State Dept. effort to update international cybersecurity transfer rules fails

Congressional Cybersecurity Caucus co-chair Jim Langevin (D-R.I.) acknowledged Monday that the U.S. failed to implement language in an international export control agreement to allow the transfer of computer hacking software for defense purposes at a meeting in Vienna, Austria, earlier in December.

The Wassenaar Arrangement, first agreed to in 1996, now incorporates 41 countries and sets rules and transparency guidelines for the sale and trade of materials and technologies that have potential military uses.

The U.S. Commerce Department’s Bureau of Industry and Security, as well as U.S. cybersecurity sector leaders have advocated amending a rule implemented in 2013 to distinguish between intrusion software and technology or research tools used to protect computer systems. The wording of the current agreement is not detailed enough to explicitly isolate harmful computer code, also known as malware, thus prohibiting useful technology from being shared between allies.

National Security Advisor Susan Rice outlined the specific amendment being sought, and was represented by personnel from the State Department in Vienna who had the task of convincing all 40 countries to agree with new language. Under Wassenaar rules, unanimous consent is required for the adoption of an amendment.

Also involved in the revision advocacy effort were Luta Security founder Katie Moussouris, director of public policy at computer security company Rapid7, Inc., Harley Geiger, and Dell Technologies vice president Iain Mulholland.

Greiger explained how the current agreement prohibits the sharing of certain malware code between countries, a practice used to defend against cyberattacks.

“Although some helpful changes were made, the problematic ‘technology’ category definition was not changed,” he said of the meeting. “This broad description could result in security researchers and companies having to obtain export licenses in order to share exploit code across borders.”

Asked for additional comment by AP, Rep. Langevin warned that the consequences of continuing to abide by such cumbersome rules could be devastating for America.

“U.S. cybersecurity and that of our allies will be imperiled if companies and researchers are not able to quickly share defensive tools,” he said.


[AP] [The Hill] [Image courtesy Estonian World]