insert unnecessary risks by building roadblocks for companies that are leading the way in security research.
The Internet Association filed comments last year requesting that the Bureau of Industry and Security improve the rules before implementing them. And now Congress is taking note. Today, the House of Representatives held a hearing on the implications for cyber security under the new Wassenaar language on intrusion software. The Internet Association included a letter to the Committees stressing the changes necessary to U.S. implementation of new Wassenaar rules to ensure that we are preventing, and not creating, weaknesses in network systems.