The U.S. Commerce Department has found its rules on the export of security tools, especially those related to cybersecurity, to be too broad in nature. The Department held a comment period, which ended on July 20, and found that “The ambiguity in the definitions used in these rules creates an extraordinary gray area which makes it difficult for independent researchers and small companies to determine what is included under the proposed controls, especially the technology category.”
The Department proposed its new rules in accordance with the Wassnaar Arrangement — an international agreement designed to control the export of “dual-use” technologies, such as guns and landmines. Mark Kuhr, CTO of Synac, believes that while the intent of the rules is good, the focus needs to be much more narrow. Industry experts believe that the ambiguous rules can harm companies in the cybersecurity industry, by making it more confusing on which tools can and cannot be exported. It is held that more specific rules are in order especially for those who are not well-versed in export controls.
Tightening up its rules and regulations on the export of cybersecurity tools and devices is nothing new. Just two decades ago the U.S. added encryption software, biological weapons, tanks, artillery and aircrafts to its ITAR list. In 2013, the U.S. added surveillance systems to its list of controlled technologies after reports surfaced that they were being used in human rights abuse incidents across the globe. It will be interesting to follow the progression of this story to see how much the Commerce Department will adjust its rules.