igor - Fotolia
The proposed Wassenaar Arrangement export control rules for cybersecurity software drew fierce criticism from big companies, and now, the U.S. Department of Commerce has said it will draft new rules due to the public comments on the matter.
"We are currently reviewing the public comments regarding the proposed rule," a Commerce Department spokesperson said. "In light of the high volume of comments received, it is likely we will publish a second proposed rule. We have no timetable for that action."
Google was the loudest dissenting voice in those comments, saying the proposed rules were "dangerously broad and vague" and "would have a significant, negative impact on the open security research community. They would also hamper our ability to defend ourselves, our users and make the Web safer. It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure."
Symantec Corp. has been the first to respond to the promise to rethink the rules by the Department of Commerce.
"We are encouraged by the Commerce Department's acknowledgment that the current Wassenaar proposed rule is overly broad and would harm cybersecurity innovation, testing and research," said Cheri McGuire, vice president of global government affairs & cybersecurity policy at Symantec. "While we still believe the best course of action is for the U.S. Government to return to the Wassenaar Plenary to amend the arrangement itself, we look forward to working closely with Commerce to develop and review any future proposals."
When asking for comments on the proposed cybersecurity software export rules, the U.S. Bureau of Industry and Security (BIS) was concerned with the number of export licenses a company would need in order to be in compliance and how the rules would affect "vulnerability research, audits, testing or screening and your company's ability to protect your own or your client's networks."
Because technology companies have teams located in different regions of the world that need to share software covered by the rules, Google, for example, claimed it would need thousands of new export licenses, while Symantec put the number at around 850. Both companies suggested the need to exempt intra-company exports from the rules.
Google also said there should be exemption that covered sharing controlled information for the purpose of fixing vulnerabilities, and Symantec asked for an exemption in sharing threat intelligence information used to prevent attacks.
The final suggestion from both companies was a need for clarity in the rules. Symantec asked for more specific definitions for terms like "rootkits" and "zero-day exploits," because it is currently unclear if these items are considered "intrusion software" under the proposed rules. Google wasn't as specific with its recommended clarifications.
"We acknowledge that we have a team of lawyers here to help us out, but navigating these controls shouldn't be that complex and confusing," Google wrote in a blog post. "If BIS is going to implement the proposed controls, we recommend providing a simple, visual flowchart for everyone to easily understand when they need a license."
Jeremiah Grossman, founder of WhiteHat Security Inc., based in Santa Clara, Calif., said the security industry as a whole needs to come together to help form the new rules.
"Everyone in the computer security industry immediately saw the deep rooted problems with the original Wassenaar proposal regarding software exports," Grossman said in a statement to TechTarget. "The Department of Commerce's decision to redraft the Wassenaar rules after public comment was a good one. This will give everyone the necessary time to reflect upon what a better export proposal might look like, and how we might further our collective goals as a nation and world community."
Learn more about the BSA calling for a unified European approach to cybersecurity