WASHINGTON—An international effort to prevent cyberweapons from reaching malicious regimes is at risk of coming apart amid objections from U.S. companies who claim it would upend the way they use and sell legitimate spyware.
In the wake of the Arab Spring uprising, the U.S. and 40 other nations decided that virtual weapons should be subject to the same export control rules that have been used on heavy or unconventional weaponry like tanks and chemical weapons.
But as the rules are still being written, it appears that cyber arms control is proving even harder than the traditional kind.
A central problem: Officials can’t agree on the legal distinction between nefarious computer programs that spy on networks and the software that helps companies avoid hackers. Some believe there is no distinction.
The debate has become so tangled that U.S. officials are considering whether to ask the 40 other countries involved—including Russia, France, and the U.K.—to rework the proposal, potentially delaying its implementation by at least a year.
“We have no idea what we are going to do,” said Kevin Wolf, assistant secretary at the Commerce Department—which has taken a lead role in drawing up the rules—at a briefing Thursday with executives from Google Inc., Dow Chemical Co., Texas Instruments Inc., and other firms.
Many of these companies say these rules—which would force them to apply for a series of licenses to export technology that could be used for cyberwarfare—would harm their business while doing little to stop oppressive regimes or others from using intrusion software that surreptitiously monitors communication.
Multinational banks worry they would have a hard time transmitting security tools to their overseas subsidiaries. Chemical and technology companies warned that they would be caught up in the restrictions. At Thursday’s meeting, several executives said that as part of a “good guy industry,” they should be exempt from the new rules.
“No one is denying that some of these tools are very powerful, and that the U.S. government should have a say in whether they are sold to Russia or China or perhaps authoritarian regimes that would use them against their own people,” said Stewart Baker, a former general counsel for the National Security Agency who now represents numerous firms opposing the proposal.
But he added, “Export controls are probably ineffective at keeping those out of the hands of other governments in most cases, because there are other sources.”
The unraveling agreement, intended to slow the spread of spyware to oppressive governments, was ironed out in late 2013 in Vienna, based on input from human rights groups and others. They claimed that Libya, Syria, Bahrain, and other countries had used Western technology to spy on the computers of ordinary citizens, stealing passwords, emails, and other secret communications.
Human-rights groups alleged that the FinFisher technology from Gamma Group, a British and German firm, was used for some of the spying. They also raised concerns that an Italian firm, Hacking Team, was selling its surveillance software to oppressive regimes.
Efforts to reach Gamma and Hacking Team were unsuccessful.
The deal reached in Vienna, which revised an existing pact known as the “Wassenaar Arrangement”—named for the Netherlands town where an export control agreement was first brokered in 1996—then had to be implemented domestically by each of the 41 signatories.
The Wassenaar body has a licensing and enforcement group that monitors participation, and countries that don’t adopt the rules could face pressure to come into compliance.
U.S. officials, led by the Commerce Department, began drawing up the rules. They proposed requiring companies to obtain a license before exporting delivery systems for surveillance and intrusion software, as well as mechanisms that communicate with that software once it is installed.
The rules also would make it much harder for U.S. firms to sell “zero day” technology. Such programs are considered the crown jewel of cyber tools, since they represent ways to hack into a network that haven’t been previously exposed, for legitimate as well as nefarious purposes. Some of the technology would need to be vetted by the NSA.
Penalties for failing to comply with export control rules could include multimillion-dollar fines and up to 20 years of imprisonment, Mr. Baker said.
When the proposed rules became known, the blowback was instant and severe. Symantec Corp., a cybersecurity company, predicted the number of licenses it would need to operate would jump from 12 to 1,000. Other security firms said they needed to sell technology with intrusion software to test their clients’ networks.
U.S. officials said they made the proposed rules intentionally broad and provocative to elicit more feedback. Within two months this summer, they received almost 300 letters, most warning of a range of unintended consequences if the rules were adopted.
Google, Cisco Systems Inc., Northrop Grumman Corp., Boeing Co., Raytheon Co., and others raised concerns about the rules. Few organizations, even among the privacy groups who had initially called for the new rules, were willing to back the Commerce Department’s proposal.
Officials are now stumped, a message they recently delivered to the 40 other countries in a letter.
“Do other delegations see the need to clarify the scope of control for software and technology for these entries?” the letter asked. “Do other delegations see the controls as limiting the ability of companies to share internal information?”
The European Commission, for its part, already adopted the new export controls late last year, without facing a similar backlash.
Some executives speaking at the Commerce Department meeting Thursday pushed for government officials to put the proposal on pause, while others said that the rule could be effective if more tailored.
“The good guys and the bad guys are hard to distinguish here,” said Window Snyder, chief security officer at Fastly, a San Francisco-based content delivery firm. “You can build a house with a hammer, or you can take it to someone’s head.”