b'<html>\n<title> - WASSENAAR: CYBERSECURITY AND EXPORT CONTROLS</title>\n<body><pre>[House Hearing, 114 Congress]\n[From the U.S. Government Publishing Office]\n\n\n              WASSENAAR: CYBERSECURITY AND EXPORT CONTROLS\n\n=======================================================================\n\n                              JOINT HEARING\n\n                               BEFORE THE\n\n                            SUBCOMMITTEE ON\n                         INFORMATION TECHNOLOGY\n\n                                 OF THE\n\n                         COMMITTEE ON OVERSIGHT\n                         AND GOVERNMENT REFORM\n                        HOUSE OF REPRESENTATIVES\n\n                                AND THE\n\n       SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION,\n                       AND SECURITY TECHNOLOGIES\n\n                                 OF THE\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED FOURTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                            JANUARY 12, 2016\n\n                               __________\n\n                           Serial No. 114-102\n\n             (Committee on Oversight and Government Reform)\n             \n             \n                               __________\n\n                           Serial No. 114-49\n\n                    (Committee on Homeland Security)\n\nPrinted for the use of the Committee on Oversight and Government Reform\n\n\n         Available via the World Wide Web: http://www.fdsys.gov\n                      http://www.house.gov/reform\n              \n              \n                              __________\n                               \n\n                    U.S. 
GOVERNMENT PUBLISHING OFFICE                    \n23-401 PDF                  WASHINGTON : 2017                     \n          \n----------------------------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Publishing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, \nU.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). \n                         \n              \n              \n              \n              \n              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM\n\n                     JASON CHAFFETZ, Utah, Chairman\nJOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, \nMICHAEL R. TURNER, Ohio                  Ranking Minority Member\nJOHN J. DUNCAN, Jr., Tennessee       CAROLYN B. MALONEY, New York\nJIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of \nTIM WALBERG, Michigan                    Columbia\nJUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri\nPAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts\nSCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee\nTREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia\nBLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania\nCYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois\nTHOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois\nMARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan\nRON DeSANTIS, Florida                TED LIEU, California\nMICK MULVANEY, South Carolina        BONNIE WATSON COLEMAN, New Jersey\nKEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands\nMARK WALKER, North Carolina          MARK DeSAULNIER, California\nROD BLUM, Iowa                       BRENDAN F. 
BOYLE, Pennsylvania\nJODY B. HICE, Georgia                PETER WELCH, Vermont\nSTEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico\nEARL L. ``BUDDY\'\' CARTER, Georgia\nGLENN GROTHMAN, Wisconsin\nWILL HURD, Texas\nGARY J. PALMER, Alabama\n\n                   Jennifer Hemingway, Staff Director\n                 David Rapallo, Minority Staff Director\n               Troy Stock, IT Subcommittee Staff director\n                    Sharon Casey, Deputy Chief Clerk\n                                 ------                                \n\n                 SUBCOMMITTEE ON INFORMATION TECHNOLOGY\n\n                       WILL HURD, Texas, Chairman\nBLAKE FARENTHOLD, Texas, Vice Chair  ROBIN L. KELLY, Illinois, Ranking \nMARK WALKER, North Carolina              Member\nROD BLUM, Iowa                       GERALD E. CONNOLLY, Virginia\nPAUL A. GOSAR, Arizona               TAMMY DUCKWORTH, Illinois\n                                     TED LIEU, California\n                     COMMITTEE ON HOMELAND SECURITY\n\n                   Michael T. McCaul, Texas, Chairman\nLamar Smith, Texas                   Bennie G. Thompson, Mississippi\nPeter T. King, New York              Loretta Sanchez, California\nMike Rogers, Alabama                 Sheila Jackson Lee, Texas\nCandice S. Miller, Michigan, Vice    James R. Langevin, Rhode Island\n    Chair                            Brian Higgins, New York\nJeff Duncan, South Carolina          Cedric L. Richmond, Louisiana\nTom Marino, Pennsylvania             William R. Keating, Massachusetts\nLou Barletta, Pennsylvania           Donald M. Payne, Jr., New Jersey\nScott Perry, Pennsylvania            Filemon Vela, Texas\nCurt Clawson, Florida                Bonnie Watson Coleman, New Jersey\nJohn Katko, New York                 Kathleen M. Rice, New York\nWill Hurd, Texas                     Norma J. Torres, California\nEarl L. 
``Buddy\'\' Carter, Georgia\nMark Walker, North Carolina\nBarry Loudermilk, Georgia\nMartha McSally, Arizona\nJohn Ratcliffe, Texas\nDaniel M. Donovan, Jr., New York\n\n                   Brendan P. Shields, Staff Director\n                    Joan V. O\'Hara,  General Counsel\n                    Michael S. Twinchek, Chief Clerk\n                I. Lanier Avant, Minority Staff Director\n            Madeline Eda Matthews, Professional Staff member\n                                 ------                                \n\nSUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY \n                              TECHNOLOGIES\n\n                    John Ratcliffe, Texas, Chairman\nPeter T. King, New York              Cedric L. Richmond, Louisiana\nTom Marino, Pennsylvania             Loretta Sanchez, California\nScott Perry, Pennsylvania            Sheila Jackson Lee, Texas\nCurt Clawson, Florida                James R. Langevin, Rhode Island\nDaniel M. Donovan, Jr., New York     Bennie G. Thompson, Mississippi \nMichael T. McCaul, Texas (ex             (ex officio)\n    officio)\n\n               Brett DeWitt, Subcommittee Staff Director\n                   John Dickhaus, Subcommittee Clerk\n       Christopher Schepis, Minority Subcommittee Staff Director\n                            \n                            \n                            C O N T E N T S\n\n                              ----------                              \nHearing held on January 12, 2016\n\n                               WITNESSES\n\nMr. Vann H. Van Diepen, Principal Deputy Assistant Secretary for \n  International Security and Nonproliferation, Department of \n  State\n    Oral Statement\n    Written Statement\nHon. Kevin J. 
Wolf, Assistant Secretary for Export \n  Administration, U.S. Department of Commerce\n    Oral Statement\n    Written Statement\nMs. Phyllis Schneck, Deputy Under Secretary for Cybersecurity and \n  Communications, National Protection and Programs Directorate, \n  U.S. Department of Homeland Security\n    Oral Statement\n    Written Statement\nMs. Cheri Flynn McGuire, Vice President, Global Government \n  Affairs and Cybersecurity Policy, Symantec\n    Oral Statement\n    Written Statement\nMr. Iain Mulholland, Vice President, Engineering Trust and \n  Assurance VMWARE, Inc.\n    Oral Statement\n    Written Statement\nMs. Cristin Flynn Goodwin, Assistant General Counsel, \n  Cybersecurity, Microsoft Corporation\n    Oral Statement\n    Written Statement\nMr. Dean C. Garfield, President and CEO, Information Technology \n  Industry Council\n    Oral Statement\n    Written Statement\nMs. Ann K. Ganzer, Director of Conventional Arms, Threat \n  Reduction, Bureau of International Security and \n  Nonproliferation, Department of State\n    Oral Statement\n\n                                APPENDIX\n\nRepresentative Sheila Jackson Lee Opening Statement\n2015-12-16 Members of Congress to Ambassador Rice re Wassenaar\n2015-07-20 Members of Congress to Wheeler-DOC re Wassenaar
\n2016-01-12 Mr. Beckerman-Internet Association re Wassenaar\n\n \n              WASSENAAR: CYBERSECURITY AND EXPORT CONTROLS\n\n                              ----------                              \n\n\n                       Tuesday, January 12, 2016\n\n                  House of Representatives,\n            Subcommittee on Information Technology,\n  Committee on Oversight and Government Reform, Joint with \n Subcommittee on Cybersecurity, Infrastructure Protection, \n and Security Technologies, Committee on Homeland Security,\n                                                   Washington, D.C.\n    The subcommittees met, pursuant to call, at 2:23 p.m., in \nRoom 2154, Rayburn House Office Building, Hon. Will Hurd \n[chairman of the Subcommittee on Information Technology] \npresiding.\n    Present for Subcommittee on Information Technology: \nRepresentatives Hurd, Farenthold, Walker, Blum, Kelly, \nConnolly, and Lieu.\n    Present for Subcommittee on Cybersecurity, Infrastructure \nProtection, and Security Technologies: Representatives \nRatcliffe, Marino, Perry, Clawson, Donovan, McCaul (ex \nofficio), Richmond, Sanchez, Jackson Lee, Langevin, and \nThompson (ex officio).\n    Mr. Hurd. The Subcommittee on Information Technology of the \nCommittee on Oversight and Government Reform and the \nSubcommittee on Cybersecurity, Infrastructure Protection, and \nSecurity Technologies of the Committee on Homeland Security \nwill come to order. Without objection, the chair is authorized \nto declare a recess at any time. I would like to start off by \nrecognizing my friend and the chairman of the Subcommittee on \nCybersecurity, Infrastructure Protection, and Security \nTechnologies, and fellow Texan, the Honorable Ratcliffe, John \nRatcliffe. Over to you, sir.\n    Mr. Ratcliffe. I thank the gentleman for yielding. 
The \npurpose of this hearing is to address the impact of the \nWassenaar Arrangement, which was recently amended to propose \nexport controls for cybersecurity products. I now recognize \nmyself for an opening statement.\n    The House Homeland Security Committee\'s Subcommittee on \nCybersecurity, Infrastructure Protection, and Security \nTechnologies and the House Oversight and Government Reform\'s \nSubcommittee on Information Technology meet today to hear from \nkey industry and government stakeholders about the impact of \nthe Wassenaar Arrangement, that it will have on American \npeople, on American businesses, and on the cybersecurity \nindustry.\n    I first want to start off by thanking my friend, Mr. Will \nHurd, the gentleman from Texas, for co-chairing this hearing. \nToday, we are doing what Americans would like to see more of in \nCongress. Two committees that don\'t often work together are \nable to, and happy to come together to tackle an issue that\'s \nextremely important and relevant to national security and to \nthe security of individuals\' personal information. Congressman \nHurd and I share the belief that one of our core duties here in \nCongress is to bypass the jurisdictional roadblocks, and make \nreal progress towards keeping our citizens safe.\n    To the issue at hand, we know that private industry in \nAmerica is excellent at responding to consumer demands. Many \ncompanies, including some of those here today, pride themselves \non guaranteeing the security of their customers\' personal \ninformation. Others represented here exist solely to help in \nsecuring that information. They also secure vital sectors of \nsociety such as critical infrastructure and the financial \nsector. Their success hinges, in part, on their ability to \nguarantee their own security. 
Today, I hope to hear from our \nwitnesses on how the Wassenaar Arrangement in its \nimplementation would affect these objectives.\n    The Wassenaar Arrangement was established 20 years ago to \napply to conventional arms and dual-use goods and technology. \nChanges made in 2013 sought to extend export controls to \ncybersecurity intrusion and surveillance software and \ntechnology.\n    These changes were motivated by a desire to prevent \nauthoritative regimes from repressing their people. This intent \nis noble. If the administration\'s implementation effort \nresulted in unified dissent from the technology and \ncybersecurity industries, from academics and researchers, the \nenergy and financial sectors also voiced deep concerns. And \nthey were echoed by civil society groups who said that the \nproposal could make communicating about security \nvulnerabilities almost impossible in certain cases. The Federal \nGovernment engages in countless ways with the American people \nand our international partners. When proposing actions, the \ngovernment should, at a minimum, not do harm to its own people. \nI\'m interested to hear from our government witnesses how they \nbelieve this arrangement will successfully deter the \naccumulation of digital weapons, which aren\'t constructed in \nfactories, which don\'t need physical space for storage, and \nwhich don\'t depend on traceable means of transport.\n    I hope to better understand how they believe this export \ncontrol framework can be effectively applied to intrusion \nsoftware. I agree that we should strive to limit dangerous \ntechnologies from falling into the hands of bad actors. But \nnational security and Americans\' personal security can\'t be \nsacrificed in the process. There are many ways the United \nStates strives to combat human rights violators. And I hope to \nhear today why this route wasn\'t chosen over other options. 
As \nwe can see by the variety and the size of our witness panel, \nthe Wassenaar Arrangement has broad implications. Recent \nreports and the witness testimony today demonstrate that we are \nfar from a consensus on this issue. The administration\'s top \nthree stated priorities include, and I quote, ``protecting the \ncountry\'s critical infrastructure from cyber threats, improving \nour ability to identify and report cyber incidents, and \nengaging with international partners to promote Internet \nfreedom, and building support for an open, interoperable, \nsecure, and reliable cyberspace.\'\'\n    I assume that our government witnesses are well-versed in \nthese goals and their prioritization. Yet, in reading the \ncomments to the proposed rule and general thoughts on the \ncybersecurity section of the Wassenaar Arrangement, one sees a \nprobable contradiction in the first two goals. Additionally, I \nthink it\'s unlikely that this arrangement achieves the open and \ninteroperable cyberspace that is in the public\'s interest. If \nwe are to expect the cybersecurity provisions of this \narrangement to be workable, we need to make sure that our \nstated intentions and actions are not contradictory. If we \ncan\'t do that, I question why as a country we are agreeing to \nthis updated arrangement.\n    Just last month, Congress passed legislation to encourage \nthe sharing of cyber threat information. Both the private \nsector and the Government stand to benefit from the increased \nflow of valuable cyber-threat information. Today, we need to \nhear whether the Wassenaar Arrangement would have a \ncounterproductive impact on such sharing, and whether it would \nundermine the law that the President just signed. As a Nation, \nwe advocate for human rights, and we assist those harmed by \nauthoritarian regimes. 
