Commerce Dep't struggles to implement anti-cyberwar regs


The U.S. government is back to square one in its efforts to implement an export control regime for intrusion software and Internet Protocol (“IP”) network communication surveillance systems. After a controversial rule proposal by the Bureau of Industry & Security (“BIS”) was quashed by fierce industry opposition, the BIS is now seeking alternative means of regulating transfers of cybersecurity technologies.[1]

The rule proposal arose from a 2013 determination by the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, a forty-one-nation multilateral export control regime with the goal of “promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies,”[2] to add cybersecurity technologies to its export control list.[3] The control list already regulates transfers of small arms, light weapons, aircraft, tanks, and other weapons that can be used by terror organizations, so cyber weapons were a natural next step.[4]

The Wassenaar Arrangement is not a treaty; it merely implements “non-binding best practices.”[5] Participating states are directed to enact national legislation and policies to ensure that transfers of dual-use goods and technologies “do not contribute to the development or enhancement of military capabilities which undermine” the organization’s goals of transparency and responsibility.[6] While there is no direct penalty for failure to abide by Wassenaar decisions, the criteria for admission to Wassenaar require that a nation have “taken the [Wassenaar Arrangement] Control lists as a reference in its national export controls . . . .”[7] Therefore, discrepancies between a country’s export policies and Wassenaar's may cause geopolitical tensions.

What is Cyberwarfare?

Cyberwarfare is defined as “actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.”[8] Recent examples of this mechanism include: the covert introduction of a joint American-Israeli computer virus into the servers of Iran’s nuclear enrichment facility at Natanz resulting in the destruction of 1,000 centrifuges;[9] and the November 2014 hack and subsequent public release of Sony Pictures Entertainment’s confidential data.[10]

The United States has taken several steps to secure confidential government, military, private sector, and consumer information. First, President Obama issued Executive Order 13636, Improving Critical Infrastructure in Cybersecurity, in 2013.[11] The plan has five critical features: protecting the country’s critical infrastructure; improving the nation’s ability to identify and report cyber incidents to promote quicker response times; engaging with international partners to advance internet freedom; setting clear cybersecurity targets to secure federal networks; and shaping a cyber-savvy workforce.[12] The next step is to prevent invaluable cyber-technologies from falling into enemy hands, per Wassenaar.

U.S. struggles to implement Wassenaar protocols

[Photo: Kevin Wolf, Assistant Secretary of Commerce for Export Administration.]

Pursuant to U.S. membership in the Wassenaar Arrangement, the Commerce Department’s Bureau of Industry and Security (“BIS”) proposed a rule addendum to its Export Administration Regulations (“EAR”) on May 20, 2015, to implement the agreed-upon measures.[13] Interested parties were allowed to submit comments on the proposal through July 20, 2015.[14] This procedure ran counter to BIS’s normal policy of publishing Wassenaar control list entries as a final rule, and was adopted in order “to not take an action that would inadvertently harm our nation’s ability to engage in critical cyber defense and related research work.”[15] However, after receiving 264 mostly negative comments in the administrative notice-and-comment period, BIS chief Kevin Wolf told the House Committee on Oversight and Government Reform on January 14, 2016, that BIS “will not be implementing as final” the May 20, 2015, proposal.[16]

BIS’s proposal would have imposed a licensing requirement on exports of the following:

(1) “systems, equipment or components therefor specially designed for the generation, operation, or delivery of, or communication with intrusion software;”

(2) “systems specially designed or modified for the development or production of such systems, equipment or components;”

(3) “software specially designed for the generation, operation or delivery of, or communication with, intrusion software;”

(4) “technology required for the development of intrusion software;” and

(5) “Internet protocol network surveillance systems or equipment and test, inspection, production equipment specially designed components therefor, and development and production software and technology therefor.”[17]

“Intrusion software” was broadly defined as “software specially designed to avoid detection by monitoring tools or defeat protective countermeasures” of a computer or network-capable device.[18] Such software must be capable of performing either:

(1) “the extraction of data or information, from a computer or network-capable device, or the modification of system or user data;” or

(2) “the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.”[19]

This definition excludes information on how to discover a vulnerability in a system; information about the vulnerability; and information on testing the vulnerability.[20] The addition of network communication surveillance systems includes those acting “at the carrier level to intercept and analyze messages to produce personal and social information from Internet traffic.”[21] Finally, the proposed licensing requirement continues the registration of products for their information security functionality while setting forth new license review policies and special submission requirements.[22]

The argument for the proposed rule was premised on the belief that enhanced regulation of Internet surveillance technology would make confidential U.S. data safer from unwarranted access. Mandating a licensing procedure for virtually all U.S. exports of cybersecurity technology would limit the technological capabilities of terror cells and other parties whose interests are adverse to U.S. interests.

However, the prevailing sentiment among U.S. private-sector cybersecurity companies was that the regulation would have gone too far and would have done more to thwart cybersecurity than help it.[23] First, the opposition claimed the definition of “intrusion software” was too broad and therefore ineffective.[24] Opponents also warned that malware recovery tools, which allow hosts to “regain control of an infected system,” would be captured by the definition.[25] Additionally, some defense research tools would also be regulated because “they analyze malware to develop new defensive products.”[26]

Opponents also claimed that the definition of “intrusion software” “would impose a heavy and unnecessary licensing burden on legitimate transactions that contribute to cyber security.”[27] Government agencies and private-sector cybersecurity firms frequently check their own systems and networks to identify vulnerabilities.[28] When they find a threat, they provide their clients with mitigation tools to close off any possibility of unwarranted intrusion.[29] These tools, which generally include the ability to “avoid detection, defeat protective countermeasures, extract data or information, and modify system or user data,” share the same characteristics as a successful malicious attacker’s software.[30] Therefore, assessment teams require the freedom to test their own software in order to evaluate it effectively for vulnerabilities.[31]

Finally, and most importantly, opponents asserted that the proposed rule’s controls on development of “intrusion software” technology could severely hinder cybersecurity research.[32] Specifically, the proposal would have placed a licensing requirement on transfers of technical information across national borders, even between divisions of the same company.[33] To effectively identify and counteract threats, cybersecurity firms require the instantaneous collaboration of experts from around the globe;[34] having to wait even a few hours for approval to begin discussions of correcting these potential problems could “limit the ability to fix and patch such vulnerabilities, leading to an overall decrease in the quality of cybersecurity.”[35]

What now?

