Lawmakers from both sides of the aisle and executives from American technology giants lined up on Tuesday to urge the Obama administration to renegotiate the terms of an obscure arms control agreement that has fueled an acrimonious fight between Washington and Silicon Valley.
The pact in question, known as the Wassenaar Arrangement and in place since 1996, deals with the export of military technology and dual-use goods such as certain types of lasers. It was revised in 2013 to discourage the sale to authoritarian regimes of software — such as the spy program FinFisher — that could be used for surveillance purposes. When the Commerce Department last year issued a proposed rule for how to implement the new rules, security and tech firms went on the warpath, arguing that it was written so broadly that it restricted their own efforts to make secure software.
Those tensions were on full display at a hearing Tuesday before a subcommittee of the House Committee on Oversight and Government Reform, where executives from Microsoft, Symantec, and software giant VMware all said they believe American diplomats should scrap the 2013 revision and return to the drawing board. “Security experts should not have to pick up the phone in the middle of the night to call in an export control advisor to determine whether they can share certain technical information about an ongoing attack,” said Cristin Flynn Goodwin, an assistant general counsel at Microsoft.
The 2013 revision added “intrusion software” to Wassenaar’s list of controlled goods. It defined such software as programs capable of extracting or modifying data and other hacking capabilities. When the Department of Commerce went to interpret that rule, it considered a wide variety of programs subject to the arrangement, including programs to carry out penetration testing. Penetration testing involves examining programs for security vulnerabilities and is a bedrock tool for creating secure software.
Officials from the Departments of State and Commerce said Tuesday that they recognize their proposed rule — which sought to implement the 2013 revision — was written far too broadly, but they expressed skepticism that they would set the diplomatic wheels in motion to renegotiate the agreement. Vann H. Van Diepen, the principal deputy assistant secretary for international security and nonproliferation at the State Department, said that the proposal for the rule had “missed the mark,” but he said no decision had been made to renegotiate Wassenaar.
Repeatedly pressed by lawmakers on whether the Obama administration would be willing to do so, Van Diepen said that 31 of the 41 countries party to Wassenaar had already implemented its hacking provisions and had done so without controversy. Van Diepen said he hoped to learn from those countries’ experience to draft a narrower rule. Wassenaar, he noted, operates on consensus, and rewriting the 2013 provision would require the unanimous consent of countries that have already moved ahead with implementation.
The Commerce Department, charged with writing the rule, has since pulled it and has said it will rewrite it. Several lawmakers praised the department’s willingness to respond to criticism and reconsider the rule.
Kevin Wolf, the assistant secretary for export administration at the Department of Commerce, said the next iteration of the Wassenaar rule will once more be published as a proposal for the public to comment on. It remains unclear when the Obama administration will finish writing the rule.
Both Democratic and Republican lawmakers backed the tech executives and lambasted the Obama administration’s proposed rule. Rep. Michael McCaul (R-Texas), the chairman of the House Homeland Security Committee, called that language “simply unworkable.” Rep. James Langevin (D-RI) argued that the administration was pursuing the wrong approach in trying to restrict the availability of surveillance software — such as that sold by the Italian firm HackingTeam to governments in Sudan and Ethiopia — using the Wassenaar Arrangement.
Some critics of Wassenaar’s approach argue that a system primarily designed to control the export of physical military hardware — tanks and missiles, for example — is ill-suited to restricting the sale of code. Van Diepen said that Wassenaar has experience in regulating the export of software to control military systems, and that those controls have worked quite well.
But technology executives argue the requirement to secure export licenses for software that could be used to breach computers only hampers their efforts to create more secure computer systems. “We are trying to take a physical construct that has worked pretty well for 20-odd years and drop it into the digital world,” Iain Mulholland, vice president for engineering trust and assurance at VMware, told the committee.