However, we must, first and foremost, \nsafeguard the security of our Nation and our citizens.\n    I look forward to hearing from the witnesses about the best \npath forward and how we can come together to best protect the \nAmerican people. And I yield back.\n    Mr. Hurd. It\'s now my pleasure to recognize the \ndistinguished gentleman from the great State of Louisiana, Mr. \nRichmond, the ranking member of the Subcommittee on \nCybersecurity, Infrastructure Protection, and Security \nTechnologies, for his opening statement. Mr. Richmond, you\'re \nrecognized for 5 minutes.\n    Mr. Richmond. Thank you, Chairman Hurd and Chairman \nRatcliffe, also Ranking Member Kelly, for convening this joint \nhearing on U.S. rulemaking regarding cybersecurity technology \nissues in the Wassenaar Arrangement. I also want to thank our \npanel of witnesses today, both the government and industry \nrepresentatives.\n    The Wassenaar Arrangement consists of America\'s efforts, in \ncollaboration with 40 of our trading partners, to put into \nplace export controls for conventional arms and dual-use goods \nand technologies. As we know, dual-use goods and commodities, \nprocesses are technologies used primarily for civilian \npurposes, which can also be used to develop or enhance the \ncapabilities of military equipment or initiatives. We find \nourselves in rapidly changing times. And dual-use goods and \ntechnologies now encompass cybersecurity technologies, which \nare vital in protecting private, commercial, and governmental \ndata, and protecting the operation of our information networks, \nboth public and private. The 41 nations participating in the \nWassenaar Arrangement agreed to include cybersecurity issues. 
\nAnd the United States has led the way.\n    The Department of Homeland Security\'s Cybersecurity and \nCommunications Office, within the National Protection and \nPrograms Directorate, is the storehouse of a great deal of our \nNation\'s civilian cybersecurity expertise. And I\'m glad to see \nDr. Schneck as one of our witnesses today, and look forward, \nespecially, to her perspective.\n    I found it helpful to frame the cybersecurity issues \ncontained in the Wassenaar Arrangement as a series of \nquestions. Does the proposed rule fulfill its intended goal? \nDoes the proposed rule have any negative unintended side \neffects? Will modification of the proposed rule address \nconcerns adequately?\n    And, finally, should the Wassenaar provision be \nrenegotiated, or an alternative be found? If the critics of the \nwording of the current proposed rulemaking are right, then I\'m \nsure the answers will be no, yes, no, yes. According to a large \nnumber of professionals, the expert restrictions for the \ndefined cybersecurity products and technologies in the rule may \ncertainly reduce the likelihood of repressive governments \nobtaining surveillance technology through legal sources, but \nthe criminal underground would not be subject to such \nrestrictions. And such repressive regimes might switch to those \nsuppliers.\n    But let us not speculate. While my subcommittee does not \nappear to have any immediate legislative or oversight \njurisdiction on this matter, testimony today from industry and \ngovernment agencies involved, would help us to learn about the \nimpacts of the proposed rule as drafted and how it will affect \nor impede not only research on the specifics of cybersecurity, \nbut possible effects on the larger global cybersecurity \ncommunity.\n    Mr. Chairman, at this time, I would like to yield 1-1/2 \nminutes to Mr. Langevin, who has been a leader and an expert in \nour caucus on this issue.\n    Mr. Ratcliffe. [presiding.] 
The gentleman is recognized.\n    Mr. Langevin. Thank you, Mr. Chairman. I want to thank the \nranking member, Ranking Member Richmond, for yielding the time. \nAnd I want to thank both chairmen and ranking members of the \ncommittee for holding this hearing. I\'ve been closely following \nthe intrusion software additions since BIS proposed the \noriginal rule last May. In July, several of my colleagues \njoined me in voicing our concerns with that regulation as part \nof the public comment period. And last month, 125 members \njoined Chairman McCaul and me in a bipartisan effort in \nhighlighting some of those thoughts in a letter to the \nPresident\'s National Security Advisor.\n    Throughout this period, I\'ve been thoroughly impressed by \nBureau of Industry and Security\'s efforts to be as open as \npossible during the rulemaking process. And I commend you, \nAssistant Secretary Wolf, and your staff, for your willingness \nto listen to constructive feedback. I thank you for your work \nin that respect. I think all of us here today believe that \nintrusion software can be dangerous in the wrong hands. But the \noriginal proposed rule had many unintended consequences that \nmust be addressed. I hope we will explore those barriers during \nthis hearing, which could be detrimental to both our economic \ncompetitiveness and our national security, and that we will \nalso come out with a clear understanding of the way forward and \nhow to better incorporate stakeholder feedback from the outset \nin future rulemaking.\n    With that, I would like to, again, thank Chairmen Ratcliffe \nand Hurd and Ranking Members Richmond and Kelly for addressing \nthis very important topic. And I\'ll submit my full statement \nfor the record. And I would yield back the balance of my time.\n    Mr. Richmond. And with that, Mr. Chairman, I will yield \nback the balance of my time.\n    Mr. Ratcliffe. I thank the gentlemen from both Louisiana \nand Rhode Island. 
The chair now recognizes the chairman of the \nHomeland Security Committee, my friend, the gentleman from \nTexas, Mr. McCaul.\n    Mr. McCaul. I thank the gentlemen from Texas, both Mr. \nRatcliffe and Mr. Hurd, for having this hearing today on a very \nimportant issue. It\'s consequential. Strengthening our Nation\'s \ncybersecurity is of the utmost importance right now, and will \ndetermine our Nation\'s position as a world leader in the \nfuture. The playing field for international conflict is \nconstantly evolving. Cyber attacks can come from anywhere at \nany time, and without any prior notifications.\n    As chairman of the Homeland Security Committee, keeping \nAmericans safe is my primary concern. And that is no simple \ntask in such a dynamic environment. Unfortunately, the \namendment to the Wassenaar Arrangement would depreciate the \nresearch, development, and deployment of important tools that \nwe all use every day to secure against cyber attacks.\n    The United States has a duty to be a world leader. The \nestablishment of a multi-national arrangement to restrict the \ntrade of conventional arms and dual-use goods and technologies \nhas only been possible through strong American leadership. To \ncontinue fulfilling this imperative role, the United States \nmust ensure that such agreements support technically and \npractically intelligent policies on cybersecurity.\n    If the matter at hand was simply a question of efficacy, we \nwouldn\'t be here today. If the only concern was that the \nWassenaar Arrangement might have room for improvement, this \nconversation would be very different. But what has been \nviolated here is the fundamental adage of do no harm. The State \nDepartment agreed to an arrangement that would restrict a group \nof information security tools and products. 
This agreement and \nthe proposed implementation could hobble the entire \ncybersecurity ecosystem, as well as cross-border data flows, \nand global collaboration that support it. Weakening our cyber \nresearchers and innovative service providers is bad enough. But \nas we have seen again and again, any weakness in our cyber \nposture will percolate to other industries and harm individual \nAmericans.\n    Furthermore, under the arrangement, participating States \nalready exchange specific information on a regular basis about \nglobal transfers of certain goods and technologies. Part of the \nWassenaar Arrangement is looking at that information to find \ndubious acquisition trends. I don\'t see any limitation on the \nability of the Wassenaar Arrangement to pursue the stated goals \nof increased transparency without adding burdensome and \ncounterproductive licensing requirements.\n    I hope that the witnesses are able to speak today about why \nthe addition of intrusion software language to the arrangement \nwas preferred as the best means of achieving American goals, \ninstead of other options, such as through sanctions, which \nwould address bad actors more directly without unintended \nconsequences.\n    Lastly, the Homeland Security Committee worked hard in \nputting together and shaping information, sharing legislation \nwhich was signed into law in December. That legislation \nfacilitates a sharing of cyber information between the Federal \nGovernment and the private sector to assist security experts \nand others in rapidly identifying and resolving vulnerabilities \nthat threaten the security of our networks.\n    We must not backtrack on this progress. 
It is a priority of \nthe Homeland Security Committee to investigate whether the \ndomestic execution of the relevant cybersecurity section of the \nWassenaar Arrangement would obstruct positive collaboration on \ncybersecurity that protects American information and \ninformation systems.\n    I hope the backlash received and the response here in the \nCongress will prevent the State Department from attempting to \ntake momentous negotiations upon themselves without \nconsultation from the stakeholders in the future. The \nadministration must not ignore the serious, broad implication \nof the results. What we won\'t stand for is a de facto \nregulation of a thriving sector and cornerstone of American \nindustry, an industry that provides the tools that we all, \nincluding governments, use to secure ourselves. I expect this \nhearing today will send an important message that the intrusion \nsoftware language in the Wassenaar Arrangement is simply \nunworkable. We, in the Congress, expect that the administration \nwill work to correct the serious issues in this arrangement \nmoving forward. Again, I want to thank the chair and ranking \nmember for holding this hearing. And I yield back.\n    Mr. Ratcliffe. Thank the chairman. The chair now recognizes \nthe ranking member of the Oversight and Government Reform \nSubcommittee on Information Technology, the gentlelady from \nIllinois, Ms. Kelly.\n    Ms. Kelly. Thank you, Mr. Chairman. Welcome to the \nwitnesses participating in today\'s hearing on export controls \nfor certain cybersecurity tools. The export controls for \nintrusion and surveillance technologies agreed to at the \nWassenaar Arrangement were intended to help prevent repressive \nregimes from obtaining and using intrusive technology against \ntheir own citizens. These are important human rights \nobjectives. It is also critically important that U.S. 
\ncybersecurity policies advance our overall efforts to protect \ninformation and systems from cyber attacks and data breaches.\n    Today\'s hearing is recognition of the fact that the Federal \nGovernment and private sector must work together effectively to \nthwart cybercrime. The Bureau of Industry and Security\'s \nproposed rule to implement the Wassenaar Arrangement\'s export \ncontrols on cybersecurity intrusion, and surveillance items \ncould seriously hinder the cybersecurity industry and our \nnational security. The language in the proposed rule would \ninterfere with the ability of businesses and of the Federal \nGovernment to acquire and utilize cybersecurity tools that are \ncritical to the security of information systems and data, and \nfrustrate the real-time information sharing of vulnerability, \nwhich is relied upon to prevent or to stop a cyber attack.\n    Going forward, BIS and its interagency partners should \nreconsider their policy approach to this rulemaking, so that \nthe export controls do not negatively affect our Nation\'s \nability to defend against cyber threat and the policy conforms \nwith the broader U.S. cybersecurity strategy and national \nsecurity.\n    The Information Technology Subcommittee has held multiple \nhearings examining the nature of cyber threats and how to \nenhance the security of information and information networks. \nWe have learned that no company or industry is immune from \ncyber attacks, and that cyber attackers are highly \nsophisticated, and constantly evolving their tactics.\n    We are all aware of the major breaches that American \ncompanies, contractors, and government agencies have sustained \nin recent years. Given this persistent threat to information \nsystems, it is critically important that the U.S. 
policies and \nregulations are designed to enhance the tools and capabilities \nthat ensure the security of critical information targeted by \ncyber attackers.\n    Last month, the Democratic members of this subcommittee, \nalong with 120 other Members of Congress, signed onto a \nbipartisan letter to National Security Advisor Susan Rice, \nrequesting the White House\'s collaboration and advice in the \ndevelopment of export control policies for cybersecurity tools. \nIn that letter, we expressed our concerns that the proposed \nrulemaking pertaining to export controls of intrusion software \nand vulnerability research could reduce the ability of private \nbusinesses and the Federal Government to defend against cyber \nthreats and impair national security efforts.\n    I would like to commend BIS for anticipating the need to \nassess the impact of the export controls on the cybersecurity \nindustry and requesting public comment on the effects of this \nproposed rule. The Bureau is currently reviewing the 264 public \ncomments it received.\n    I look forward to hearing from today\'s witnesses on the \nimpact of this proposed rule and discussing a path forward that \nachieves the human rights objectives of the export controls \nwithout negatively affecting innovation and research on \ncybersecurity tools and vulnerability. Thank you, Mr. Chairman. \nAnd I look forward to the witnesses\' testimony.\n    Mr. Ratcliffe. I thank the gentlelady. The chair now \nrecognizes the ranking member of the Homeland Security \nCommittee, the gentleman from Mississippi, Mr. Thompson.\n    Mr. Thompson. Thank you very much. Thank you, Chairman \nHurd, Ranking Member Kelly, Chairman Ratcliffe, and Ranking \nMember Richmond, for your leadership in calling this joint \nsubcommittee hearing today. I particularly want to thank the \ndistinguished panel of witnesses before us today. You all play \nan important role in America\'s vital trade and business life. 
