Last week, the Center for Strategic & International Studies (CSIS) hosted several high-profile private industry representatives to discuss the Department of Commerce, Bureau of Industry and Security’s (BIS) proposal to implement the December 2013 Wassenaar Arrangement agreements regarding intrusion and surveillance items. The proposed implementing rule, which we profiled earlier this summer, has already created quite a stir—the definitions of items that would be subject to the new, restrictive controls are vague and may pose a significant challenge to entities’ commercial standing and ability to innovate and conduct research in this area.
CSIS’s panelists represented a diverse cross-section of the cybersecurity industry, including highly esteemed policy and legal personnel from Microsoft, FireEye, Symantec, and HackerOne. The panel highlighted several key challenges that the proposed rule would pose for private industry, including the broad and somewhat nebulous scope of the products and technology to be controlled.
Another challenge stems from the proposed rule’s manner of operation. By targeting the technical characteristics of products and related technology, and not the context of or intent behind their use, the proposed rule may have a negative impact on the way in which many commercial and research entities currently research, analyze, discuss, and create solutions to protect against the malicious intrusion and surveillance items that appear to be the true targets of the new controls. If the controlled items are too broadly defined and related activities are too tightly regulated, many worry that the proposed rule may stymie or even cripple critical innovation, research, and other activities of the U.S. cybersecurity industry.
The panelists appeared to agree that more comprehensive dialogue between government regulators and industry experts on intrusion and surveillance products and related technology is a critical step to resolving many of the potential issues posed by BIS’s proposed rule, particularly with regard to developing a more tailored definition of the items on which controls would be imposed. You can find more information on the panel and discussion, including a video of the panel’s presentation, via CSIS’s website.