A coalition of tech and business groups is pressing the Obama administration to renegotiate an international agreement designed to keep hacking tools out of the hands of repressive regimes.
{mosads}“Because cybersecurity efforts depend on global action, it is essential for the United States to take a leadership role in pushing for a renegotiation of these provisions at the Wassenaar Arrangement itself,” the group wrote in a Thursday letter to Commerce Secretary Penny Pritzker, Secretary of State John Kerry and Secretary of Homeland Security Jeh Johnson.
Signees included the U.S. Chamber of Commerce, the Financial Services Roundtable and several major tech industry groups.
At issue is the Wassenaar Arrangement, a pact with 40 other nations that regulates the export of weapons and “dual-use” technologies that have both civilian and military uses.
In 2013, the State Department agreed to expand the list of restricted technologies to include so-called intrusion software — digital hacking and surveillance tools that the agreement’s crafters were concerned could be used by to crack down on journalists and dissidents.
Following an interagency rule-making process that included State, the Commerce Department and the Department of Homeland Security (DHS), Commerce last spring released a draft rule in an attempt to implement the arrangement.
But security experts revolted.
They claimed many of the definitions are broad or vague, and could potentially ban the legitimate sharing of security vulnerabilities or the tools that companies use to test and fortify their own defenses.
“We think that trying to craft a regulatory definition that would capture offensive tools only while leaving defensive tools freely available is not possible,” Nate Cardozo, a staff attorney at the Electronic Frontier Foundation told The Hill. “We think it’s a fool’s errand to even try.”
T heir outrage attracted the attention of more than a hundred lawmakers, led by the co-chairmen of the House Cybersecurity Caucus, Michael McCaul (R-Texas) and Jim Langevin (D-R.I.), who in December urged the White House to step in and help rework the proposed rule.
At the time, observers said White House intervention was needed to break a stalemate between the three agencies responsible for implementing the agreement.
According to sources in the security industry, as well as some lawmakers, Commerce and the DHS had accepted that renegotiation of the overall agreement could be necessary but the State Department was dragging its feet, insisting that any changes to the language happen on the domestic regulatory level rather than through a renegotiation of the terms it had agreed to in 2013.
The House Oversight Committee earlier this month sent State its own letter urging it to renegotiate the arrangement.
“We are concerned the Wassenaar Arrangement may not be the appropriate framework to control cybersecurity tools,” the committee wrote. “We unambiguously expect that the U.S. Department of State will work to renegotiate the controls at the Wassenaar plenary.”
The business groups on Thursday echoed the committee’s call.
“The national security risks posed by the ‘intrusion software’ provisions agreed to at the 2013 Plenary cannot be effectively addressed through U.S. policy alone,” they wrote. “For these reasons, we strongly urge the Department of State to add renegotiation of the 2013 Plenary provisions regarding intrusion software and surveillance technology to the agenda for the 2016 March meeting.”