WASHINGTON >> The U.S. government is rewriting a proposed rule, issued under an arms-control agreement reached 20 years ago, to make it simpler to export tools related to hacking and surveillance software, since the same tools are also used to secure computer networks.
The White House said it supports making cyber intrusion tools available overseas for legitimate cybersecurity activities, according to a letter made public Tuesday.
Industry groups and lawmakers have raised fears that overly broad language aimed at limiting the spread of such hacking tools would have unintended negative consequences for national cybersecurity and research.
As one of the 41 member countries of the 1996 Wassenaar Arrangement, which governs the highly technical world of export controls for arms and certain technologies, the United States agreed in 2013 to restrict tools related to cyber "intrusion software" that could fall into the hands of repressive regimes.
Monitoring still needed
The Obama administration agrees that "keeping these technologies from illegitimate actors must not come at the expense of legitimate cybersecurity activities," according to a letter from the National Security Council's Senior Director for Legislative Affairs, Caroline Tess. The co-chairman of the Congressional Cybersecurity Caucus, Rep. Jim Langevin, D-RI, made the letter public.
Tess said the White House has intensified its discussion with U.S. officials and industry and that the Commerce Department will not issue a final rule without an additional round of public comment on a revised draft version.
Langevin, however, said in a statement Tuesday that the problems may lie in the language of the 2013 control itself rather than in the U.S. rule implementing it, which would require a renegotiation of the 2013 agreement to limit such tools.
Efforts to come up with a workable U.S. rule have highlighted the difficulty of applying export controls designed for physical items to a virtual world that relies on the speedy, free flow of information for network security. Many companies operate in multiple countries and routinely employ foreign nationals who test their own corporate networks across borders.
In May, the Commerce Department's Bureau of Industry and Security proposed requiring export licenses for offensive tools, defined as software that uses "zero-day" exploits, meaning exploits for newly discovered vulnerabilities that have not yet been patched, and "rootkit" capabilities that give a person hidden, administrator-level control of a system.
But in cyber, "penetration is a defensive action, [testing] how the defenses work," said Jen Ellis, spokeswoman for Rapid7, Inc., which makes a penetration testing tool. "To get to that knowledge you attack yourself, you take offensive action for a defensive purpose. That's a classic example where we can't draw a clear-cut line. They are intentionally and necessarily the same thing."
The Boston-based cybersecurity company does business in 90 countries. The 2013 addition to the arrangement also covers technology used for developing intrusion software, which could affect security research as well as products.