Comment on BIS Proposed Rule on Wassenaar Arrangement

Washington, D.C. – Today, the Internet Association called for revisions to proposed Bureau of Industry and Security (BIS) rules that would make it more difficult for Internet companies to improve network security. In public comments submitted to the BIS, the Internet Association explains that the proposed rules, while well intentioned, should be rewritten as narrowly as possible to avoid unintended consequences on global Internet security research.

“Internet companies work tirelessly to protect their networks and end user data from outside attacks,” said Michael Beckerman, President and CEO of the Internet Association. “To that end, it is important that legal frameworks promote legitimate security research. The proposed rules will have the opposite effect, making it more difficult, not less, to fortify networks and protect end user data,” Beckerman concluded.

The comments outline how Internet Association member companies conduct security research, and raise a number of concerns with the proposed rules, including:

There is no intra-company exemption built into the proposed rules. As a result, companies may run afoul of the rules simply by sharing software or tools that leverage exploits for testing and validation purposes within their own teams.
The proposed rules are broad, ambiguous, and open to interpretation. Rules should be written as narrowly as possible, with the goal of minimizing their adverse impact on legitimate security research and testing.
In areas where the proposed rules are clearer, they create a significant regulatory burden. Any organization that wants to develop tools that would be controlled under the proposed rules will need to implement new or updated export control processes, which will incur additional costs and increase time to market. In addition, the proposed rules create complex hurdles for individual researchers who might otherwise be able to make meaningful impact on overall security.

The comments also recommend steps to bring the proposed rules in line with the harm Internet companies believe they are meant to target, including:

Introduce an intra-company exception.
Focus on exfiltration and the use of cybersecurity items for unauthorized activities, not the items’ technical capabilities.
Maximize clarity around acceptable uses that do not require a license.

###

News

Comment on BIS Proposed Rule on Wassenaar Arrangement

Board of Directors Statement on IA’s Future

IA Statement on Consumer Protection and Commerce Subcommittee Hearing

IA Statement on Communications, Media and Broadband Subcommittee Hearing

IA Congratulates Rosenworcel on Confirmation

IA Statement on Communications and Technology Subcommittee Hearing

IA Leads Multi-Organization Letter Opposing Canada’s Digital Services Tax

IA Commends U.S./India and U.S./Turkey DST Agreements

IA Applauds Chairwoman Rosenworcel, FCC for Approving Text-to-988 Suicide Prevention Order

Infrastructure Investment and Jobs Act Will Expand Broadband Access to More Americans

Snowden: Infrastructure Bill Will Positively Impact Americans for Generations to Come

Tiffany Haverly Joins IA as Communications Director, IA Builds Team With Two Additional Hires

Statement on House E&C Data Privacy Discussion Draft