Step Away from the Wassenaar: The Case Against Cybersecurity Export Controls

by Ron Moritz, 10 March, 2016

Israel’s cybersecurity industry dominates the country’s historical, natural and geographically advantageous location at the crossroads of east-west commerce. Minimal government intervention enabled the birth of a cybersecurity Switzerland. Proposed government regulation will destroy the industry’s competitive advantage and erode its strength. If it ain’t broke, don’t regulate it.

Over the past three years, a group of government bureaucrats has worked silently to hobble the white-hot Israeli cybersecurity industry. No, this is not some hacktivist group or a sinister foreign agency, but rather our own ministers.

In mid-January of this year, Israel’s premier business outlet Globes revealed that the Ministry of Defense’s Exports Control Agency intends to enhance oversight on cybersecurity exports. Government double-speak positioned the move as one that would “protect against cyber-attacks.”

Another article about the proposal, influenced by the Wassenaar Arrangement and developed without input from Israel’s cybersecurity industry, revealed that representatives from the Prime Minister’s National Cyber Defense Bureau, Ministry of Economy, Ministry of Foreign Affairs, and the National Security Council collaborated with traditional military defense contractors to develop a policy that would “balance between the protection of political and security interests, sensitive to and preserving competitiveness, and provide flexibility and freedom of action of the Israeli cyber industry.”

As an example of the confusion governments create when they act irresponsibly to impose controls on industry, one need not look further than the absurdity of layering cybersecurity onto Wassenaar, a process that began in 2013. Broadly, Wassenaar is about regulating the transfer of not only conventional weapons of war, but also commercial dual-use technology such as supercomputers.

Problems and challenges arising from applying Wassenaar to cybersecurity technology are well documented. The Wall Street Journal highlighted the limitations of Wassenaar in 2011 when they published an infographic on digital surveillance technology. This knee-jerk response and disregard for commercial trade demonstrated by government attempts to apply controls on digital surveillance exports, and the resulting chaos, was captured by Tim Maurer and Jonathan Diamond in a well-researched article published last fall.

American cybersecurity technology companies have raised their own flag of concern. A July 2015 press release announcing the launch of the Coalition for Responsible Cybersecurity (CfRC) focused attention on “misguided export control rules.” The CfRC says that its mission is to “educate the U.S. government” about the risks created by export regulations on commercial cybersecurity technology. They provided clear explanations on how such regulation weakens the industry by hurting cybersecurity research, slowing innovation in cybersecurity technology, limiting the availability of cybersecurity tools, and restraining necessary cybersecurity information sharing and collaboration. The fragile cybersecurity intelligence ecosystem is a good example of an emerging platform at risk of being crippled by irresponsible regulations.

As in the U.S., the proposed Israeli cybersecurity export rules will only serve to prevent Israeli cybersecurity companies from competing internationally. The commercial fallout will have secondary effects including turning off the flow of investment capital that fuels our innovation. And limits on Israeli cybersecurity activities will directly result in the loss of our leadership as a global cybersecurity powerhouse.

Ironically, a key argument made by the CfRC is that Israel’s advanced cybersecurity industry and global leadership exist precisely because it is not subject to export controls. Government clerks in Jerusalem would do well to tune into the American debate. The full 54-page document capturing the CfRC’s comments against the proposed U.S. cybersecurity export regulation is available here.

If the threat to international competitiveness and innovation caused by the application of export control regulation on cybersecurity technology is well understood by the biggest companies in the industry, why then is the Israeli government proposing restrictions that will undoubtedly adversely impact one of its five national economic priorities? It is too easy for government officials and politicians to pull out the “it furthers-our-foreign-policy-and-national-security-interests-by-protecting-potentially-sensitive-technologies” wand in order to deflect arguments against such regulations. Despite strong evidence that suggests such controls in fact hurt national defenses, this is precisely what is happening. Regulating military and intelligence technology makes sense; applying similar controls to dual-use commercial technology does not.

While the government officials pushing these controls forward are cheering the “precedent-setting nature of this public participation process,” the historical fact remains that attempts by governments to apply export controls on dual-use cybersecurity technology have failed. Perhaps these bureaucrats neglected to consult the history books before undertaking a three-year process to draft export controls and apply government oversight on a free-market industry that is leading economic growth in Israel. Perhaps they are blind to the public debate in the U.S. about the same issue. Regardless, it is not too late to move the proposed regulations to the recycle bin and prevent a cyber-catastrophe.

Fortunately, voices have emerged to raise red flags and rally the troops. Cyber Together, a non-profit industry association launched to promote Israeli cybersecurity innovation where I serve as chairman, the Israel Export and International Cooperation Institute, and others are joining together and unifying concerns.

This initiative is nothing more than short-sighted bureaucrats looking to protect their fiefdoms. As a free-market capitalist, I abhor government meddling in industry – regardless of which government it may be. The potential impact of implementing the proposed cybersecurity export control regulation is not limited to a socioeconomic debate but, rather, it has a very real potential to harm the cybersecurity industry by imposing restrictions on:

  • Research and collaboration due to limits on the ability to test networks and share technical information about new vulnerabilities as well as active exploits
  • Technology sharing due to export controls on cybersecurity tools and science
  • Innovation especially in the areas of network surveillance and monitoring

In this context, the proposal can be seen as a nail in the coffin of an industry declared a national economic priority only two years ago. Many Israelis have worked hard to make Israel a Cybersecurity Switzerland. The heavy hand that proposes to add government oversight on an exceptionally well-run high-performance free market will toss this title, along with the many benefits that come with it, into the Mediterranean. If there is a desire to destroy the Israeli cybersecurity industry, then by all means, turn this proposal into law.

When will governments learn that the best path to economic growth and prosperity is when they do nothing? This proposal will make it harder for Israeli companies to develop and sell cybersecurity technology and will restrict their competitiveness around the globe. Cybersecurity solutions must be created and deployed faster than any other technology in order to stay ahead of the curve. Forcing government review will choke the industry. It doesn’t take a tenured professor at a prestigious university to find data demonstrating that government cannot and should not be involved in high tech oversight.

Moreover, such regulation would not only dry up commercial opportunities but also foreign investment in the Israeli cybersecurity industry. Revenue and funding are interlocked. Israel has become a Cybersecurity Switzerland precisely because the government regulations have been minimal. We sell to countries that other western technology companies cannot access and we receive investments from individuals and institutions in countries that typically do not have access to other western technology companies.

Have we learned nothing from failed attempts to regulate the export of another dual-use technology: encryption? Encryption is simultaneously a defensive tool of the good guys and a weapon in the hands of criminals and terrorists. Trying to control export of encryption technology was a disaster in every country where it was tried. Export controls on encryption served no purpose other than to mire technology companies in paperwork; it did little to protect those nations.

It’s like a kitchen knife – good in the hands of a chef, bad in the hands of a terrorist. What if the government was going to intervene in the manufacture and distribution of knives?

By allowing the government to push forward without a significant fight, we become collaborators in downgrading Israel’s global leadership and competitiveness in the cybersecurity industry. And it’s not only Israeli high tech professionals who understand this. Since the publication of the government proposal to regulate the industry, colleagues from the United States have raised their own alarms.

Mr. Prime Minister: Don’t allow pettiness and jealousy to jeopardize Israel’s most important export. Kill this proposed regulation immediately before it kills the cybersecurity industry.