Several options remain available to BIS. Renegotiation of the 2013 Wassenaar amendment was one option discussed at the House of Representatives hearing.[36] Industry witnesses and members of the House committee were particularly emphatic that the U.S. could probably renegotiate a more favorable amendment, because the U.S. is home to a disproportionate share of the world’s cybersecurity firms, and because other nations[37] with major cybersecurity companies are not party to Wassenaar.[38] However, BIS and U.S. State Department panelists asserted renegotiation would be politically impossible because thirty-one of the forty-one Wassenaar countries had already implemented the amendment.[39] Other possible avenues discussed at the hearing were creating harsher criminal sanctions for cyber-criminals and economic sanctions targeting the malicious use of cyber-intrusion tools.[40] Regardless of the path BIS chooses, future rule proposals need to involve discussion from all interested parties to ensure a workable solution that promotes cybersecurity for both the private sector and the government.

[1] See Amanda DeBusk, Uncertain Fate of Cybersecurity Export Rule Following Congressional Inquiry, Hughes Hubbard & Reed LLP (Jan. 2016), available at

[2] About us, WASSENAAR ARRANGEMENT ON EXPORT CONTROLS FOR CONV'L ARMS AND DUAL-USE GOODS AND TECH. (last updated Jan. 20, 2016), [] [hereinafter “Wassenaar”].

[3] Public Statement: 2013 Plenary Meeting, Wassenaar Arrangement on Export Controls for Conv'l Arms and Dual-Use Goods and Tech. (Dec. 4, 2013), available at; see also Wassenaar: Cybersecurity and Export Control, U.S. Committee on Oversight and Government Reform (Jan. 12, 2016), []

[4] Wassenaar, supra note 2.

[5] Wassenaar, supra note 2.

[6] Wassenaar, supra note 2.

[7] Philip Griffiths, Guidelines and Procedures, including the Initial Elements, WASSENAAR ARRANGEMENT ON EXPORT CONTROLS FOR CONV'L ARMS AND DUAL-USE GOODS AND TECH. 12 (Dec. 2015), available at

[8] Richard A. Clarke, Cyber War 20 (2010).

[9] Kim Zetter, An unprecedented look at Stuxnet, the world’s first digital weapon, Wired (Nov. 13, 2014), [].

[10] David E. Sanger & Nicole Perlroth, U.S. said to find North Korea ordered cyberattack on Sony, N.Y. Times (Dec. 17, 2014), [].

[11] Exec. Order No. 13,636 (Feb. 12, 2013), 78 Fed. Reg. 11,739, available at

[12] See id.

[13] Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items, 80 Fed. Reg. 28,853 (proposed May 20, 2015), available at [hereinafter “Proposed Rule”].

[14] Nate Cardozo and Eva Galperin, What is the U.S. doing about Wassenaar, and why do we need to fight it?, Elec. Frontier Found. (May 28, 2015), [].

[15] Wassenaar: Cybersecurity and Export Control: Hearing Before the Subcomm. on Information Tech. and Subcomm. on Cybersec., Infrastructure Protection, and Sec. Tech. of the H. Comm. on Oversight and Gov't Reform, 114th Cong. 2 (Jan. 12, 2016) (statement of Kevin J. Wolf, Assistant Sec. Commerce for Export Administration) [hereinafter "Wolf Statement"], available at

[16] Id., at 2-3.

[17] Proposed Rule, supra note 13.

[18] Id.

[19] Id.

[20] Robert Rarog, Wassenaar Arrangement Control Implementation: Intrusion and Surveillance Items, Bur. Indus. and Sec. 7 (last visited Feb. 17, 2016), available at [].

[21] Id. at 9.

[22] Proposed Rule, supra note 13.

[23] Neil Martin & Tim Willis, Google, the Wassenaar Arrangement, and vulnerability research, Google Online Security Blog (July 20, 2015), [].

[24] Wolf Statement, supra note 15, at 2.

[25] Id.

[26] Id.

[27] Id. at 2-3.

[28] Id.

[29] Wolf Statement, supra note 15, at 2.

[30] Id.

[31] Id.

[32] Id.

[33] Proposed Rule, supra note 13.

[34] Wolf Statement, supra note 15.

[35] Id.

[36] DeBusk, supra note 1.

[37] Brazil, India and China are not party to the Wassenaar Arrangement.

[38] See DeBusk, supra note 1.

[39] See id.

[40] See id.

Posted by Joseph A. Fleishman on Wed. February 17, 2016 9:52 PM
Categories: Cyberwarfare, Free Trade, Intellectual property, International regulatory coordination, Reports (longer, analytical blog posts), United States


UNC School of Law | Van Hecke-Wettach Hall | 160 Ridge Road, CB #3380 | Chapel Hill, NC 27599-3380 | 919.962.5106
