Cyber threats move at Internet speed and so must cyber responders, to protect networks and data both in Europe and across the globe. Imagine the impact on cybersecurity if responders, innovators, and developers were told to pause and apply for an export license before responding to a threat. That’s what will happen under a new and overbroad cybersecurity regulation aimed at “intrusion software.”
Recently, the Coalition for Responsible Cybersecurity and BSA | The Software Alliance hosted an event in Brussels to begin a discussion on the “intrusion software” regulation created by the Wassenaar Arrangement, a consortium of 41 countries focused on creating export controls on weapons and other sensitive items.
The purpose behind the intrusion software rule is worthy: protecting human rights activists and political dissidents from surveillance by authoritarian governments. Marietje Schaake, Member of the European Parliament, recognized at the event in a video for attendees, that “the EU’s policy needs to be reformed to be sure that certain dual-use items, including ready-made surveillance, intrusion, and exfiltration systems are not marketed and sold to authoritarian regimes.”
The Coalition for Responsible Cybersecurity and BSA | The Software Alliance agree, and recognize that more can be done to protect those who advocate for human rights. Unfortunately, the approach proposed by the Wassenaar regulation misses the mark, and would ultimately undermine that goal by making it harder for cyber responders to defend against the use of surveillance technologies. Because the regulation is so overly broad, it would require cyber responders and security researchers to obtain an export license prior to exchanging essential information to remediate a newly identified network vulnerability, even when that vulnerability is capable of being exploited for purposes of surveillance. The Coalition’s most recent comments on the intrusion software control can be found here.
While the cybersecurity community prides itself on being engaged and aware of security and policy issues impacting technology, this issue had not been the subject of robust discussion prior to its adoption at the 2013 Wassenaar plenary session. This is in large part due to the Wassenaar Arrangement’s confidentiality restrictions, which often treat the bulk of its negotiations as secret. While that may be appropriate when addressing nuclear issues and military armaments, it may not be the best regime to apply to address cutting-edge cybersecurity issues. The cybersecurity community wants to engage on ideas to help protect those involved in human rights against particular cybersecurity threats, and to be able to respond rapidly when new attacks are detected. Requiring licenses and export control reviews will only slow this down.
Put simply, the impact of the Wassenaar intrusion software regulation will create significant (and likely unintended) consequences including negative impact on cybersecurity response and product innovation. In order to address this effectively and to avoid similar developments going forward, a broader policy discussion is needed. That debate should not happen behind closed doors but should instead involve the security research community, businesses and civil society who can share their expertise and work together with Wassenaar Member States to achieve the dual goals of protecting human rights while also advancing cybersecurity.
Wassenaar Member States have the opportunity to modify this regulation in upcoming meetings of the Wassenaar Arrangement over the remainder of 2016. Based on news reports on recent discussions taking place in Vienna, governments recognize that change is needed. Europe has the opportunity to play a leading role in this discussion as most of the 41 members are European countries. The Coalition for Responsible Cybersecurity, along with many others in the security research and academic communities, stand ready to engage in further dialogue on this critical issue and encourage governments to continue to address both the intrusion software issue and the need to ensure greater transparency on cybersecurity’s role in export control discussions.