On a daily basis, a barrage of threats against the US homeland endangers the nation's interests, making it imperative that the government promote safety and resiliency through policy and protocol. One way to do this is for nations to exercise export controls on goods, technologies and widely used weapons, and then to coordinate those controls in a joint effort to keep such items out of the hands of terrorists and extremists.
The Department of Homeland Security (DHS), through its National Protection and Programs Directorate (NPPD), promotes such defensive efforts. However, one mechanism for doing this, the Wassenaar Arrangement, recently came under fire during a hearing.
The Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee and the Subcommittee on Information Technology of the Committee on Oversight and Government Reform recently held a joint hearing to give government and industry officials the opportunity to comment on the impact of the Wassenaar Arrangement on US businesses, the cybersecurity industry, and the American people.
The Wassenaar Arrangement was established 20 years ago to advance regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies. Forty-one countries participate in the Wassenaar Arrangement.
In 2013, an amendment sought to expand export controls to cybersecurity intrusion and surveillance software and technology, in an effort to prevent technology companies from selling surveillance technology to governments with a known history of human rights abuses.
John Ratcliffe (R-Texas), chairman of the Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee, explained, “These changes were motivated by a desire to prevent authoritative regimes from repressing their people.”
Although Ratcliffe described the intention behind the amendment as "noble," it has come under fire from the cybersecurity industry, academics, and researchers, as well as the energy and financial sectors, who worry that the controls could limit the ability to identify and fix security vulnerabilities. Ratcliffe also raised concerns that the amendment could have a counterproductive impact on cyber threat information sharing.
“I agree that we should strive to limit dangerous technologies from falling into the hands of bad actors,” said Ratcliffe. “But national security and Americans’ personal security can’t be sacrificed. There are many ways the United States strives to combat human rights violators and I hope to hear today about why this route was chosen over other options.”
Chairman of the House Committee on Homeland Security, Michael McCaul (R-Texas) raised similar concerns, fearing the agreement could “hobble the entire cybersecurity ecosystem.”
“If the matter at hand was simply a question of efficacy, we wouldn’t be here today,” said McCaul. “If the only concern was that the Wassenaar Arrangement might have room for improvement, this conversation would be very different. But what has been violated here is the fundamental adage of ‘do no harm.’ The State Department agreed to an Arrangement that would restrict a broad group of information security tools and products.”
Multiple witnesses were called to speak during the hearing, including representatives from the federal government and the private sector.
Phyllis Schneck, NPPD Deputy Under Secretary for Cybersecurity and Communications, agreed with Ratcliffe’s assessment, saying, “We need to ensure that in implementing the 2013 control, the US does not inadvertently create greater problems and more risks than the security concerns that the control was intended to address.”
To set the context for the discussion on the 2013 amendment, Schneck explained that the NPPD leads the national effort to protect and enhance the resilience of the nation’s physical and cyber infrastructure. NPPD works closely with the private sector—including vendors, developers, and researchers—to come up with innovative solutions to protect the nation from risk.
Schneck emphasized that cybersecurity is characterized by “rapid change.” In this environment, the ability to share cyber threat information is vital—a fact that must be taken into account when discussing how to implement the Wassenaar Arrangement. Government policies should be designed to motivate innovation within the private sector.
Schneck noted that the intent behind the agreement was legitimate, but that implementation could have negative consequences. She explained, “The Wassenaar Agreement on Intrusion and Surveillance Items was developed in response to a legitimate concern: reducing the proliferation of dual-use technologies that are used for malicious surveillance or hacking. But in implementing that control we need to avoid unintended consequences on cybersecurity.”
“We also need to ensure that implementation of the Wassenaar control does not unduly disadvantage these companies in a global competition with their international peers,” Schneck said.
Schneck concluded that the nation needs a balanced approach that both incentivizes cyber research and developments while making it difficult for authoritarian governments “to monitor dissidents or for cyber criminals to steal data about US citizens.”
She also noted that, “The inherent nature of many ‘cyber technologies’ is that they are technologically agnostic; that is, the same software that is used to test a company’s cybersecurity can be used to conduct unauthorized or illegal surveillance. This demonstrates the complexity of the issue, and why further discussion is needed.”
Witnesses from the private sector also spoke at the hearing. Iain Mulholland, Vice President of Engineering Trust and Assurance at software solutions provider VMware, Inc. explained that, “The global digital ecosystem is experiencing a level of cyber attacks and sophistication that we have never seen.”
With the rise in the number and sophistication of cyber attacks, it is imperative that organizations are able to use every tool at their disposal to protect against and respond to attacks. Mulholland believes the 2013 Wassenaar rules would take away some of these tools, limiting VMware's ability to develop and share the code it uses to test for security vulnerabilities in its products, services and global infrastructure.
Mulholland pointed out that although the Wassenaar Arrangement was put into place to assist international and local security efforts, and to promote transparent and responsible transfers of information and technology, it could have the opposite effect, undermining the United States' cybersecurity posture.
Vulnerabilities left unpatched could allow a malicious attacker to take complete control of critical infrastructure, and Mulholland argued that under the Wassenaar controls security flaws would likely go unreported.
“In 2015 alone, over half of the security vulnerabilities reported to the VMware Security Response Center from external parties have come from individuals or organizations located in Wassenaar countries,” Mulholland said. “In most cases, an export license would have been required for the party to report the security issue to VMware. A security researcher would likely not even know where they were exporting to since VMware employs security engineers of multiple nationalities in multiple time zones to provide ongoing monitoring for reports of security vulnerabilities in our products.”
Mulholland continued, “It is highly improbable that these small research companies or individuals will take on the administrative and financial burden of applying for export licenses simply to report security vulnerabilities and as a result, this important source of information will dry up, leaving vulnerabilities unreported and customers less secure.”
Mulholland called for the Wassenaar Arrangement to be renegotiated, saying, "We receive cyber threats against our networks and our customers from all over the world. Even if the US fixes its policy here domestically, it will not enable us to continue to receive critical and timely threat information-sharing from outside our borders."
Mulholland also praised the Bureau of Industry and Security (BIS) and the Commerce Department for reconsidering their original draft proposal and hosting a series of public forums with a range of stakeholders to try to find a reasonable solution.
Moving forward, Mulholland recommended that BIS and the Department of Commerce continue to keep all options on the table.
Ann K. Ganzer, Director of Conventional Arms Threat Reduction for the Bureau of International Security and Nonproliferation at the Department of State, testified that the State Department is taking the feedback it has received from private industry very seriously.
Ratcliffe pointed out to Ganzer that members of the private sector are calling for the Wassenaar Arrangement to be renegotiated. However, Ganzer stated that it is premature to move to renegotiate the Wassenaar Arrangement, since it operates by consensus, and of the 41 countries who have adopted it, 31 have already implemented it.
Consequently, Ganzer explained, the government, working with Congress, will need to be very careful in deciding how to move forward.