The Obama administration will reportedly seek to renegotiate a controversial cybersecurity export control rule required to be implemented into U.S. regulations by the Commerce Department under the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. The Wassenaar Arrangement is based on a multilateral agreement reached by the founding countries in 1995. Each participating state is responsible for implementing export controls based on annually updated control lists of munitions and dual-use goods and technologies (i.e., having both commercial and potential military applications) through its national legislative or regulatory process. The United States has implemented the export controls required under the Arrangement via the Export Administration Regulations (EAR) and its Commerce Control List (CCL).
The Department of Commerce’s Bureau of Industry Security (BIS) issued a proposed rule in May 2015, indicating its intent to implement a license requirement for the export, reexport or in-country transfer of certain intrusion and surveillance items. The controls focus on items associated with “intrusion software,” which critics argued was defined so broadly as to subject to licensing requirements the legitimate use of certain commonly-used cybersecurity tools. (For more information on the original proposal, see Alston & Bird’s alert on the topic here.) After intense pushback from industry and lawmakers, BIS withdrew the proposed rule. Now, the Department of State, which negotiates on behalf of the U.S. under the Wassenaar Arrangement (and agreed to the 2013 updates BIS attempted to implement in the proposed rule), has reportedly taken formal steps seeking to renegotiate the “intrusion software” controls on the list of controlled dual-use goods. Specifically, the Department of State has reportedly included this issue on the agenda for the next meeting of the Wassenaar member countries, which will take place in March.
The Administration’s decision to go back to Wassenaar followed a January 12, 2016 hearing of the Information Technology Subcommittee of the House Oversight and Government Reform Committee where government and industry witnesses addressed the role of the Wassenaar Arrangement, the proposed rule, and the potential impact on American businesses and the cybersecurity industry.
On February 29, 2016, in response to the administration’s decision to attempt to renegotiate the controls, Rep. Jim Langevin (D-RI), a co-founder of the Congressional Cybersecurity Caucus who has been vocal about the over-broadness of the BIS proposed rule stated:
While well-intentioned, the Wassenaar Arrangement’s ‘intrusion software’ control was imprecisely drafted, and it has become evident that there is simply no way to interpret the plain language of the text in a way that does not sweep up a multitude of important security products. By adding the removal of the technology control to the agenda at Wassenaar, the Administration is staking out a clear position that the underlying text must be changed. Furthermore, the Administration leaves open the possibility for further alterations to the control pending additional interagency review.
In a March 1, 2016 letter to thirteen major industry groups, Secretary Pritzker explained that the Administration would continue its discussions at Wassenaar “aimed at resolving the serious scope and implementation issues raised by the cybersecurity community,” and warned that “we cannot predict the outcome of these discussions and negotiations.” At least for now, the decision to seek to renegotiate the rule is a testament to the power and value of well-reasoned and sustained engagement by the business community.