Dem asks White House to help rewrite anti-hacking export rules

Rep. Jim Langevin (D-R.I.) is asking the White House to step in and help rework proposed export regulations that security researchers say would obstruct important digital defense work and further expose American networks to hackers.

The cyber-focused lawmaker on Monday began collecting signatures on a letter to national security adviser Susan Rice that expresses his displeasure with the Commerce Department’s proposal.

{mosads}If implemented, Langevin said in his letter, the new rules “could seriously hinder our national security.”

The Commerce Department this summer issued the proposal as part of an effort to restrict the export of hacking tools — or “intrusion software” — that cyber criminals and repressive regimes could use to crack into company’s systems or to spy on journalists and dissidents.

But researchers and tech companies quickly came out against the rules, arguing that the broad language could criminalize legitimate efforts to inspect and secure networks around the globe, weakening overall cybersecurity.

“The definition of intrusion software,” Langevin said, “is very broad to the point that it includes a number of products regularly used for cybersecurity research and defense.”

In response to the outcry, Commerce said it would revise its proposal.

“I think you will see a very strong effort to be responsive to those comments and to try to figure out, ‘What is the next iteration of this?’ and frankly give people another opportunity to comment,” Deputy Secretary of Commerce Bruce Andrew said during a July podcast interview.

But Langevin is concerned that the Bureau of Industry and Security (BIS), which issued the proposal, may not be up to the task.

“We believe that clear advice from the Executive Office of the President will help BIS put these comments into context,” the letter said. “Therefore, we request that you take an active role in collaborating with BIS to reevaluate the [proposal].”

The suggested language would alter the Wassenaar Agreement, a little-known pact 41 countries have signed to control the export of weapons and so-called “dual-use” technologies that can be corrupted.

Intrusion software is seen as a “dual-use” tool because it can be used for defensive cyber research, as well as for offensive hacking campaigns.

The BIS offering tried to distinguish between offensive and defensive cyber tools. But Langevin called the attempted distinction “hopelessly misguided,” saying defensive researchers often need offensive tools to test for vulnerabilities in networks.

“This artificial distinction,” he said, “could have a chilling effect on research, slowing the discovery and disclosure of vulnerabilities and impeding our nation’s cybersecurity.”

Langevin, who co-chairs the Congressional Cybersecurity Caucus, is not the only lawmaker who has raised red flags about the rule.

He got House Homeland Security Committee Chairman Michael McCaul (R-Texas), Rep. Ted Lieu (D-Calif.) and Rep. David Schweikert (R-Ariz.) to sign on to an earlier letter to Commerce about the issue.

Sen. Charles Schumer (D-N.Y.) the third-ranking Democrat, has also sent Commerce a letter expressing similar disapprovals.

“A new federal rule is forcing companies and power utilities to fight the scourge of cyberattacks with one hand tied behind their backs,” Schumer warned in his letter.