Langevin Letter Addresses Export Controls on Cybersecurity Software

Jul 20, 2015 Issues: Cybersecurity

Congressman Jim Langevin (D-RI), a senior member of the House Committee on Homeland Security and its Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, submitted public comments to the Bureau of Industry and Security (BIS) at the Department of Commerce in regard to the Wassenaar Arrangement on international export controls. The proposed rule, issued on May 20, would govern the export of “intrusion software,” which was added to the list of controlled technologies by the Wassenaar Arrangement Plenary in 2013.

While the intent of the rule is to keep hacking tools out of the hands of malicious actors, Langevin believes BIS’s implementation of the controls is too broad and could therefore restrict research and slow the disclosure of vulnerabilities.

“We have seen time and again the havoc wreaked by data breaches and malicious hacks, and I appreciate the intent of the BIS to narrowly target offensive hacking tools and keep them from criminal organizations or repressive regimes,” said Langevin, who also co-chairs the Congressional Cybersecurity Caucus. “However, the proposed rule could have unintended consequences, negatively impacting a number of products that are solely intended for research. The change would draw a misguided line between offensive and defensive cyber tools, and I fear it would weaken our nation’s cybersecurity and overall national security posture.”

In particular, by presumptively preventing export of tools with zero-day and rootkit capabilities, the proposed rule would impair the comprehensive testing of risk management frameworks and the overall evaluation of cybersecurity. The proposal would also apply the United States’ “deemed export” regime to intrusion software and, as a result, could impede research and disrupt the entire reporting ecosystem. Even sharing vulnerabilities within a company could require licensing if a foreign national came into possession of the exploit, and American companies with international affiliates would be more open to attack.

“Reasonable export controls are absolutely necessary, but in the best interest of our national security and the security of all the Wassenaar Arrangement’s participating states, I believe the proposed rule must be more narrowly targeted to ensure the timely disclosure of vulnerabilities and support for the robust cybersecurity research we need,” Langevin said.

The submittal, which was also signed by Congressman David Schweikert (R-AZ), Congressman Ted Lieu (D-CA) and Committee on Homeland Security Chairman Michael McCaul (R-TX), calls for BIS to issue an additional draft rule for comment before finalizing any regulation. BIS has already held the comment period open for an additional 30 days due to concerns raised by private and academic stakeholders.