\nAnd I\'m grateful you took the time to come help us understand a \nvery complicated issue.\n    The concept of cyber and information security is \nfundamental to our economy across all sectors, not only for \nbusiness computers and networks, but also because the issue \ncrosses the lanes of private, personal information, and \npolicies that governance consideration. Cyber and information \nsecurity are also issues that involve the ingenuity and \ninitiative that makes American entrepreneurs and computer \nsoftware scientists leaders in the world market.\n    The Wassenaar Arrangement for the export control of dual-\nuse cybersecurity products is not only technically complex, but \nalso involves moral and ethical considerations that must be \ntaken into account.\n    The United States economy is the largest in the world and \nthe most creative, innovative, and productive. The strength of \nour engineers, scientists, and industrial leaders and across \nall sectors of American industry is unmatched. While the \nAmerican worker is recognized as the most productive worker in \nthe world, the electronic world dominates our business, \ninformation, security processes. And we depend most heavily on \neffective functioning of machine and computer system controls \nto achieve our high level of productivity. We cannot maintain \nthese high levels of productivity without comprehensive and \nmassive security efforts to protect not only machines and \ncomputers, but the electronic networks that we all depend on in \nour daily lives, ones that sustain the highest standard of \nliving in the world for American families.\n    The United States leads the world in the production of \ncybersecurity products and systems that not only produce the \nsoftware applications that keep our economy running, but also \nthe information security products that protect our vital \npersonal data, business information, and communications \nnetwork. 
The treaties, agreements, and arrangements we have \nwith our international trading partners play a fundamental role \nin allowing our U.S.-made products to be exported easily and \nwithout interference. And those are often intricate and \ndetailed provisions. I am very pleased we are holding this \nhearing to learn more about one of the most complex issues \nfacing international trade today. I look forward to the \ntestimony of our witnesses. With that, I yield back.\n    Mr. Ratcliffe. I thank the ranking member for his remarks. \nThe chair now recognizes the chairman of the Oversight and \nGovernment Reform Subcommittee on Information Technology, my \ngood friend from Texas, Mr. Hurd.\n    Mr. Hurd. Mr. Chairman, thank you. And I look forward to \ngetting this institution focused on solving problems rather \nthan jurisdictional issues. And I would like to thank Chairman \nMcCaul and Chairman Chaffetz for their leadership and Ranking \nMembers Thompson and Cummings for working on issues like this \nin a bipartisan fashion. It\'s great working alongside you, Mr. \nRichmond. And I would especially like to thank my good friend, \nRobin Kelly, for her partnership over the last year. And I\'m \nlooking forward to working together with you this year.\n    This is an important topic, eight panelists, a bunch of \nchairmen, a bunch of subcommittee chairmen, a lot of ranking \nmembers. And one of the reasons is that it\'s been estimated \nthat 97 percent of all Fortune 500 companies have been hacked, \nand the other 3 percent have been and just don\'t know it. And \nthis is the size and scope of the cyber problems this Nation is \nfacing. BlueCross BlueShield, Anthem, most recently, Juniper \nNetworks and OPM, where the sensitive PII of 21.5 million \nAmericans whose data was stolen are just a few examples of the \nongoing digital threat our Nation faces every single day.\n    Our adversaries are constantly targeting our information \ntechnology. 
And in doing so, they steal our intellectual \nproperty, healthcare data, and the most private details of the \nlives of millions of Americans. So when in May of last year, \nthe Bureau of Industry and Security at the Department of \nCommerce published a draft rule implementing an export control \nregime on some of the most basic cybersecurity tools and \nmethods, I became deeply concerned about the potential for \nunintended circumstances and consequences.\n    The truth is that cyber weapons are not analogous to \nconventional weapons that the Wassenaar Agreement has been \ndiscussing and regulating since its inception. The same code \nthat can be used to steal, disrupt, or destroy can also be used \nto protect. My concern, a concern shared by many of those \ncompanies and experts who submitted comments to BIS over the \nsummer, is that the language of the proposed rule is so broad \nand vague that if implemented, it would do profound damage to \nour Nation\'s cybersecurity posture. The IT Subcommittee is very \ninterested in the process that the State Department employed \nwhen adding these highly technical and complex cybersecurity \nitems to the Wassenaar\'s export control regime, were experts, \nthe cybersecurity industry, or the IT community at large, \nincluded in the discussions leading up to the agreement? If \nnot, why? And how can we make sure they are consulted in the \nfuture so this kind of thing doesn\'t happen again.\n    Cybersecurity practitioners have to move at the pace of \ntechnology. They cannot stop and wait to push a critical patch \nout to their international partners or clients who are left \nvulnerable while regulators delay and bureaucrats impose \nmountains of red tape. In the cybersecurity business, the clock \nstarts when you know you\'ve got an indicator of compromise and \ndoesn\'t stop until you know it\'s been patched. In no time at \nall, a vulnerability can be exploited and data extracted. 
With \nmonths, hackers can take their time and do unspeakable damage \nto American interests.\n    One of the reasons the IT Subcommittee exists is to examine \nthe impacts information technology has on our laws, \ngovernmental structures, society writ large, and our regulatory \napproach.\n    The question here today is not only whether or not the \nWassenaar nations need to re-think and re-draft those cyber \ntool controls, but also, whether or not an export control \nregime is the correct institution to solve the problem of \nkeeping dangerous digital tools out of the hands of despots. I \nthank Chairman Ratcliffe for his shared interest in this issue. \nAnd I look forward to today\'s discussion. And I yield back.\n    Mr. Ratcliffe. I thank the gentleman from Texas. Other \nmembers are reminded that opening statements may be submitted \nfor the record. And as noted by others, we are pleased today to \nhave with us a very distinguished panel of witnesses on an \nimportant topic, including Mr. Vann Van Diepen, the principal \nDeputy Assistant Secretary for the Bureau of International \nSecurity and Nonproliferation at the U.S. Department of State; \nMs. Ann Ganzer, the Director of Conventional Arms Threat \nReduction for the Bureau of International Security and \nNonproliferation at the U.S. Department of State; the Honorable \nKevin Wolf, the Assistant Secretary for Export Administration \nat the U.S. Department of Commerce; Dr. Phyllis Schneck, the \nDeputy Under Secretary for Cybersecurity and Communications for \nthe National Protection and Programs Directorate at the U.S. \nDepartment of Homeland Security; Ms. Cheri Flynn McGuire, the \nvice president for Global Government Affairs and Cybersecurity \nPolicy at Symantec; Mr. Iain Mulholland, the vice president for \nEngineering Trust and Assurance at VMware; Ms. Cristin Flynn \nGoodwin, the assistant general counsel for Cybersecurity at \nMicrosoft; and, finally, Mr. 
Dean Garfield, the president and \nCEO of the Information Technology Industry Council.\n    Thank you all for being here today. The witnesses\' full \nwritten statements will appear in the record. And at this time, \nI would ask all of the witnesses to stand and raise your right \nhand so that I can swear you in for your testimony.\n    Do each of you swear or affirm that the testimony you are \nabout to provide today shall be the truth, the whole truth, and \nnothing but the truth so help you God? Let the record reflect \nthat the witnesses answered in the affirmative. The chair now \nrecognizes Mr. Van Diepen for his opening statement.\n\n                       WITNESS STATEMENTS\n\n                STATEMENT OF VANN H. VAN DIEPEN\n\n    Mr. Van Diepen. Thank you, Chairman Hurd and Chairman \nRatcliffe, Ranking Members Kelly and Richmond, and members of \nthe committees, for the opportunity to talk today about export \ncontrol efforts in the challenging new area of cyber tools. As \nwe\'ve heard from you all, we hear almost daily about malicious \ncyber activities that disrupt businesses, compromise privacy, \nor threaten national security.\n    Congress itself has also recognized the overall \ncybersecurity threat in legislation. The 2014 National Defense \nAuthorization Act required developing an integrated policy to \ncontrol the proliferation of what it termed ``cyber weapons,\'\' \nincluding through multilateral enforcement activities and \ndiplomatic engagement. To be most effective, export controls \nshould be multilateral. The Wassenaar Arrangement has the \nresponsibility for multilateral national security export \ncontrols on dual-use items not related to weapons of mass \ndestruction, such as cyber tools. 
This 41-country regime was \nestablished in 1996 to contribute to regional and international \nsecurity and stability by promoting transparency and greater \nresponsibility in transfers of conventional arms and related \ndual-use goods and technologies, thus preventing destabilizing \naccumulations.\n    Upholding our international export control commitments is \ncentral to our ability to get other countries to uphold theirs, \nnot just in Wassenaar, but in the nuclear, chemical, \nbiological, and missile control regimes as well. Because these \nsame cyber tools can also be used for beneficial purposes, such \nas identifying vulnerabilities and improving cybersecurity, we \nneed to strike the appropriate balance in implementing such \ncontrols to promote national security objectives, while making \nsure that the controls\' benefits clearly exceed any commercial \nor national security costs.\n    Recognizing the challenge in implementing the cyber \ncontrol, the U.S. Government took the uncommon step of going \nthrough a public notice and comment process. The comments were \ninstructive. And we take them very seriously. It is clear from \nthe comments received that the first version of the proposed \nU.S. rule to implement the Wassenaar control missed the mark. \nAnd the interagency continues to work through the concerns \nraised.\n    Fortunately, the cyber control is included on the least \nsensitive portion of the Wassenaar list. This provides us with \nsubstantial flexibilities we can employ in the process of \nimplementing that control nationally, just as most other \nWassenaar members have done in already having implemented the \ncyber control for over a year without apparent controversy.\n    We appreciate your committee\'s interest in this issue. 
And \nwe are committed to working closely with all the other \nstakeholders in the interagency, as well as industry, and the \nother relevant external stakeholders, to seek a balanced way \nforward that meets our important policy objectives while \naddressing the concerns raised. Thank you.\n    [Prepared statement of Mr. Van Diepen follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Ratcliffe. Thank you, Mr. Van Diepen. The chair now \nrecognizes the Honorable Kevin Wolf for his statement.\n\n\n                STATEMENT OF HON. KEVIN J. WOLF\n\n    Mr. Wolf. Thank you, Chairmen Hurd and Ratcliffe, Members \nKelly and Richmond. My colleague from the State Department \ndescribed well the background and purposes of the Wassenaar \nArrangement. The U.S. Department of State leads the U.S. \ndelegation to the Wassenaar Arrangement. But it is my agency, \nthe Commerce Department\'s Bureau of Industry and Security, \nwhich is responsible for developing and administering the set \nof regulations, the Export Administration regulations that \nwould implement the multilateral agreements that were just \ndescribed. And in this case, the Wassenaar Arrangement for us \npertains to dual-use items and some military items on the \nWassenaar list.\n    Other agencies, primarily the Department of Defense, \nparticipates in developing proposed changes to these lists, \nproposed controls to submit to the Wassenaar and other \narrangements, deciding which ones to agree upon, and then \nreview the regulations that we would implement to implement the \nagreement. And then Congress also has technical advisory \ncommittees that work with us on reviewing the proposed changes \nand proposals to be submitted to the various regimes.\n    In December of 2013, the Wassenaar Arrangement approved new \nexport controls on command and delivery platforms for intrusion \nsoftware and related technology. 
Specifically, the entries in \ncategory 4 dealing with computers of the dual-use control list \nwould control non-publicly available software that generates, \noperates, delivers, or communicates with intrusion software. \nAnd an intrusion software was defined as software designed to \ncovertly gain access to a computer or other network device and, \nonce inside, to extract or modify data or modify an execution \npath of the device to allow the execution of externally \nprovided instructions.\n    Related hardware and technology entries would control \nsystems and equipment for generating, operating, delivering, or \ncommunicating with this intrusion software. And then, also, \ntechnology for developing the intrusion software was controlled \nas well.\n    The original proposal for these controls came from another \nWassenaar member in 2012. And the examples of the types of \ncommercial hacking software intended to be captured by the \ncontrol included those offered by Hacking Team from Italy, \nGamma/Fin-Fisher from Germany, and Vupen in France.\n    The controls were novel in that they were the first foray \nby a multilateral regime into the area of offensive cyber \ntools. The agreed-upon entries covering software intentionally \nexcluded intrusion software itself from control, that is, \ncertain kinds of malware, because of a general understanding \nthat everyone with a mobile device might have such software \nunwittingly on their device and didn\'t want to expose them to \nperpetual liability. 
In beginning, however, the process at \nCommerce of drafting the regulation to implement the control, \nwe grew concerned that despite several exclusions set forth in \nthe definition of intrusion software, the scope of the \ncontrols, particularly the developmental technology controls, \nmight be far broader in scope than originally understood by \nCommerce and its advisory committees.\n    We particularly became concerned that the category 4 \ntechnology control list entry in the draft regulation \ntechnology for the development of intrusion software could \ninadvertently significantly harm both U.S. Government and U.S. \nprivate sector cybersecurity programs and efforts if \nimplemented.\n    So in order to not take action that would inadvertently \nharm our Nation\'s ability to engage in critical cyber defense \nand related research work, we decided, in May of 2015, to take \nthe unprecedented step of publishing these Wassenaar control \nlist entries as a proposed rule with a request for private \nsector comments, rather than our usual step of publishing it as \na final rule.\n    Our hope was that the private sector comments would give us \na better sense for whether the rule would have unintended \nimpacts on our cyber defense and cyber research ecosystems. All \ndual-use controls have consequences and impose cost on the \nprivate sector. That\'s the nature of controls. But this one was \ndifferent because the impact would not just be on the economic \nbottom line of a company, but on our Government\'s and our \nNation\'s ability to share efficiently and quickly the types of \ntechnology necessary to conduct cyber defense and related \nresearch.\n    Also, immediately following the publication of the proposed \nrule, we received questions from U.S. private sector and others \nin the U.S. Government about the intended scope of the \ncontrols. And in order to make sure that we addressed all of \ntheir concerns, we published a series of FAQs. 
