Channel: Symantec Connect - Blog Entries

U.S. Commerce Department Controversial Cybersecurity Rule Will Weaken Security Industry and Worldwide Protections

Waiting Months for an Export License is Detrimental to Global Cybersecurity

In May 2015, the United States Department of Commerce published a proposed amendment to the U.S. export regulations that would cover cybersecurity products.  While the proposed rule may have been well-intentioned to protect national security interests and preserve human rights, the unintended consequences and practical results of implementation would have far-reaching and detrimental effects on the cybersecurity industry. 

The proposed rule would severely damage legitimate vulnerability research and security testing worldwide, and thus undermine our ability to protect our own networks and to innovate cybersecurity products and services.  The end result is that our customers – businesses, governments and consumers – would be less secure and at greater risk.

The proposal was precipitated by U.S. commitments under the Wassenaar Arrangement, a 41-country export control agreement that was designed to cover arms and dual use technologies and did not originally envision cybersecurity.  Though the Arrangement is not binding, it has been the policy of the U.S. government to fully implement agreements under the Arrangement and to update the export control regime accordingly.

The Commerce Department should reconsider this proposed rule, as the cybersecurity industry and those we serve will be impacted in the following ways:

  • Access to legitimate cybersecurity tools would be restricted, as the export of cybersecurity technologies and testing tools would be constrained, even to overseas subsidiaries of U.S. companies.

  • Research into cybersecurity vulnerabilities would be curtailed, as researchers would be hindered from testing networks and sharing technical information across borders.

  • Collaboration on cybersecurity risks would be harmed both within cybersecurity companies and with customers and industry partners, as information would be deemed “exported” if it is shared with non-U.S. persons, even if they are physically located in the U.S.

While the rule is directed at companies that create or sell “intrusion software” used to breach systems, its broad language will affect a wide array of legitimate cybersecurity research and network penetration testing.  As a global security company, with researchers based around the world, this regulation could require our American researchers to obtain a government license in order to have more than a cursory conversation about new security vulnerabilities with their co-workers overseas.  It also appears likely that we would need a new license every time we conduct defensive network testing for one of our own business units or a customer that resides outside the U.S. 

In Symantec’s 2015 Internet Security Threat Report, we highlighted that cyber attackers are becoming more and more sophisticated and leapfrogging defenses of organizations of all sizes.  In fact, nearly one million new malware variants are created every day, and there was a 40 percent increase year-over-year in targeted attacks against large enterprises.  The current threat landscape requires real-time security analysis, testing and deployment of protections.  Asking a multinational corporation that is at risk of a cyber attack to wait months for a license to be able to test its network defenses, or to receive the latest protections because its security provider is hampered from communicating across borders, is downright dangerous.

In addition, information sharing – a longstanding U.S. policy priority – would also be inhibited.  The rule would have a chilling effect on the security community writ large as sharing details about vulnerabilities and exploits with experts outside the U.S. could be prohibited without first obtaining an export license.  The simple fact is that the rule will not do anything to curtail illicit hacking and intrusions.  As drafted, the rule would do just the opposite.  It will handcuff legitimate security companies and researchers while imposing no restrictions on cyber criminals.  Ultimately, this will put citizens, businesses, and governments at greater risk of cyber attacks. 

The Commerce Department should reconsider the proposed rule and move for further discussion and analysis of the current agreement at the next Wassenaar Plenary meeting in 2016. 

