Recent amendments to the Wassenaar Arrangement (WA)—a multilateral voluntary agreement among 41 countries that places restrictions on the export of dual use technologies—have added intrusion software and Internet Protocol (IP) network surveillance systems to the list of technologies that cannot be exported. The amendments’ purpose is to prevent countries, known to be human rights violators, from purchasing technology that could enable their continued practice of violating human rights. Despite the amendments’ positive intention, the addition of these technologies to the agreement significantly limits data sharing opportunities and could potentially impede cybersecurity advancements for enterprises that operate globally.
According to cybersecurity experts, WA amendments would restrict sharing of cybersecurity research across borders, restrict cybersecurity tool availability—including to subsidiaries of U.S. companies—and restrict cybersecurity collaboration because information is deemed “exported” once it is shared with a non-U.S. person even while working for a company in the United States.
Critics of the WA amendments also argue that its implementation in the U.S. would cause the U.S. to fall behind other countries that have advanced cybersecurity industries but are not subject to the WA, like Israel, Brazil, Singapore, Russia, and China. Critics further note that nation states which violate their population’s human rights and other “bad actors” would still be able to purchase the software from countries that are not part of the multilateral agreement.
In May 2015, the U.S. Department of Commerce’s (DOC) Bureau of Industry and Security (BIS) proposed a rule to implement the WA amendments restricting the export of intrusion and surveillance technologies. During a period that allowed for open comments on its proposal, BIS received more than 260 comments that overwhelmingly criticized the WA for overreaching and hindering ongoing research and potential advancements in cybersecurity.
According to a public testimony provided by an associate of the Carnegie Endowment for International Peace, the language in the proposed BIS implementation of the WA amendments was more restrictive than the original language in the WA amendments. While the WA amendments focused narrowly on intrusion and IP network surveillance technology that is developed by companies and sold to foreign governments, the BIS proposed language appeared to include restrictions on individual cybersecurity research not intended for sale to foreign governments.
Following a backlash, the BIS retracted the proposed rule, and in January, the Assistant Secretary of Commerce for Export Administration testified before Congress that the agency planned to reengage cybersecurity public and private sector stakeholders to determine ways to move forward. The U.S. Government is currently renegotiating the terms of the WA amendments with its multilateral partners rather than attempting to rewrite or reinterpret the controversial elements.
The controversial WA amendments and subsequent response by the cybersecurity industry demonstrate that—regardless of size or industry—every company must retain a heightened posture of cybersecurity awareness and preparedness that includes:
- Regular cybersecurity vulnerability assessments that provide an updated and comprehensive understanding of related risks;
- The ability to leverage knowledgeable resources that can effectively address the impact of continually changing cybersecurity regulations on a company’s business;
- And the engagement of various stakeholders from the private sector, government, and informal cybersecurity networks that hold different and important perspectives on the ever evolving cybersecurity field.