As will be \ndescribed later by our industry panelists and as is described \nin more detail in my testimony, we received over 260 comments, \ngenerally, all of them negative, describing several concerns \nthat you\'ve all summarized well in your opening statements.\n    I want to make clear that the administration has not made \nany decisions regarding what the next step will be other than \nthat the next step will not be a final rule. We\'re continuing \nto review the comments. We\'re continuing to work with our \ncolleagues in government and industry with expertise in \nequities and cyber defense and related research. We welcome all \nviews and all information, which is why we thank you for this \nhearing and whatever input or suggestions or advice that you \nhave for us. So thank you very much.\n    [Prepared statement of Mr. Wolf follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Ratcliffe. Thank you, Mr. Wolf. Dr. Schneck, you\'re \nrecognized for 5 minutes.\n\n\n                  STATEMENT OF PHYLLIS SCHNECK\n\n    Ms. Schneck. Thank you. Chairman Hurd, Chairman Ratcliffe, \nRanking Member Kelly, Ranking Member Richmond, and members of \nthese committees, thank you for the opportunity to testify \ntoday. And thank you as well for all the support that all of \nyour committee continue to provide to the Department of \nHomeland Security, most recently in the Cybersecurity Act of \n2015, which was discussed earlier. Because of that legislation, \nwe will be able to, at the Department, with our industry \npartners, with our interagency partners, and global partners, \nshare cyber threat information more rapidly, and in near real \ntime.\n    We appreciate the critical part that export controls play \nin ensuring that bad-intentioned people do not get their hands \non good technology to hurt others. 
We also appreciate the \nconcerns expressed by our partners and mentioned in previous \ntestimony that show how some of these controls that are talked \nabout today can actually potentially hurt cybersecurity \nefforts.\n    So based on these concerns raised by industry and the \npotential impact on the Nation\'s cybersecurity, the Department \nof Homeland Security believes that the interagency together \nshould reexamine the merits of the proposed rule. DHS plays an \nincreasing role in cyber and in export control. And we seek a \nbalance between getting to that right place in protecting dual-\nuse technology, and also incorporating the best expertise \nglobally and protecting our cyber infrastructure from the very \nrapid change that we see and the sophistication of the actors \nof which I and others have testified before you.\n    In my experience, before the 2-plus years I\'ve spent at the \nDepartment, I was in private industry. I experienced product \ndesign. I experienced research. I experienced threat \ndissemination and sharing with both other private sector \ncolleagues and companies, as well as our interagency partners \nin government, as well as around the world. That is the best \nthing that we can do to protect our cyber infrastructures is, \nas the Cybersecurity Act that you just gave us allows us to do, \nput threat pictures together, put indicators together, work \nwith the smart people around the world at the speed of light, \nin the speed of cybersecurity that our adversaries are \noperating in.\n    We hear a lot about the Internet of things. That means that \nalmost anything you can see and touch has a computer processor \nin it in the future. That means that all those things are \nexposed to cybersecurity vulnerabilities. And that means we \nneed the power of speed to put that story together, to \ndisseminate it rapidly, to share research, and design products \nthat protect better. 
We need the collaboration.\n    In this environment, researchers and developers need to be \nable to work together with alacrity. They need that in the \ngovernment. We need it in the private sector. And we need to be \nable to work together at the very speed and hopefully greater \nthan that speed at which our adversaries are working today. A \ngood example of how the Department works was in the Heartbleed \nepisode in April, 2 years ago. The Department of Homeland \nSecurity received information from another government that \nthere was a vulnerability in an open source encryption \nalgorithm, as you well know. We were able to, through our \nUnited States Computer Emergency Response Team, disseminate \nthat information internationally. Our CERT works, that\'s the \nComputer Emergency Response Team, our CERT works with over 300 \ndifferent CERTs internationally to get that information out \nthere.\n    Our cybersecurity companies and our private sector are \nglobal. Our government needs to work with other governments. \nThe U.S. has taken a leadership role because of our ability to \nshare and collaborate and push cybersecurity and cyber threat \ninformation out as far as we can. And companies and governments \nneed these tools and need to be enabled to have the same \nalacrity with which our adversaries are enabled.\n    Our adversary works, as I mentioned before, without \nlawyers. They have plenty of money. They have no boundaries. \nAnd as was mentioned earlier, we want to bypass jurisdictional \nroadblocks. We thank you for that. We in cybersecurity need to \nbypass competitive roadblocks. We need to bypass time \nroadblocks. And we need to be able to collaborate, again, \nwithout interruption.\n    Cybersecurity is a joint effort, involving government, \nprivate sector, and academia. 
We welcome the chance to work \ntogether, our three agencies, our entire administration, the \ninteragency, with all of our government partners to ensure, \nagain, our global leadership in cybersecurity, our global \nability to share this threat information. This is the main \nthing our adversaries cannot do. This is the product set that \nour companies can build for us. This is the ability for us as a \ngovernment to leverage all that innovation in the private \nsector and push it forward.\n    And our position is we would like to, as an interagency \ntogether, reexamine the merits of that rule by striking a very \ngood balance, getting it right, ensuring that we have all the \nbenefits of the hard work that\'s done in export control, but \nalso ensuring that cybersecurity doesn\'t stop. Anything we do \nto delay the collaboration between any smart mind that we can \nfind, human or machine, enables our adversary. So thank you. \nAnd I look forward to your questions.\n    [Prepared statement of Ms. Schneck follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Ratcliffe. Thank you, Dr. Schneck. The chair now \nrecognizes Ms. McGuire for her opening statement.\n\n\n                 STATEMENT OF CHERI F. MCGUIRE\n\n    Ms. McGuire. Chairman Ratcliffe, Chairman Hurd, Ranking \nMember Kelly, and Chairman Thompson, other distinguished \nmembers of the committee, thank you for the opportunity to \ntestify today on behalf of Symantec Corporation. This hearing \nis extremely timely. And we very much appreciate your shining a \nspotlight on a vital issue that threatens the cybersecurity of \nnot only the U.S. technology industry, but also that of all \nU.S. critical infrastructure companies and organizations that \nrely on cybersecurity.\n    The proposed U.S. 
cybersecurity export regulation under the \nWassenaar Arrangement would severely damage our ability to \ninnovate and develop new cybersecurity product, conduct real-\ntime global research, and share information on vulnerabilities \nand exploits, as well as to test and secure global networks and \nnew technology products.\n    These new regulations would restrict the free flow of \ninformation across borders and impose major new export \ncompliance burdens on all U.S. multinational industries. While \nthe regulation grew out of well-intended concerns over the \navailability of intrusion and surveillance software to \nrepressive regimes, the end result has swept in the core \nfunctionality of cybersecurity products and technology, and \nputs untenable restrictions on security testing and research.\n    The fact is, this is not an export control on a few \nspecific tools. It is a stringent new regulation on the entire \ncybersecurity industry, and our customers that would harm the \neconomic and national security of the United States. \nUltimately, it would leave every American less protected and \nvulnerable to cyber criminals and cyber terrorists.\n    The regulations would capture many common and critical \nsecurity tools. One of these is penetration testing. These \ntests are designed to stress systems just as real attackers \nwould and expose weaknesses that would allow an organization to \nimprove its defenses. Yet, under the proposed regulations, \nfinancial services, health care, energy, and other \nmultinational companies would need export licenses merely to do \nsecurity testing on their overseas systems and products.\n    We have other concerns, but I feel compelled that I need to \nraise one more. As you all know, Congress and the \nadministration have just acted to improve cyber threat \ninformation sharing. Yet, these regulations would undo much of \nthat effort. As many of you have said today, cybersecurity \nknows no borders. 
But at Symantec, in our business practices, \nwe also operate security operations centers around the world. \nUnder these regulations, we would be required to apply for and \nwait for an export license before discussing much of our \nsecurity research with a U.S. citizen who was working in one of \nour international centers. And the underlying rule does not \neven envision the accommodation of real-time machine-to-machine \ninformation sharing across borders.\n    As we all know, cyber threats move at light speed, not \nbureaucratic speed. And as Chairman Hurd said, the clock starts \nticking when an indicator of compromise is identified.\n    To provide some perspective, Symantec\'s intrusion \nprevention systems blocked approximately 300 million exploit \nkits for our global customers in 2015, one of the exact \ntechnologies that would be restricted under this rule. \nCompanies like ours rely on unfettered research and \ncommunication to innovate and develop the next generation of \nsecurity technologies. At Symantec, our preliminary assessment \nshowed we would need at least 1,000 new licenses. Today, we \nneed less than a dozen. But the truth is that we\'ve stopped \ncounting, as the number is likely to go even higher. Coupled \nwith an average lead time of 6 months to develop a license \napplication, there is no doubt that these new burdens would \ncripple our ability to respond to real-time threats and cyber \nattacks.\n    Another issue is that countries that are party to the \nWassenaar Arrangement and have implemented the rule have taken \nvastly different approaches. There are multiple interpretations \nof the underlying language that have led to confusion, and \nimplementation differs significantly from country to country. \nIn fact, today, we at Symantec are holding up a product \nreleased in one country, while our lawyers try to figure out \nthe next steps that should be taken. And we\'ve seen other U.S. 
\ncompanies who are already pulling back on international \nresearch engagements because their attorneys say there is too \nmuch risk for cross-border research flows.\n    The simple fact is that the rule will do little to stop the \nspread of malicious intrusion and surveillance tools, or \ncurtail illicit hacking and intrusions in any way. In fact, the \ncurrent rule would do just the opposite. It would handcuff \nsecurity vendors and multinational companies from using all the \ntools available to them, while imposing no restrictions on \ncyber criminals. After hearing significant concerns, the \nDepartment of Commerce, to its credit, quickly withdrew the \nproposed rule. The conversations that have followed have been \nextensive and frank, but, ultimately, unsuccessful. This is not \nbecause of a lack of good faith on either side, but because of \ndefects rooted in the 2013 Wassenaar cybersecurity agreement.\n    For this reason, we strongly recommend that the rule be \nremanded back to Wassenaar to be renegotiated and more narrowly \ndefined. Of course, we look forward to continuing to work with \nCongress and our U.S. Government partners, to share our \ntechnical expertise on this very important issue to our \nindustry and critical infrastructure in the U.S. Thank you for \nthe opportunity to testify today. And I look forward to any \nquestions you might have.\n    [Prepared statement of Ms. McGuire follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Ratcliffe. Thank you, Ms. McGuire. The chair now \nrecognizes Mr. Mulholland for his opening statement.\n\n\n                  STATEMENT OF IAIN MULHOLLAND\n\n    Mr. Mulholland. Chairmen Hurd and Ratcliffe, Ranking \nMembers Kelly and Richmond, thank you for the opportunity to \ntestify today at this important hearing. I\'m Iain Mulholland, \nthe head of the Engineering Trust and Assurance Group at \nVMware, and I am our senior security engineer. 
VMware is \nheadquartered in Palo Alto, California, and is the fourth \nlargest software company in the world, with 2014 revenues of \nover $6 billion and over 18,000 employees globally. Ironically, \nI may be one of the few people in the room, other than, \nperhaps, Ms. Ganzer, who has actually spent any time in \nWassenaar, as my then-fiancee lived there in the 1990s. I spent \na summer in Wassenaar reading books on computer security during \nmy transition out of service in the British military.\n    I now have almost 20 years\' experience in the software \nsecurity engineering field. I came to the U.S. in 2002 as one \nof the early members of the Microsoft Trustworthy Computing \nGroup. And in 2011, I established VMware\'s Product Security \nGroup.\n    If implemented, the 2013 Wassenaar Arrangement could \nundermine our strong security posture and hinder our ability to \nadequately protect our customers and our products. It would \nintroduce significant hurdles to rapidly receiving and sharing \nthreat information, in particular, vulnerability exploit code \nthat is critical to the swift development of security patches \nthat protect software users, something that Chairman Hurd \nalluded to.\n    This introduction of a requirement to apply for and obtain \nlicenses during critical, time-sensitive responses to security \nvulnerabilities, which may already be under active \nexploitation, creates an asymmetry that is to an attacker\'s \nadvantage, since, unlike the defender, the attacker has few \nsuch constraints.\n    In my written testimony, I included three different \nexamples that speak to the core challenges that implementing \nthe 2013 rules would present not only VMware, but as some \ntestimony has already alluded to, other U.S. technology \ncompanies. In the interest of time, I would like to share one \nof them with you. 
