Dear Sir or Madam,
Thank you for your letter to Secretaries Kerry, Johnson, and me regarding implementation of the Wassenaar Arrangement “intrusion software” and surveillance technology provisions.
Since the publication of our proposed regulation last May to implement these controls, we have received substantial commentary from Congress, the private sector, academia, civil society, and others on potential unintended consequences of the 2013 Wassenaar controls, as well as on our proposal to implement them in U.S. regulation.
In response to these concerns, and as a result of extensive outreach efforts and further U.S. Government review, the United States has proposed in this year’s Wassenaar Arrangement to eliminate the controls on technology required for the development of “intrusion software.” We will also continue discussions both domestically and at Wassenaar aimed at resolving the serious scope and implementation issues raised by the cybersecurity community concerning remaining controls on software and hardware tools for the command and delivery of “intrusion software.”
These discussions will include significant consultations with other Wassenaar members and those in the U.S. government, private sector, and academic cybersecurity communities. The goals of these discussions will be materially address the concerns raised during the rulemaking process. They will also give the Administration a chance to share with our counterparts in other countries the U.S. cybersecurity communities’ concerns regarding the unintended consequences such controls could have.
Because changes in Wassenaar controls must be approved by all 41 members, we cannot predict the outcome of these discussions and negotiations. The Department of Commerce and our Federal partners, however, will continue to consult with the cybersecurity communities during the negotiations and we commit that we will not implement domestically any regulations on these specific controls without first giving the public an opportunity to participate through the notice and comment process of a proposed rule.
President Obama has identified cybersecurity as one of the greatest national security challenges we face as a Nation. Cognizant of this, we commit to ensuring that the benefits of controlling the export of the purpose-built tools at issue outweigh the harm to effective U.S. cybersecurity operations and research. We will also continue to analyze the role that appropriately scoped export controls could play within the larger strategy of countering the growing capability of malicious actors to cause harm through cyberspace.
Thank you again for your letter, and we look forward to working with your associations and your membership on this critical issue.