State Department reverses course on cybersecurity exports

The State Department aims to renegotiate an international pact designed to limit exports of surveillance software – bowing to pressure from Obama administration officials and cybersecurity experts.

After nearly 10 months of intense pressure from cybersecurity experts, the Obama administration will send the State Department to renegotiate a controversial arms control agreement meant to limit surveillance software exports.

The decision represents a turnabout for the State Department, which had resisted reopening talks with the 41 nations that are signatories of the Wassenaar Arrangement. But after widespread criticism that the trade pact would hamper the trade of legitimate security software, the US is aiming to return to the negotiating table.

"There is simply no way to interpret the plain language of the text in a way that does not sweep up a multitude of important security products," said Rep. Jim Langevin (D) of Rhode Island in a statement. "The Administration is staking out a clear position that the underlying text must be changed."

Representative Langevin says National Security Advisor Rice also became a strong factor in swaying Foggy Bottom to renegotiate the deal. Obama administration officials unanimously called for a new agreement at a meeting last week.

The controversy around Wassenaar began heating up last May when the Department of Commerce released proposed export regulations based on the pact's terms. Experts feared the broad language in the proposed rules would even ban some cybersecurity researchers in the US from jointly conducting security work abroad.

In addition to cybersecurity experts, US lawmakers and Department of Homeland Security officials also worried that Wassenaar's language could limit threat information-sharing initiatives and damage domestic security.

At a congressional hearing in January, the State Department publicly opposed renegotiating Wassenaar – citing the difficulty of signing another deal with the 31 countries that had already adopted the terms. Instead, the agency had hoped to satisfy critics by creating exemptions in the trade restrictions.

But those claims were met with Congressional skepticism. Soon after the hearing, however, State Department officials reached out to industry experts to work on a new proposal. 

"The [House Oversight] hearing hammered home the national security implications of the Wassenaar language," said Katie Moussouris, the chief policy officer of the bug bounty firm HackerOne.

A vocal critic of the regulations, Ms. Moussouris was one of the industry experts called in to work on the new proposal. She says the new draft language shifts the focus of the Wassenaar guidelines with a narrower focus on surveillance software itself.

Moussouris cautions that the State Department’s evolving position on cybersecurity exports does not mean the issue is closed. Other nations will still have to agree to change.

"We’ll consider the issue settled when we see it settled," she said.