Modern field guide to security and privacy

Cybersecurity pros makes final push to quash proposed export restrictions

Instead of the Commerce Department plan to limit the export of surveillance technology, many industry professionals and experts want entirely new proposals. 


With just three days left to comment on a controversial plan to stymie US exports of surveillance technology, many cybersecurity professionals are making their final pleas to kill the proposed trade restrictions. 

While many in the security community agree in spirit with the plan from the Department of Commerce’s Bureau of Industry and Security to limit overseas sales of spyware, especially to oppressive regimes, they also say the recommended pact is so broad and vague that it could harm the entire cybersecurity industry.

"Cyber is a space that is borderless and global. The rule needs to be re-looked at given the global interconnectedness of the industry," says Cheri McGuire, vice president of government affairs and security policy at the security firm Symantec.

Rather than restrict the export of spyware technology, the current proposal restricts the export of information about malicious software, the command platforms to control it, and the tools to make it.

Many experts say the Commerce Department proposal is written in such a way that it would prevent even transporting critical security software for testing global networks and would limit research between security labs in different countries. The department also warned that applications for a license to export technology that could be used for surveillance would be met with a presumption of denial, making it difficult for firms to get permission to do legitimate cybersecurity business overseas. 

The proposal is "well-intentioned, but has unintended consequences that must be addressed," said Eric Wenger, director of cybersecurity and privacy policy at Cisco, the world's largest maker of networking equipment. 

But if the policymakers at the Commerce Department go back to the drawing board, it's unclear what a replacement proposal would look like – and whether the security industry would like it any better.

The trade proposal resulted from the 41-nation Wassenaar Arrangement was originally intended to limit the sale of conventional weapons and expanded in 2013 to include restrictions on malware sales. Europe has already implemented the new limitations.

Instead of coming up with a new draft, the Electronic Frontier Foundation's Nate Cardozo says he wants the US to reopen the initial discussions that led to the software restrictions with the Wassenaar negotiators. That way, says the EFF staff attorney, the agreement could focus on actual spyware and surveillance products instead of the components that make or control those technologies.  

"What are they actually trying to control? Are they trying to control [the notorious spyware] FinFisher?" asks Mr. Cardozo, who recently filed a lawsuit against Ethiopia over its use of FinFisher, a maker of surveillance technology. "Why don’t they go after export of that kind of software directly?"

The idea of banning software that exfiltrates  – or steals – data without the users' knowledge is often cited as the utopian fix for the trade proposal. Sergey Bratus, a Dartmouth College computer science associate professor, originally suggested it in 2014 when the Bureau of Industry and Security first asked for comments on how it should impose the Wassenaar deal.

Cardozo says that comments he will submit Monday will urge the Department of Commerce to ease existing restrictions on exporting encryption technology alongside any rule to fight militarized spyware. Cardozo believes encryption would be a more successful measure to protect targets of repressive government surveillance.

"When I submit my comments about Wassenaar to the [Bureau of Industry and Security] on Monday,” he says, “the first point I will make is that if you think that this is a good idea, you have to remove cryptography from other export restrictions."

Restricting only exfiltration would assuage many concerns in the international community, says Ms. McGuire of Symantec, a founding members of the Coalition for Responsible Cybersecurity that launched this week as a show of force against the BIS draft policy. Focusing on exfiltration, she says, reassures foreign governments that the US isn't withholding cybersecurity tools for its own gain. 

But barring a complete renegotiation of the rule, McGuire says adding exemptions to BIS regulations for defensive cybersecurity products or research would appease many within the industry. 

McGuire says that approach would have been taken by BIS if it had consulted the cybersecurity industry as a whole, such as the National Institute of Standards and Technology did in preparation for recently released security best practices.

"Look at the NIST framework. It certainly went through a very lengthy process to ensure there were no consequences," she says.

Dave Aitel, chief technology officer at the security company Immunity inc., suggests the BIS remove the presumption of denial, and only mandate licenses for sales to hostile governments. But he isn’t convinced that any regulations, no matter how restrictive, would make much of an impact.

The recent data breach at Italian spyware seller Hacking Team proves his point, he says. It shows that Italy was willing to issue a “global license” to the company to distribute its surveillance software nearly anywhere, he says. If companies such as Hacking Team cannot be controlled by the regulations, how could they be at all successful, asks Mr. Aitel.

Though Aitel says the rules would not have much effect, he says modifying the proposal to something less “onerous” would be the end of a long struggle.

"I did not want my life to be consumed by Wassenaar for the past two years," he said. “But here we are. It’s an awfully important government process to have begun in such a broken way."


You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Cybersecurity pros makes final push to quash proposed export restrictions
Read this article in
QR Code to Subscription page
Start your subscription today