Yesterday Kevin Wolf, the Assistant Secretary of Commerce for Export Administration, testified before the House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies on the much reviled controls in the Wassenaar Arrangements on exports on certain software and technology. His testimony provides detailed insight into the interaction between the Bureau of Industry and Security, which is charged with implementing the Wassenaar Arrangement controls, and the technology and cybersecurity industry and community which was concerned about the overbreadth of the Wassenaar controls of “intrusion” software. This blog has previously articulated some of these concerns, particularly the extent to which the Wassenaar controls on “intrusion” software could reach auto-updating software, Address Space Layout Randomization (ASLR) security measures, and hot-patch programs.
Assistant Secretary Wolf’s testimony reveals that Commerce’s concerns about the potential overbreadth of the Wassenaar controls on intrusion software led the agency to take the “unprecedented step” of releasing the controls as a proposed rule and soliciting industry comments. Such a step is “unprecedented” because normally Commerce simply adopts and adds to the CCL all changes adopted by the Wassenaar Arrangement. The result of the request for industry comment, according to the testimony, was more than 260 comments, “virtually all of them negative.” The negative reaction was echoed in outreach meetings held by Commerce with industry. Assistant Secretary’s testimony summarizes these concerns, including the concerns we have expressed about how they would reach certain auto-updating and hot-patching programs.
Most importantly, Assistant Secretary Wolf’s testimony says this:
Neither the Commerce Department nor the Administration has reached a conclusion about how to respond to the public comments. We are still reviewing and considering them. … The commenters had many suggestions regarding how to address their concerns. The Administration will be reviewing all of them and many other ideas for how to address the policy objectives of the control but without unintended collateral harms. As I have said many times in response to questions about the rule, the only thing that is certain about the next step is that we will not be implementing as final the rule that was proposed.
The moral of this story is clear, even if the shape of the ultimate rule is not. The export industry, as demonstrated conclusively throughout the export control reform initiative, has been loath to comment on proposed rules, whether from fear of standing out from the crowd or because of a belief that such comments will have no effect. As a result, Assistant Secretary Wolf has been known to remark that industry gets the rules they deserve. The response of Commerce here to the issues raised in the comments and industry outreach, however, shows that there are times when public input will have an impact. So the moral of the story is simple: you may not get everything you ask for, but you’ll almost never get what you want if you don’t even ask for it.