In the last 12 months, VMware has \ncollaborated with several small security research organizations \nin Europe to remediate critical security vulnerabilities that \nthey identified in our products. These vulnerabilities, if left \nunpatched, could have allowed a malicious attacker to take \ncomplete control over critical infrastructure. During the \ncourse of our investigations, researchers often provide VMware \nwith sample exploit code that demonstrates the flaw to our \nsecurity response team.\n    Exploit code is often key in accelerating the speed with \nwhich our engineers are able to understand the flaw and develop \na patch to protect our customers. If a picture paints 1,000 \nwords, then in the field of software security, the exploit is \nour picture. In one example, the security researcher was in \nPoland, his parent company, in the Netherlands, the \ncoordinating VMware incident response team in the U.S. and \nCanada, and the team responsible for developing the security \npatch, in India. In addition, several of our U.S.-based \nemployees were non-U.S. persons. In this example, VMware and \nthe researcher would have required multiple licenses, one from \nPoland to the Netherlands, from Poland to the U.S., from the \nNetherlands to the U.S., from the U.S. to Canada, and several \nwithin the U.S. just to share information across cubicle walls \nwith non-U.S. persons based in the United States.\n    Security vulnerability reports typically come through our \nindustry standard security at VMware.com email address, using a \nsecurity research protocol that has been in use in our industry \nfor over 15 years. In 2015 alone, over half the security \nvulnerabilities reported to VMware came from individuals or \norganizations located in Wassenaar countries. In most cases, an \nexport license would have been required for the researcher to \nreport the security issue to us. 
A security researcher may not \neven have known who or where they were exporting an export to, \nsince security at VMware.com is staffed on a rotational basis \nby a global team, half of whom are outside of the U.S. or non-\nU.S. persons.\n    It is improbable that these small research companies or \nindividuals will take on the administrative and financial \nburden of applying for potentially multiple export licenses \nsimply to report a security vulnerability. And as a result, \nthis important source of information will dry up, or much \nworse, end up in the underground vulnerability market, leaving \nvulnerabilities unreported, unpatched, and under active \nexploitation.\n    Moving forward, we recommend the BIS and the Department of \nCommerce continue to keep all options on the table. We applaud \nthem for reconsidering their original draft, and hosting a \nseries of public forums with a range of stakeholders to try and \nfind a reasonable solution which we are pleased to participate \nin.\n    Ultimately, however, the U.S. should return to Wassenaar \nand renegotiate the 2013 arrangement. We live in a global \ndigital ecosystem that is not constrained by borders. We \nreceive information about threats that affect the security of \nour products and our customers from all over the world. Even if \nthe U.S. fixes its domestic policy, it will not enable us to \ncontinue to receive and share critical and timely information \nthat affects the security of our customers on products from \noutside our borders. We must have the tools and resources on \nhand to act immediately and continue to provide world class \nsecure software and services and ensure customer safety. \nUnfortunately, the 2013 Wassenaar agreement would undermine our \nability to do so.\n    I applaud the leadership of the committee for holding this \nhearing today. Thank you for the opportunity to testify. And I \nlook forward to answering your questions.\n    [Prepared statement of Mr. 
Mulholland follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Ratcliffe. Thank you, Mr. Mulholland. Ms. Goodwin, \nyou\'re recognized for 5 minutes.\n\n\n               STATEMENT OF CRISTIN FLYNN GOODWIN\n\n    Ms. Goodwin. Chairman Ratcliffe, Chairman Hurd, Ranking \nMember Richmond, Ranking Member Kelly, Chairman McCaul, \nChairman Thompson, members of the subcommittees, my name is \nCristin Flynn Goodwin. And I\'m assistant general counsel for \nCybersecurity at Microsoft. I advise a wide range of teams on \ncybersecurity legal issues, and I manage Microsoft\'s Government \nSecurity Program working with governments around the world. \nThank you for convening today\'s hearing and your bipartisan \nleadership to support our Nation\'s cybersecurity. Microsoft has \na deep commitment to cybersecurity. And I\'m happy to be here \ntoday to discuss our perspective of the Wassenaar Arrangement\'s \ncontrols on intrusion software agreed to at the December 2013 \nPlenary and the proposed U.S. implementation.\n    As detailed in my written testimony, Microsoft believes the \nWassenaar Arrangement\'s approach to controlling intrusion \nsoftware and the broad export licensing requirements proposed \nin the U.S. would undermine security research, incident \nresponse, cyber collaboration, and product innovation. We agree \nwith your assessment, assessed in a bipartisan letter to \nAmbassador Rice last month, that without a significant \noverhaul, these broad licensing requirements could seriously \nhinder national security.\n    The intent of the drafters of these provisions was to \nprevent the export of surveillance software to criminal \norganizations or repressive regimes, which is admirable and \nimportant. Unfortunately, due to the very broad definition of \nintrusion software, extensive range of security technologies \nwill now be subject to broad and burdensome licensing \nrequirements in the U.S. 
If left unchanged, the proposed \ndefinition will have a chilling effect on the development of \nproducts and services and on the discovery of existing \nvulnerabilities. It will also significantly impact security \nincident response, and create new barriers for those seeking to \nsecure themselves against increasingly persistent and \nsophisticated cyber threats. To demonstrate the impact, \nconsider these three very common cybersecurity scenarios.\n    First, a large critical infrastructure provider based in \nGermany is concerned that there is an attacker present on its \ncorporate network and stealing sensitive information. The \ncompany calls in an American security company to come to \nGermany to help investigate whether the attacker is still \npresent, and to use tools to find out what the attacker might \nbe trying to steal or access without tipping them off.\n    Second, a cybersecurity researcher with a small company in \nthe United States finds a new piece of malware that hides \nitself on a user\'s machine, and then automatically deletes log \nfiles that indicate where an attacker is hiding on a machine. \nThe researcher wants to share his analysis of the malware and \ncollaborate with a software vendor in the U.S.\n    Third, an American software company is developing a new \nproduct for commercial sale. Its internal security team, with \nmembers in the U.S., Australia, and Japan, wants to develop a \ntool that will help them test the product\'s security measures \nbefore it is sold.\n    What do these scenarios have in common? Security response, \ncollaboration, and product innovation stops until new export \nlicenses can be processed, which can take weeks or even months. \nIt also means that the attacker will be present for weeks on \nthe German network. The malware identified by the researcher \nwill continue affecting machines. 
And the software company will \nbe delayed in its effort to develop a new product.\n    Clearly, none of this is in the best interest of American \ncybersecurity. The United States must lead the effort to re-set \nthis flawed approach internationally. Security experts should \nnot have to pick up the phone in the middle of the night to \ncall in an export control adviser to determine whether they can \nshare certain technical information about an ongoing attack or \nas part of their day-to-day work, wait to collaborate with \ninternal or external colleagues on security priorities. In \ntoday\'s global security environment, the ability to collaborate \nwith peers and colleagues should be the default, not the \nexception.\n    As both of your subcommittees know well, developing \ncybersecurity policy requires a deep understanding of the \nproblem, broad input from experts, engagement with the \nexecutive branch and Congress, and a transparent process.\n    Regrettably, to the detriment of cybersecurity, the \nWassenaar Arrangement definition of intrusion software does not \nreflect this type of inclusive process. It must be \nrenegotiated.\n    In conclusion, Microsoft is a committed participant in the \npublic-private partnership, and strongly encourages Congress \nand the executive branch to take the necessary steps \ninternationally, and with our Wassenaar partners, to undo the \noverly broad and complicated export control requirements. \nConcurrently, the administration should suspend any related \nrulemaking efforts until a new agreement can be reached, making \nuse of a robust, consultative process.\n    Ms. Goodwin. I commend you for examining this issue today, \nand thank you for the opportunity to testify. I look forward to \nanswering your questions and working with you on this important \nissue. Thank you.\n    [Prepared statement of Ms. Goodwin follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Ratcliffe. Thank you, Ms. Goodwin. 
The chair now \nrecognizes the very patient Mr. Garfield for his opening \nstatement.\n\n\n                 STATEMENT OF DEAN C. GARFIELD\n\n    Mr. Garfield. Chairman Ratcliffe, Chairman Hurd, Ranking \nMember Kelly, Ranking Member Richmond, members of the \ncommittee, on behalf of 64 of the most dynamic and innovative \ncompanies in the world, some of whom are also at this table, we \nthank you for hosting this hearing, inviting us to testify, and \nfor your bipartisan approach on this issue, including the \nletter that you sent at the end of last year. I\'ve listened \ncarefully to the testimony of the other folks on this panel, \nand rather than repeating what they\'ve already said so \neloquently, I\'ll try to focus in on some of the questions that \nwere implicit in your testimony, including why is this \nimportant? What should we do about Wassenaar? Can we simply \nrevise the rules? And what are our recommendations or next \nstep?\n    As to the first, why is this important, our company, the \ncompanies that are members of ITI, are really the technology \nplatform for the entire world. There is no sector or industry \nthat\'s exempted from the implications of the Wassenaar \nArrangement. Increasingly, cross-border data flows are the \nsteam of the economic engine worldwide as well as innovation, \nthe innovation ecosystem. The Wassenaar Arrangement impacts all \nbusinesses, whether they are technology-based or otherwise.\n    Can the defects in the rules be cured? Our recommendation \nand answer is no. In spite of the best intentions of the \ndrafters, the fundamental flaws in the proposed rules emanate \nfrom the arrangement itself. 
And I\'ll point to three areas that \nare--that speak to that.\n    One, the presumptions, the problematic presumptions, around \ndrawing lines between intrusion software, as well as drawing \nlines around IP network surveillance systems are found in the \nrules themselves, but are very much, in fact, grounded in the \nWassenaar Arrangement as developed in 2013.\n    Secondly, the question that Chairman Hurd raised and \nRanking Member Kelly alluded to around whether you can actually \ndeal with the fast-paced world of cybersecurity in cross-border \ndata flows through the lumbering world that is limited by \nborders in export controls, the answer is no.\n    Third, what is really needed here is a multinational \napproach, as a number of the members on this panel and the \ncommittee have noted, given the nature of our economy today, \nits heavy reliance on cross-border data flows, as well as the \nnature of cybersecurity that\'s been advanced by the work of \nthis Congress through the Cybersecurity Act of 2015, as well as \nthe Department of Commerce through NIST.\n    Increasingly, the way to deal with cybersecurity issues is \non a multinational basis through the sharing of cyber threat \ninformation. The Wassenaar Arrangement stands in the way of \nthat.\n    Relatedly, there are a number of nations that are a \ncritical part of advancing cybersecurity that are not a part of \nthe Wassenaar Arrangement, including Brazil, India, and China. \nSo what do we do? Our recommendation is consistent with the \nprivate sector witnesses on this panel. Given that the root of \nthe challenge is grounded in the 2013 developments in Wassenaar \nand the Wassenaar Arrangement, our recommendation is to go back \nto Wassenaar to cure those fatal defects. 
We say that not out \nof taking any pride in suggesting that the United States go \nback and renegotiate this agreement, but from our perspective, \nit\'s truly an opportunity to exercise leadership.\n    There are a number of countries that are struggling with \ndealing with these same issues, and the United States has an \nopportunity to provide global leadership in dealing with what \nare truly complex issues.\n    Secondly, it\'s important that whatever is done next is \ninformed by experts, including many of those that are in this \nroom, and some of who are not.\n    I thank the committee, again, for this opportunity to \ntestify. And I look forward to your questions and to working \nwith you towards a solution. Thank you.\n    [Prepared statement of Mr. Garfield follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Ratcliffe. Thank you, Mr. Garfield.\n    The chair now recognizes himself for 5 minutes of \nquestions.\n    And I want to start, Ms. Ganzer, with you, because you were \nthe only witness that didn\'t have a statement, and there was \nsome intimation about--about your role, perhaps, in negotiating \nthe Wassenaar Arrangement of 2013 and the inclusion of \nintrusion software. And so I want to take just a minute of my \ntime to give you an opportunity to address whether or not \nthat\'s accurate, or what your role was, if any?\n    Ms. Ganzer. Thank you, Mr. Chairman. I appreciate the \nopportunity to be here today. In my role as the Director of \nConventional Arms Threat Reduction, I am the head of delegation \nfor the Wassenaar Arrangement writ large for the United States. \nSo I was in the chair for the United States when the control \nwas adopted and agreed to on behalf of the United States. I was \nnot responsible, specifically, in the room when it was \nnegotiated. 
The administration has an integrated team of \nmembers from the interagency generally, including the Commerce \nand Defense Departments; Homeland Security may be there; Energy \nmay be there; depending on what issue is being negotiated. But \nthe administration and an integrated team negotiated these \ncontrols. And, so, there would have been an integrated team \nthat agreed to the specifics.\n    I would note that the control was intended to capture \npurpose-built suites of operated control--operator controlled \nsoftware that extract--are designed to extract data from a \nsystem, modify a system or its data, or modify the system to \nexecute a malicious operator\'s instructions without the systems \nowner\'s knowledge. That was what we intended to control, and \nthat is what we thought we controlled. So the reaction from our \nindustry colleagues here was quite a surprise to us. And we \ncontinue to work the issue within the administration to--to do \nno harm, as some of the members mentioned in their statements. \nThank you.\n    Mr. Ratcliffe. Terrific. Thank you. That\'s helpful, Ms. \nGanzer.\n    So based on that, and you answered my next question, was \nbased on the comments you heard today and the more than 300 \nformal comments from industry, were you surprised? And you said \nthat you were.\n    As a follow-up to that, do you think those comments are \njustified?\n    Ms. Ganzer. Sir, the industry knows what they are doing. \nSo, absolutely. 
