Industry Alerts

State Department Holds Out on Doomed Cybersecurity Controls

Last month’s House Committee on Oversight and Government Reform’s hearing on Wassenaar Cybersecurity and Export Controls was highly critical of the Administration’s agreement to adopt broad export controls on cybersecurity software and technology under the Wassenaar Arrangement, a multilateral export control regime, without appropriate consideration of the cybersecurity implications of the new control. [FN 1]

The new Wassenaar cybersecurity control is reportedly intended to target the use of hacking tools by oppressive regimes. But the Administration’s proposed rule implementing the control in the Department of Commerce’s Export Administration Regulations is extremely broad and restrictive, and prohibits the use of virtually all license exceptions. [FN 2] Not surprisingly, the proposal is strongly opposed by U.S. industry, which submitted over 260 public comments opposing the Administration’s proposed rule.

Following testimony by government and industry representatives at the Committee hearing, several members of Congress sent Secretary of State John Kerry a letter requesting that he update their respective committees on options open to the State Department, and confirm whether or not the State Department will seek changes at the Wassenaar 2016 plenary session. [FN 3] Because the deadline for submission of Wassenaar proposals is the end of February, the letter requested a briefing for the House Committee on Oversight and Government Reform and the House Committee on Homeland Security no later than February 26, 2016.

The letter further stated:

“We unambiguously expect that the U.S. Department of State will work to renegotiate the controls at the Wassenaar plenary.”

As recently reported by The Hill, government and industry sources advised that the Departments of Homeland Security and Commerce agree that renegotiation of the control at Wassenaar is an option—but that the State Department is holding out. [FN 4] Reportedly, the State Department’s position is that the control language can be changed in implementation at the national level to alleviate industry concerns. But the new cybersecurity controls are proposed for implementation in the Department of Commerce’s Export Administration Regulations, not the State Department’s International Traffic in Arms Regulations, and the fact that the Commerce Department views renegotiation as an option is a strong indication that tweaks are not the solution.

*   *    *

[1] See January 12, 2016 hearing of the House Committee on Oversight and Government Reform Subcommittee on Information Technology and the House Committee on Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies on Wassenaar: Cybersecurity and Export Control, available at

[2] 80 Fed. Reg. 28,853 (May 20, 2015).

[3] See February 3, 2016 Letter to John Kerry, Secretary of State, available at

[4] Katie Bo Williams, “House Oversight presses Kerry to renegotiate cyber controls,” The Hill, February 8, 2016 (available at


*The above is not intended as an exhaustive list of restrictions that may apply to a particular transaction nor advice for a specific transaction because the specifics of an individual case may implicate application of other U.S. laws as well as foreign laws that carry added or different requirements.  In addition, U.S. export control and sanctions laws are frequently subject to change.  Such changes can affect the continued validity of the information above, which is based on U.S. law existing as of February 9, 2016. For these reasons, assistance from a qualified attorney competent to advise on such matters is highly recommended. Matthew A. Goldstein is an International Trade Attorney in Washington D.C. licensed to practice in the District of Columbia.  He can be reached at (202) 550-0040 and
