Export Controls: The Next Frontier in Cybersecurity?

When it comes to cybersecurity, issues such as data protection or data localization tend to dominate the headlines, as well as regulators’ attention. But a number of other developments are unfolding which have significant repercussions for the sector, even if they have gone largely unnoticed. These relate to two different sets of export control regulations.

Last week, governments met in Vienna to once again discuss proposed multilateral export controls on intrusion software proposed under the Wassenaar Agreement. Meanwhile in Brussels, the EU is moving ahead with a proposal for export controls on cyber-surveillance tools, as part of proposed revisions to its trade regulations. Both of these regulatory efforts are a matter of considerable importance for network owners, cyber responders, policymakers, and academics alike – many of whom came together to discuss the topic in Brussels last week, at the invitation of the Coalition for Responsible Cybersecurity and BSA | The Software Alliance.

The EU’s proposed controls on cyber-surveillance tools are particularly broad, having been expanded to include not only intrusion software but also monitoring centers, lawful intercept and data retention systems, and digital forensics. In essence, it creates an entirely new area of regulation for “Other Items of Cyber-Surveillance Technology”.

Much like the Wassenaar member states’ efforts, the EU’s intentions are focused on protecting human rights. Governments around the world are struggling to balance a range of issues thrown up by technological progress, including the line between technology used to secure and technology used to surveil. Both the Coalition and BSA believe more can and should be done to shore up human rights in the digital era. But many of the technologies which would fall under the scope of these two controls are in fact the solution, not the problem – they can be used to safeguard human rights and protect national security.

As MEP Marietje Schaake has said, “the question is how to make sure that stopping such exports is achieved in a targeted way, without unnecessary burdens, and in a way that provides legal clarity and certainty for business as well as authorities. It is absolutely essential that legitimate security research is not hindered. More information exchange, greater transparency, and much clearer guidance on how criteria such as human rights and repression should be interpreted are key.”

One of the principal challenges relates to the breadth of the proposed controls. When the definitions of what should be considered as “intrusion software” or “cyber-surveillance tools” are too broad, this not only risks impeding the development of defensive cyber-technologies, it also leaves the door wide open to confusion and misinterpretation. In many instances, there is broad agreement as to the specific systems which are of most concern to governments, but so far definitions and associated control descriptions remain broad, vague, and subject to multiple interpretations. Both industry and academics have expressed concern about this issue, which is only compounded by a lack of transparency into the process by which the Wassenaar member states define their terms.

Regulatory challenges of this scale warrant deep engagement with private sector experts, who can help ensure any regulation is logically scoped, sufficiently specific, or even purely sanctions-based. This is the path to providing the clearest guidance; a way to protect individual rights whilst supporting European growth and innovation, and avoiding unintended consequences.

The Coalition for Responsible Cybersecurity, along with many others in the sector, encourages governments to continue to address both the intrusion software controls and the proposed controls on cyber-surveillance tools in a thoughtful and targeted manner, and we stand ready to engage in further dialogue on this critical issue.

Alan Cohn
Counsel, Coalition for Responsible Cybersecurity

Alan Cohn coordinates the Coalition for Responsible Cybersecurity, which was formed by leading cybersecurity companies to prevent dual-use export control rules from harming defensive cybersecurity products, services, and technologies.