Many of the comments were very serious, went \ninto very detailed analysis of the proposed rule, many proposed \nexceptions or different ways that we could address some of \ntheir concerns, and many of them were amplified, or reiterated \nthrough the process of meetings that the Department of Commerce \nhosted, in which I and several members of my team attended to \nlisten to these concerns from industry.\n    So, absolutely, they--they were, in many cases, right on \nthe mark, and we are taking them very seriously.\n    Mr. Ratcliffe. Terrific. Thank you.\n    So let me follow up on the specifics. One of the comments, \nI believe, was from Ms. McGuire and others in the industry, as \ndrafted, what keeps bad actors that the Wassenaar Arrangement \nis seeking to stop from purchasing unlicensed products, or \npurchasing products in a nonparticipating state?\n    Ms. Ganzer. Thank you for that question. That\'s a difficult \none to answer. As Mr. Van Diepen has already indicated, export \ncontrols are most effective when they are multilateral. And so \nthis is why we work through organizations like the Wassenaar \nArrangement when we establish controls, because, first of all, \n41 members of the Wassenaar Arrangement, including many of our \nallies who developed this sophisticated technology, commit to \nthe controls in the Wassenaar Arrangement, and there are a \nnumber of other countries that unilaterally adhere to the \nWassenaar Arrangement controls.\n    So we do capture a good portion of the market by \nestablishing controls in a multilateral form like the Wassenaar \nArrangement.\n    Mr. Ratcliffe. Okay. Well, I appreciate that.\n    Do you think, or would you agree, that as written, there\'s \na security consequence to the domestic implementation of the \nWassenaar Agreement as some folks in industry have indicated?\n    Ms. Ganzer. It--just to clarify, it was a proposed rule. \nNothing has actually been implemented yet. 
But indeed, since we \ndid not intend to capture many of the scenarios that were--were \npresented to us by industry, this is something that we need to \nfix, and we are working interagency, analyzing the comments, \nfollowing up with them to determine what our next steps forward \nwill be.\n    Mr. Ratcliffe. So I appreciate that.\n    So as my time expires, in terms of coming to that solution, \nyou\'ve heard some calls here from folks in industry for this to \nbe renegotiated. And so my question to you is, why or what are \nthe impediments, if any, to doing that? Because as I was \nunderstanding the arrangement, it meets every year.\n    Ms. Ganzer. Well, first and foremost, we have not yet \ndetermined whether we need to do that. The interagency \ncontinues to work that issue. So saying we are going to go back \nand negotiate would be premature. But I would note that the \nWassenaar Arrangement operates by consensus. All 41 members \nwill have to agree, and 31 members have already implemented \nthis control. So that is--we are also looking at how other \ncountries are controlling this or have implemented it, and that \nwill all be taken into account in the administration\'s decision \non what we will do going forward when we--when we get there.\n    Mr. Ratcliffe. Terrific. Thank you, Ms. Ganzer.\n    My time has expired. The chair now recognizes the ranking \nmember, Ms. Kelly, for her questions.\n    Ms. Kelly. Thank you, Mr. Chair.\n    As I stated in my opening statement, today\'s hearing is a \nrecognition of the fact that the Federal Government and the \nprivate sector must work together effectively to thwart \ncybercrime and to support advancement in cyber defense and \nresearch.\n    Mr. 
Garfield, you talked about meeting a multinational \napproach, sharing information, curing fatal defects, exercising \nleadership, and that leadership that we exercise needs to be \ninformed by experts.\n    What role do you see that Congress can play to ensure that \nthe private sector\'s concerns pertaining to the proposed \nWassenaar regulations are adequately addressed?\n    Mr. Garfield. Thank you for listening so carefully. You\'ve \nrecounted my testimony more effectively than I did.\n    I think the thing you can do you are, in fact, doing. So \nthe letter that was sent in December making sure that there\'s a \nrecognition that this is not political, it\'s bipartisan, and \nit\'s critically important. I think the second thing is, in \nfact, Congress insisting on getting real answers on what\'s \ngoing to happen next. And so continuing your oversight, I \nthink, is an important part of the role that you can play in \nthis area.\n    You\'ve done a lot through the bills that you\'ve passed on \ncybersecurity, including the Cybersecurity Act of 2015, and we \ncommend you for that.\n    Ms. Kelly. Thank you. This rulemaking is an opportunity for \nthe government and private sector to demonstrate that working \ntogether can produce positive results with no unintended \ncollateral harm to cyber\'s defense capabilities.\n    Ms. Goodwin, one area of your testimony focuses on the \nimportance of the public-private partnership in cyber security \nregulation. I was wondering if you could, if possible, offer \nexamples of private-public partnerships in cybersecurity that \nare working, and that could serve as an example for how the \nimplementation of the Wassenaar Arrangement export controls \nmight be revised to meet the government and private sector?\n    Ms. Goodwin. Thank you, Ranking Member Kelly. There are a \nnumber of things that we can point to in the public-private \npartnership space. 
The collaboration and coordination that the \nprivate sector and companies like Microsoft has with the \nDepartment of Homeland Security\'s Computer Emergency Response \nTeam, U.S. CERT, its collaborative way in which it comes \ntogether to triage incidents that the security community\'s \nconferences and hacking competitions and prizes to find the \nbest way to disassemble the vacuum cleaner and put it back \ntogether, this is a robust community where the ability to \nexchange information with the government and with other \ncompanies is absolutely essential to our ability to secure \nourselves and our customers.\n    Imagine if Congress were to pass a bill without any \nconstituent input, without any consultation with experts, and \nthen once the bill had been signed into law, then to say, well, \nwe\'ll work on the implementation after the fact. The reality is \nthat we have a very robust public-private partnership that \nwe\'ll have to leverage. In the event that additional export \ncontrol ideas are floated in a community where the private \nsector may not play, we have to rely on our government partners \nto bring this to us and to triage them and to think about the \nimplications and consequences before we take any position.\n    This--Mr. Wolf said that this was an issue of first \ninstance in his testimony. We had not attempted to tackle \ncybersecurity quite like this in the export control space, so \nthis is an opportunity for us to rethink the process so that \nthe public-private partnership can be brought to bear in these \ntypes of questions, so that we don\'t have to, like you said, to \nregulate first and ask questions later.\n    Ms. Kelly. Thank you.\n    Mr. Mulholland, as the engineer on the panel, do you think \nit would be sufficient that the administration, through a \nrevised policy, puts in intracompany license exemption into a \nnew rule?\n    Mr. Mulholland. Thank you, Congresswoman Kelly, for the \nquestion. 
The simple answer to that is no. The reality is that \nmight help our situation domestically, but the reality is, is \nthat as a global company, I will seek threat information on my \nproducts from anywhere.\n    You know, we heard a few minutes ago that there are 31 \ncountries have already implemented Wassenaar. The reality is, \nin my mind anyway, Wassenaar is not 41 countries in this space, \nit is 40 plus one. There is one country in this world and one \ncountry and not 41 who provides overwhelming leadership in the \ntechnology sector. The reason why I don\'t think we\'ve actually \nseen any negative consequences from the other 31 is because, \nfrankly, their expert ratings are not likely to be injurious to \ntheir industries, because, frankly, they don\'t have \nparticularly vibrant industries.\n    And I, you know, heard many of the members have commented \non our leadership. Ms. McGuire cited an example where a U.S. \ncompany pulled out of Japan, pulled out of participating in a \nvery long, established security research conference in Japan. \nDoes that injure Japan\'s technology industry, or does it injure \nthe U.S. industry? My vote is that it injures the U.S.\n    So in short, no, BIS fixing the situation here in the U.S. \ndoes not fix the problem. The only way the problem gets fixed \nis to go back to Wassenaar, or perhaps, even concerning whether \nexport controls is the right way to tackle this problem.\n    Ms. Kelly. Thank you. And I\'m out of time.\n    Mr. Ratcliffe. I thank the gentlelady.\n    At this time, I ask unanimous consent to insert into the \nrecord a letter from more than 100 Members of Congress to \nAmbassador Susan Rice regarding our collective concerns about \nthe addition to the Wassenaar Arrangement to export controls of \nintrusion software that, in our opinion, could seriously hinder \nnational security.\n    Without objection, it is so ordered.\n    Mr. Ratcliffe. 
At this time, the chair recognizes my friend \nand colleague from Texas, Congressman Farenthold.\n    Mr. Farenthold. Thank you very much, Mr. Chairman.\n    And I wanted to start out with Ms. Goodwin from Microsoft. \nWe\'ve talked a little bit about, today, about how some of this \nsoftware is available from countries that aren\'t a party to our \nagreement. I know Microsoft is active in fighting software \npiracy as well. Even in the domestic, international stuff that \nwe\'re seeking to regulate, software is pretty portable and \npretty easy to pirate. Do you think there\'s a practical way we \ncan actually put export control on software against, obviously, \na hacker who would be typically unethical to begin with, or a \nstate actor that\'s hostile to us? I imagine y\'all struggle \npretty hard from keeping Microsoft Word from getting pirated?\n    Ms. Goodwin. That\'s a great question, Representative. Not \nonly is it a challenge from a piracy standpoint, it\'s also a \nchallenge from a legal standpoint. If you look at the \nimplementation of the Wassenaar Arrangement thus far, I would \npoint to the Hacking Team, which is a company that creates this \ntype of intrusion software, and over in the gov--in Italy. And \nthe Italian Government issued them a license to continue to \nsell this software.\n    And when the Hacking Team was actually hacked itself, and \nits email was disclosed around the world, it was found that \nthis software, which had been licensed by the government in \nItaly under this regime had been sold to regimes like Ethiopia \nand Sudan.\n    And, so, part of the challenge in thinking about how do we \napply export control in the space is what do we do when you \nhave uneven, or different implementations that software \nactually can be licensed, and then sold and used in ways that \nare contrary to the original intent of the regulation? So it is \nextremely difficult to figure out how to solve a challenge like \nthat.\n    Mr. Farenthold. 
Let me ask you another question. It seems \nlike we\'re focusing on regulating the tools rather than the \npeople. I mean, I think that kind of goes along the--you know, \nnot just even the developers, but the folks that are using it. \nI mean, where do you--where do you see--do you think that\'s a \nbetter idea, and do you think that\'s more doable?\n    Ms. Goodwin. There are criminal laws in place today that \ncan be used to leverage to pursue those that are violating \ncybercrime laws. The European convention on cybercrime is a \nmultilateral tool and instrument that we can use as well. And \nso what we can do is focus more on prosecution and looking at \nnegative implications of how these tools are used. Yes, \nabsolutely.\n    Mr. Farenthold. Thank you very much.\n    And let\'s talk to, I guess, Ms. Ganzer from the State \nDepartment. As y\'all\'s team was getting ready for the \nnegotiations, did y\'all go out and talk to companies like \nMicrosoft or Symantec or VMware? What was your engagement with \nthe industry?\n    Ms. Ganzer. There\'s--thank you for the question, \nCongressman. There\'s an established process by which we share \nthis information with the Commerce Department technical \nadvisory committees who are made up of industry. I actually \nthink it might be more appropriate----\n    Mr. Farenthold. Kevin, do you want to--Mr. Wolf, you want \nto take that one?\n    Mr. Wolf. Sure. Before agreeing to or submitting a proposal \nto Wassenaar or any of the other regimes, we share it with one \nof six technical advisory committees that are all volunteers, \nindustry participants, experts in the area. And the original \nidea was shared with the relevant groups, and they didn\'t have \nany objection on the thought that----\n    Mr. Farenthold. Did it come as a surprise to you that we \ngot so many negative comments?\n    Mr. Wolf. Well, by the time we received the comments, no. 
\nAt the time we agreed to the control, it would have, because \nthe original understanding was that it was a quite narrow, \nspecific, a very small number of products that would be \naffected. And as we began to learn more and engage in the very \nindustry output that is being discussed here, we began to get \nmore and more concerned of unintended consequences, and that\'s \nwhy I said I think this is the first time we, Commerce, have \nactually pulled out from the implementation rule for a regime \nrule. And instead of gambling and potentially getting it wrong, \nwent out to industry to confirm if our suspicions were correct, \nor maybe we were being too concerned, and then the comments \ncame in.\n    And that was actually part of the plan, was to see if we \nmade a mistake, needed to do something differently at whatever \nlevel. So in a way, the process is actually working exactly as \nintended.\n    Mr. Farenthold. Would you agree with that, Ms. Ganzer?\n    Ms. Ganzer. Absolutely.\n    Mr. Farenthold. And were you surprised with the comment, \nthe number of comments as well or the----\n    Ms. Ganzer. Much as Assistant Secretary Wolf said, by the \ntime they came in, no. But when we first started this process, \nyes. Because we had thought, based on the comments from our \nWassenaar partners, that we had negotiated a rather narrow \ncontrol. Thank you.\n    Mr. Farenthold. I see my time has expired.\n    Thank you, Mr. Chairman.\n    Mr. Ratcliffe. I thank the gentleman.\n    The chair now recognizes the gentlelady from California, \nMs. Sanchez.\n    Ms. Sanchez. Thank you, Mr. Chairman.\n    And it\'s fascinating. Every time I come to a cyber issue, \nit\'s just incredibly fascinating. I remember--I\'m from \nCalifornia, so, of course, we think that we have encryption and \ncyber as far cutting edge as possible.\n    I remember, Mr. 
