Coalition for Responsible Cybersecurity Applauds Commerce Department Decision to Revise Proposed Export Control Rule, Seek Additional Industry Input

WASHINGTON--()--Today, the Coalition for Responsible Cybersecurity, formed to ensure that U.S. export control regulations do not negatively impact U.S. cybersecurity effectiveness, applauds the U.S. Department of Commerce’s decision to substantially revise its proposed export controls rule on cybersecurity tools and to seek additional industry input before opening a second comment period on the proposed rule.

“We are encouraged by the Commerce Department’s acknowledgment that the current Wassenaar proposed rule is overly broad and would harm cybersecurity innovation, testing, and research,” said Cheri McGuire, Vice President, Global Government Affairs & Cybersecurity Policy at Symantec Corporation. “While we still believe the best course of action is for the U.S. Government to return to the Wassenaar Plenary to amend the arrangement itself, we look forward to working closely with Commerce to develop and review any future proposals.”

The Coalition submitted specific, detailed comments to the Commerce Department to help ensure that U.S. export control regulations are informed by the realities of the cybersecurity world and do not inadvertently restrict beneficial activity or miss the mark in attempting to control malicious activity.

“We applaud the Commerce Department for taking this important first step in finding a better way to control malicious activity, without stifling the development of defensive capabilities and innovative and effective cybersecurity tools necessary to combat such activity,” said Adam Ghetti, CTO of Ionic Security. “We encourage the Commerce Department to fully engage with U.S. industry as it considers the best way to proceed.”

As highlighted in the Coalition’s formal comments on the proposed rule, U.S. companies design, test, develop, and field some of the world’s leading technologies in critical areas such as network monitoring, penetration testing, data protection and encryption. Development of these cutting-edge defensive technologies relies on the ability to conduct unfettered research into vulnerabilities (including novel, zero-day vulnerabilities), as well as reverse engineering cyber threats and other basic methods of cybersecurity research.

However, robust research and development are only feasible when there is an open, global market for the products. If U.S.-origin technology becomes “tainted” by burdensome export control and other restrictions, U.S. companies will lose their leadership position, to the detriment of all the companies, organizations, governments and individuals that rely on U.S. cybersecurity to defend against malicious attacks.

Moreover, U.S. companies “export” these defensive technologies virtually every second of every day. Imposing the far-reaching licensing requirements that the Commerce Department has proposed would not only harm U.S. cybersecurity companies, but would harm global cybersecurity itself.

Ultimately, there are better ways to control the type of malicious activity that the Commerce Department is trying to reach through these regulations. Criminal law, sanctions and controls on activities of U.S. persons modeled on existing regulations targeted at specific end-uses of research or technologies, all present better models for addressing the problem of malicious software and similar threats.

The Coalition for Responsible Cybersecurity represents a broad cross-section of cybersecurity companies, including Symantec, Ionic Security, FireEye, Synack, Intel, Global Velocity, WhiteHat, Trail of Bits, and others. It was formed to educate the U.S. government about the risks created by the proposed regulation.

Contacts

Steptoe & Johnson LLP
Alan Cohn, 202-429-6283
acohn@steptoe.com

Contacts

Steptoe & Johnson LLP
Alan Cohn, 202-429-6283
acohn@steptoe.com