In 2013, the Administration agreed to adopt broad export controls on cybersecurity software and technology under the Wassenaar Arrangement, a multilateral export control regime. It now concedes that it did so without a solid sense for collateral impacts on U.S. industry.
Nevertheless, in May 2015, the Administration proposed to amend the Export Administration Regulations to impose the new Wassenaar controls on exports of intrusion software and other cybersecurity tools and technology routinely used by U.S. and multinational companies to protect computer networks. [F/N 1] The proposal, which is reportedly intended to target the use of hacking tools by oppressive regimes, is extremely broad, restrictive, and prohibits the use of virtually all license exceptions.
Industry submitted over 260 public comments opposing the proposed rule. These public comments, primarily coming from large and small software companies, explain how the proposed rule’s definition of “intrusion software” is overly broad, would impose an unnecessarily heavy licensing burden on legitimate transactions that support the nation’s cybersecurity infrastructure, and would cripple legitimate cybersecurity research.
Earlier this week, the House of Representatives held a hearing on the Administration’s proposed cybersecurity rule. [F/N 2] Congressional members expressed concern with how the Administration agreed to such a significant multilateral control without knowledge of its impact on U.S. industry and questioned agency officials on whether the Administration will renegotiate the control with Wassenaar members. No commitment to seek changes at Wassenaar was provided and, in a prepared statement, the Administration advised that it has still not decided how to respond to the public comments.
This latest export controls problem created by the Administration is now complicated by the fact that other Wassenaar members have already implemented the controls. However, as discussed at the hearing, the proper approach to controlling cybersecurity activities is perhaps not through control of the underlying technology. Instead, if the stated intent of the proposed cybersecurity controls is to prevent U.S. persons from providing cybersecurity-related support to oppressive regimes, the government can narrowly tailor a law to criminalize the intentional, knowing or reckless provision of cybersecurity-related services to oppressive regimes—without unnecessarily and adversely impacting the U.S. cybersecurity industry. As shown by statements made by Congressional members at this week’s hearing, such a narrowly tailored measure could have easily garnered bipartisan support.
* * *
 80 Fed. Reg. 28,853 (May 20, 2015).
 See January 12, 2016 hearing of the House Committee on Oversight and Government Reform Subcommittee on Information Technology And the House Committee on Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies on Wassenaar: Cybersecurity and Export Control, available at https://oversight.house.gov/hearing/wassenaar-cybersecurity-and-export-control/
The above is not intended as an exhaustive list of restrictions that may apply to a particular transaction nor advice for a specific transaction because the specifics of an individual case may implicate application of other U.S. laws as well as foreign laws that carry added or different requirements. In addition, U.S. export control and sanctions laws are frequently subject to change. Such changes can affect the continued validity of the information above, which is based on U.S. law existing as of January 14, 2016. For these reasons, assistance from a qualified attorney competent to advise on such matters is highly recommended. Matthew A. Goldstein is an International Trade Attorney in Washington D.C. licensed to practice in the District of Columbia. He can be reached at (202) 550-0040 and Matthew@GoldsteinPLLC.com
Categories: Industry Alerts