Chairman, 20 years ago, when I sat on the \nArmed Services Committee, we had instituted a military--a block \non sending encryption out. And at the time, it was Adam Smith \nand myself were the only ones who were going, wait a minute, if \nwe do that, we\'re going to lose encryption ability, or \ntechnology lead in California or the United States. And, in \nfact, we struggled, as Symantec and others will tell you, prior \nto the company, we struggled quite a bit until we were able to \nundo some of those restrictions.\n    So you were surprised, even though you had--you thought you \nhad industry covered through the system. So my question to you \nwould be, have you gone back and rethought different levels you \nmight have interacted at the time with respect to that so we \ndon\'t have the same type of surprise again? Because these \nissues of export controls and what is used and what is the \nstandard and who\'s setting the standard and who\'s got the keys, \nit\'s going to come up over and over and over again.\n    So have you--have any of you gone back and rethought it, \nsay, there might--where you could have interjected industry \nearlier, or was industry just sort of like, yeah, yeah, yeah? \nSometimes that happens here in the Congress. You know, someone \ncomes up to you, yeah, yeah, yeah, sign me on. Then you go \nback, and you think about it, and you have to pick up the phone \nand say, wait a minute, maybe what I agreed to isn\'t exactly \nwhat I was thinking at the time.\n    Mr. Wolf. Sure. 
I would cite the fact that--as I just said, \nwe pulled out of the implementation rule this specific topic \nonly, and instead of just implementing it, shooting first and \nasking questions later, as was referred to earlier, asking for \nindustry input before deciding.\n    This has also highlighted the complexity of this topic in \ngeneral, and we\'re always looking for new volunteers and \nparticipants with different areas of expertise to join our \ntechnical advisory committee. It\'s a volunteer organization. \nAnd so absolutely, on a going-forward basis, I plan to have \nmore experts in this to help us review this, and to the extent \nthis type of issue comes up in the future.\n    In the short term, in the meantime, we have this particular \nissue. And, you know, with the great benefit of our colleagues \nfrom other parts of the U.S. Government and other industry \nparticipants and the actual comments that have come in, the \ngoal is to think through all the various options and ways to \naddress all the various concerns that were described today to \nachieve the objectives, but without the harm. So the short \nanswer to your question is yes.\n    Ms. Sanchez. Good. That\'s what we like to hear.\n    Mr. Wolf. Yes, ma\'am.\n    Ms. Sanchez. Secondly, so some countries, or signatories to \nthis, have already started to implement, as you say. And, of \ncourse, the big gorilla in the room is the United States, as \nyou know, because we--I think, again, we still hold the edge on \nthis area in the industry, and probably the industry itself.\n    So what is the process to go back and renegotiate if we\'ve \nalready--if some countries have already started implementing? \nWhat would we--what does Congress need to--do you need Congress \ninvolved in this? Or is it just an administrative thing where, \nyou know, the administration could go back and say, Hey, guys, \nwe were kidding; let\'s sit down; we\'ve got to redo this?\n    Mr. Van Diepen. 
Well, Congresswoman, again, we\'re still, as \nan administration, working through the comments and then the \nvarious options we have for mitigating the problems and then \nconsulting with industry. I think one of the things we\'ll do as \npart of that is consult with the Wassenaar, or the 31-plus \nWassenaar countries that have already been implementing this \ncontrol for a year without apparent controversy to find out \nfrom them well, what has their experience been? Once we sort \nof, you know, canalize the comments, how do you guys deal with \nissues like this and get from them ideas that could help us?\n    Ms. Sanchez. And if that doesn\'t work, the reality is that \nwe do need to renegotiate?\n    Mr. Van Diepen. If at the end of the day, we think that we \nneed to try to renegotiate the control, you know, then, at that \npoint, you know, it\'s a diplomatic discussion amongst 41 \ncountries. And as noted, at the end of the day, any change will \nrequire consensus. All of them would have to agree. And for a \nnumber of them, and, presumably, their starting point is going \nto be, Well, wait a minute, we\'ve been implementing this \ncontrol for a year plus. We haven\'t had any problems. Why are \nyou guys having problems? And so we\'ll have to have that kind \nof discussion going--going back and forth. But at the end of \nthe day, it would require us to be able to convince the other \ncountries to go along with some sort of modification.\n    Ms. Sanchez. Great.\n    Mr. Chairman, thank you for the time. And let me just say \nthat I think this is an important issue and, hopefully, we can \nget a timeline out of the administration about where they might \nbe and--so that we can make sure that we keep up with what\'s \ngoing on on this in case it needs to be renegotiated.\n    Mr. Ratcliffe. I thank the gentlelady for her comments.\n    And at this time, the chair recognizes the former U.S. \nAttorney from Pennsylvania, my friend, Congressman Marino.\n    Mr. 
Marino. Thank you, Chairman.\n    Good afternoon, ladies and gentlemen. Thank you for being \nhere.\n    Ms. Ganzer, can you clarify something for me, because I was \nrunning in and out to other--other hearings.\n    What specifically was your role in this negotiation? Are \nyou--were you the person that made the final decision in the \nWassenaar Agreement?\n    Ms. Ganzer. As I said, ultimately, it\'s my responsibility, \nCongressman, but, in fact, this had to be agreed across the \nadministration. We all agreed to the control before we said \nokay.\n    Mr. Marino. What part did--maybe Mr. Van Diepen--am I \npronouncing that correctly? What part did you play in this, \nsir?\n    Mr. Van Diepen. I am the Deputy Assistant Secretary \nsupervising Ms. Ganzer\'s office. So among other things, would \nhave approved the interagency guidance cable that set out the \nparameters of what proposals we could and could not agree to in \nthe Wassenaar----\n    Mr. Marino. Okay. Now it\'s starting to make sense.\n    Mr. Wolf and Ms. Schneck.\n    Mr. Wolf. No, I would like to concur. This is--all \nagreements with Wassenaar are as a result of consensus of the \nDepartments of Commerce, State, and Defense. And so it wasn\'t \njust State, you know, unilaterally agreeing to it. It was the \nconsensus of the departments participating.\n    And as I said, we had doubts about it later, but at the \ntime, it was a consensus decision of the administration.\n    Mr. Marino. Okay. Ms. Schneck, am I pronouncing that \ncorrectly?\n    Ms. Schneck. Schneck.\n    Mr. Marino. Schneck. I\'m sorry.\n    Ms. Schneck. Close enough.\n    Mr. Marino. Okay. What part did Homeland Security play in \nthis?\n    Ms. Schneck. So we provided technical insights. Our Office \nof Science and Technology holds our export controls portfolio, \nwhich includes Wassenaar. Where I sit, which is a different \ndirectorate, the national protection and programs directorate, \nprovided some technical advice. 
We\'ve had a challenge in \nfinding a way to adopt export controls in a way that supports, \nagain, our national security without affecting our homeland \nsecurity cybersecurity operations that I oversee and the \ntechnology----\n    Mr. Marino. Okay. Now, I heard Ms. Ganzer say that industry \nwas consulted, and I think Mr. Wolf said industry was \nconsulted. Is that true?\n    Mr. Wolf. Through the technical advisory committee process, \nyes, not through a proposed rule, which would have more broader \nindustry----\n    Mr. Marino. Okay. Did State do that, have that discussion \nwith industry? Then did Commerce have that discussion with \nindustry? And Homeland have that discussion with industry?\n    Mr. Wolf. No, it really wouldn\'t be State\'s process to do \nthat. That\'s really the role of the Commerce Department to use \nits advisory committees to get industry input and then feed \nthat out to the other departments.\n    Mr. Marino. Okay. Now, you talked about, what was it, 30-\nsome or 40-some other countries have already implemented this \nrule?\n    Ms. Ganzer. 31.\n    Mr. Marino. My question is, what weight is that going to \ncarry? You know, are these other countries going to have more \nweight in this? Do they have a bigger dog in this fight than \nour own homegrown U.S. companies?\n    Mr. Van Diepen. Congressman, I\'m not sure it necessarily \nends up being a weight issue. Again, we are going to have to \ndetermine----\n    Mr. Marino. Well, certainly, it\'s going to be a weight \nissue, because it involves jobs here in the United States. It \ninvolves security. It involves business in this country that \ncreate tens of thousands, hundreds of thousands of jobs. And \nthe point I\'m trying to get across is, I want enough attention \npaid to industry here in the United States than letting someone \nin Europe making the determination of how we\'re going to play \nfootball over here.\n    Mr. Van Diepen. Absolutely, Congressman. 
And what I was \ntrying to just say is the first instance will be, do we think \nwe can come up with a U.S. method of implementation of the \nWassenaar rule that is satisfactory? If that\'s the case, we \nhave the entire unilateral national discretion to implement it \nthat way, and no one else can gainsay us. So that would be a \nproblem.\n    Mr. Marino. Now, is this still an open, ongoing process?\n    Mr. Wolf. Absolutely.\n    Mr. Marino. And are you going to communicate with four \npeople at the end of the table here and others that I see in \nthe gallery here about what is the most efficient way to do \nthis and what is the best bang for the U.S.? Because I\'m tired \nof us taking a back seat with this administration and worrying \nabout what other countries want.\n    So are you giving us your word here that you are going to \ntalk with these people and not be disingenuous about the \nmeetings with these people, about what they need to continue to \nprovide jobs here in the U.S.?\n    Mr. Wolf. Well, a couple--absolutely. And a couple of \nthings. Unlike any other country, the U.S. Government went out \nand asked for industry comment through a proposed rule. No \nother government did that. We have had multiple open, public \nsessions with these attendees and many, many other countries to \novertly, deliberately, aggressively ask their views and \nexpertise. That process is going to continue over the course of \n2016----\n    Mr. Marino. Okay. I see my time has expired. I would like \nto see an emphasis put on what we need here in the United \nStates. And I trust that you will do that.\n    And I yield back. Thank you.\n    Mr. Ratcliffe. I thank the gentleman.\n    The chair now recognizes the gentleman from Virginia, Mr. \nConnolly.\n    Mr. Connolly. Thank you, Mr. Chairman. Welcome to a very \nlarge panel.\n    Mr. Wolf, I want to go back to the beginning to understand \nthe process. 
So the Wassenaar Arrangement involving 41 \ncountries, a lot of those members come to us saying, will you \nhelp? We think we need some kind of export control over \ncybersecurity countermeasures. Is that correct?\n    Mr. Wolf. That is correct, as part of the Wassenaar \ndiscussions.\n    Mr. Connolly. Right. Right. Normally, the Wassenaar \nArrangement involves things, right, defense, goods, and \nproducts?\n    Mr. Wolf. Well, it involves physical things, commodities, \nboth dual-use and military, but it also involves software for \nthose things and technology for those things.\n    Mr. Connolly. Right. Okay. All right. Would you not agree \nthat, in the terms or--in the context of export controls, \ncontrolling things, widgets, is easier than controlling thought \nprocesses and methods?\n    Mr. Wolf. Yes.\n    Mr. Connolly. Yes. So different challenge, what we\'re being \nasked to do. So you take that--not you, collectively, take that \nrequest, come up with something that helps us, because we\'re \nworried, your partners in Wassenaar are worried, and you come \nup with a draft rule. Is that correct?\n    Mr. Wolf. Correct.\n    Mr. Connolly. You submit that rule to public comment, \nincluding industry comment. Is that correct?\n    Mr. Wolf. Well, normally, not. Normally with Wassenaar, we \nrely----\n    Mr. Connolly. No. No. I was not asking that question. You \ndid?\n    Mr. Wolf. Oh, yes, absolutely.\n    Mr. Connolly. I\'m just trying to get the sequence.\n    Mr. Wolf. Okay.\n    Mr. Connolly. So let me ask the question. Why wouldn\'t--\nbecause you had to pull the rule. So why wouldn\'t we have \nreversed that sequence and sought industry\'s input before we \nactually issued a draft rule?\n    Mr. Wolf. 
At the time of the administration\'s agreement \nwith the proposed rule, or the control within Wassenaar, our \nunderstanding and the understanding of our industry advisory \ngroups was that the scope of the control was quite narrow and \nonly would affect a very small number of products.\n    So there was no need to do that, or something along those \nlines. It was only after the fact, as we began to learn more \nand see how other people read exactly the same words that we \nhad read in 2013, that you can come to other very reasonable \nconclusions about the broad--the breadth and the scope and the \nimpact of the control.\n    Mr. Connolly. Right. And to your credit, you pulled them?\n    Mr. Wolf. Yes.\n    Mr. Connolly. But I guess I\'m a little concerned about the \nprocess moving forward, because, okay, this time, we spared \nourselves either an embarrassment or a significant, you know, \nproblem. But I\'m--I\'m looking at something you said, Ms. \nMcGuire. You were talking about the licensing requirement of \nthe rule. And you said, asking a multinational corporation, who \nis at risk of a cyber attack, to wait months for a license, to \nbe able to test its network defenses, or to receive the latest \nprotections because security providers are hampered from \ncommunicating across borders is downright dangerous.\n    Do you want to comment on that in terms of the process? \nAgain, I fully commend, you know, the executive branch for \nseeing an error and pulling it. We don\'t always do that. Good \nwork. But I\'m still worried, though, that maybe the process \ncould have been perfected so that we could have avoided even \nthat. Your comment.\n    Ms. McGuire. So, thank you for the question. And I think \nthe process piece of this is--is critically important. And \nwhile the technical advisory groups within the Department of \nCommerce were consulted on this issue, no cybersecurity \nindustry was consulted on this issue. 
There were none that were \nsitting on the advisory groups, to our knowledge, at the time.\n    Mr. Connolly. Another problem with the process.\n    Ms. McGuire. In addition, the advisory committee, our \nunderstanding was that the language that was part of the \noriginal proposal that the advisory committees saw was not the \nlanguage that ultimately was adopted at Wassenaar.\n    So while they may have--they may have said, we don\'t think \nthere\'s going to be a lot of problems, what ultimately became \nenacted was not what was put in front of them.\n    Mr. Connolly. That\'s why I suggested--I mean, I\'ve always \nbeen a skeptic about export controls, frankly. I mean, maybe \ngood intentions, but we don\'t live in that kind of world \nanymore. And trying to actually contain knowledge, very \ndifficult to do.\n    I know, Mr. Mulholland--are we Irish?\n    Mr. Mulholland. I am, sir.\n    Mr. Connolly. God bless him. Let\'s give him an extra--give \nhim an extra little bit of time here.\n    Mr. Ratcliffe. I am Irish, too. You get all the time you \nwant.\n    Mr. Mulholland. We\'ll take it.\n    Mr. Connolly. And let\'s call it Irish fairness, right?\n    Mr. Mulholland. I just want to join your point about \nthings. So I used to be in the military, and actually was \nsubject to a predecessor of the Wassenaar inspection and some \nRussian officers turned up and said, we have a list here that \nsays you have 36 missile launchers. And so we dutifully took \nthem through into our hangars, they pointed to 36, and life was \ngood.\n    The thing that we\'re trying to control today is this. And \nthis is actually--Ms. Schneck mentioned partly. This is the \ncode for the Heartbleed security vulnerability. I\'ve blown it \nup for the sake of illustration, but it\'s actually 40 lines of \ncode. If I want to proliferate that, I take it around the \ncorner, and I photocopy it, or I email it, or I post it on the \nInternet. 
To your point about trying to control knowledge, \nwe\'re trying to use, and, frankly, in my view, the wrong tool \nto control this. We\'re trying to take a physical construct \nthat\'s worked pretty well for 20-odd years, and we\'re trying to \ndrop it into the digital world. And, frankly, my view is that \nthat simply does not work.\n    Mr. Connolly. I couldn\'t agree with you more.\n    Mr. Chairman, and I hope the Congress, on a bipartisan \nbasis, will use this and other forums, Mr. Chairman, to explore \na radical rethinking of what\'s in place right now. And it\'s all \nwell-intentioned, but I just think we\'re in a new world. And I \nthink we spend a lot of time, and industry is asked to spend a \nlot of time and money trying to comply with something that is \nnot efficacious any longer.\n    I thank the chair.\n    Mr. Ratcliffe. I thank the gentleman from Virginia for his \nquestions and his comments.\n    The chair now recognizes the gentleman from North Carolina, \nMr. Walker.\n    Mr. Walker. Thank you, Mr. Chairman.\n    I appreciate the panel being out today for an extended \nwitness time, but we do appreciate all of you being here, as \nwell as staff.\n    Recently completing my first year in the House, it has \nopened my eyes to the problems that we have specifically in the \ncybersecurity arena. Also serving on the Department--or the \nCommittee on Homeland Security, as well as the co-chair of the \ncloud caucus, has really sent me studying this issue and should \ncause us all great concern.\n    Congress recently passed the cybersecurity legislation \ndesigned to facilitate the efficient and effective sharing of \ncyber threat data and indicators between the private and the \npublic sectors.\n    Ms. Schneck, the DHS has a big role to play in that \nprocess. The question for you is how would the proposed Bureau \nof Industry and Security rule, as drafted, impact that sharing?\n    Ms. Schneck. So, thank you for your question. 
I would defer \na lot of the legal around that to my colleagues from Commerce \nand State, but I\'ll give you a technical explanation. So the \ngreat legislation that you gave us enabled our operation \ncenter, the National Cybersecurity and Communications \nIntegration Center, the NCCIC, to be the Center of Threat \nIndicator Collections with all the best use of privacy and \ncivil liberties to get it right. But to get the cyber \nindicators together so that we can create a good contextual \npicture and push that information out to our, both public and \nprivate partners, and enable them to use that information.\n    This is real time. This is machine to machine. And one of \nthe worries that we\'re hearing from private sector and others \nis that this proposed rule would, in some cases, hamper the \nreal-time sharing of information.\n    Mr. Walker. Okay. Let me follow up with you. If you need to \ndefer, that\'s fine. I don\'t know, is there a limit on defers \nbefore you would have to buy somebody dinner, or drink? I don\'t \nknow. We\'ll see. How would the proposed rule impact \ncybersecurity generally for U.S. companies? Frequent questions \nwrapped in one. What about critical infrastructure, government \nagencies? Isn\'t the rule going to put them at risk at some \npoint?\n    Ms. Schneck. Is that for me?\n    Mr. Walker. Yes, it is, unless you need to defer.\n    Ms. Schneck. So our responsibility is to protect all of \nthat, the critical infrastructure, and then the Federal \ncivilian government, and the private industry to include \nacademia, State and local. We also share among 300--at least \n300 other governments\' cyber information.\n    As a scientist, I\'ll give you an operational discussion. 
\nAnd that is that the best cybersecurity protection we can \nprovide is to understand the most quickly what\'s happening and \nmake sure that when a cyber actor, this is exactly what an \nintrusion is, tries to execute their instruction on a machine \nthey don\'t own, that machine knows, A, not to execute it, or, \nB, that it\'s happening so it can tell everybody else about it \nand not sustain an injury.\n    Mr. Walker. Okay.\n    Ms. Schneck. The ability, or the thought that that would \nget delayed in any of the ways mentioned today is detrimental \nto our cybersecurity.\n    Mr. Walker. Thank you for the----\n    Mr. Wolf, did you want to add anything to that?\n    Mr. Wolf. No. But these are exactly points that--I guess, \nyes. These are exactly the points that were raised \noverwhelmingly in the comments, which is why we\'re here and why \nwe are continuing through the interagency process to try to \ncome up with a solution to address that very concern.\n    Mr. Walker. That\'s fair.\n    Ms. Goodwin, I believe that technology is a tool I think \nmost of us would agree, tool is a--technology is a tool that \ncould be used for good or bad. In other words, it\'s not \ninherently one direction or the other. I think that\'s a pretty \nsimple concept, but the behavior is.\n    I\'m intrigued by the idea that under Wassenaar, we are \nchoosing to focus on the exporters of software tools instead of \nlooking at the actual users of those tools and how those tools \nare utilized.\n    Question for you: Do you think that, perhaps, we should be \nlooking at a cybersecurity regulatory regime that focused on \nthe users?\n    Ms. Goodwin. We certainly need to be exploring the \nquestions in a public-private partnership. The challenge of how \ndo you deter criminal behavior? How you deter the bad effects \nof using surveillance software against those that we\'re trying \nto protect here? How do you stop a criminal from committing a \ncriminal act? That\'s a challenge. 
But the reality is that 80--\n81 percent of the security companies in the world are here in \nthe United States.\n    So regardless of the effect that it\'s maybe having outside \nof the United States, it\'s going to have a larger effect inside \nthe United States. So we have to think about where the right \nplace to regulate is, the use of the software, the intent of \nthe criminal.\n    Mr. Walker. Right. And if it is 80 percent, the technology \nis kind of interfused where it\'s hard to even separate from one \ncountry doing business with the other. And I hope--and I\'ll \nyield back with the rest of my time--the international \ncommunity can influence or encourage this positive, and \nhopefully beneficial behavior.\n    Thank you, Mr. Chairman. I yield back.\n    Mr. Ratcliffe. I thank the gentleman.\n    The chair now recognizes the gentleman from Rhode Island, \nMr. Langevin.\n    Mr. Langevin. Thank you, Mr. Chairman. Before I begin my \nquestions, if I could, I would like to submit my original \ncomments to Department of Commerce, the rule and the concerns \nthat I have.\n    Mr. Ratcliffe. Without objection.\n    Mr. Langevin. Thank you, Mr. Chairman.\n    First of all, I want to, again, thank you, Secretary Wolf, \nat the Department of Commerce and BIS for bending over \nbackwards to listen to concerns that have been raised here, and \nin other areas with respect to this rule. You\'ve been very \nhelpful and responsive to those concerns.\n    Ms. Ganzer and Secretary Van Diepen, I hope it\'s very clear \nthat you\'ve hit a wall with respect to the way this was \nnegotiated, what was negotiated, and there\'s pretty broad \nopposition going forward. So we are hoping that you are going \nto take that message and go back and get this right, probably \nby having to renegotiate.\n    So is that a fair statement? You understand that we have \nbroad opposition here?\n    Mr. Van Diepen. I certainly understand your statement, \nCongressman. 
Again, I think our responsibility is to work hard \nand find the best solution that both gives us some ability to \naddress the security concerns we\'re trying to address while \navoiding these unintended consequences.\n    Mr. Langevin. So with respect to criteria for the selection \nof dual-use items, dual-use goods and technologies to be \ncontrolled are those which are major or are key elements for \nthe indigenous development, production, use, or enhancement of \nmilitary capabilities. For selection purposes, the dual-use \nitems should also be evaluated against the following criteria: \nForeign availability outside participating states; next, ability \nto control effectively with the export of the goods; next, the \nability to make a clear and objective specification of the \nitem; and, last, control by another regime.\n    So to Ms. Ganzer and Secretary Van Diepen, with respect to \nclear and objective specification of the items, given the \ndiversity of implementation we\'ve seen in participating States, \nis the definition clear at the moment?\n    Furthermore, the director of DARPA has stated that, and I \nquote, ``From a technology perspective, defense and offenses \nare indistinguishable,\'\' a view echoed by the State \nDepartment\'s own defense trade advisory group. Doesn\'t this \npreclude objective specification?\n    Mr. Van Diepen. I don\'t believe so, Congressman. Everything \non the Wassenaar dual-use list, as well as most of the things \nin category 2, the missile technology and control regime annex, \nthe entire nuclear suppliers\' group dual-use list, and the \nentire Australia group\'s chemical biological list are dual-use \nitems. These are things that, again, can inherently be used, \nboth for good purposes and bad purposes.\n    And these have always included not only physical items, but \nsoftware of various types. 
So there\'s a long experience in \nmultilateral export controls of being able to properly specify \nand properly control dual-use things, including dual-use \nsoftware. And so, I--again, I think that, you know, our \nresponsibility is to do our best to see if we can appropriately \napply that expertise in this instance.\n    Mr. Langevin. Okay. I would have some concerns with that \nanswer, but let me go next.\n    With respect to foreign availability, do you believe that \nintrusion software tools are not available and could not be \ndeveloped in non-Wassenaar participating states like Singapore \nor China, which are home to four of the top 20 engineering and \ntechnology universities in the world according to QS rankings?\n    Mr. Van Diepen. Congressman, I think the genesis of your \nstatement comes from the factors for consideration that \nWassenaar uses in judging items. And these are factors for \nconsideration. It\'s not a checklist that every item must \nabsolutely fulfill each and every one of the things. But we \nhave to look at each of those things and decide whether the \nbenefits of the control outweigh the--the costs or the \ndifficulties of the control.\n    So, for example, in the Australia group, we\'re controlling \nbiological pathogens, many of which you can dig out of your own \nbackyard. So there\'s ubiquitous foreign availability, but it\'s \nbelieved, and we\'ve got a very solid track record, that it\'s \nbeen very advantageous to U.S. security to be able to maintain \nexport controls on those items multilaterally with our \npartners.\n    Mr. Langevin. And with respect to ability to effectively \ncontrol export, do you believe that our regime has the \ncapability to stop transfer of the goods or associated \ntechnology given that software can be sent across the globe \nwithout passing through a port of entry or other border \ncheckpoint?\n    Mr. Van Diepen. 
And, again, for over 25 years, we\'ve \ncontrolled, multilaterally, a whole host of different types of \nsoftware. And even recognizing the inherent challenges of \nsoftware export controls, it has been felt that we\'ve been able \nto craft controls where the benefits outweigh the costs. And, \nagain, I would also point to the biological case, where, again, \nyou\'re talking about individual cells. If you have two of them, \nthey can self-replicate, so it\'s not all that different from \ncyber export controls, and yet, again, it has been felt that it \nhas been advantageous for us to have those types of export \ncontrols.\n    Mr. Langevin. Mr. Secretary, my time has expired, but I \nhave to say, I respectfully disagree with each one of your \nanswers. This is a checklist against which we should be--we \nshould be evaluating on the states\' value, and I think you\'ve \ndrawn the wrong conclusions. But my time has expired, and I\'ll \nyield back.\n    Mr. Ratcliffe. I thank the gentleman.\n    The chair now recognizes the gentleman from Florida, Mr. \nClawson.\n    Mr. Clawson. I appreciate y\'all coming. I am just going to \nmake one comment, and then I will yield to Congressman Hurd, if \nthat\'s okay.\n    First of all, when I looked at the participating countries, \nI don\'t see a lot of Asian competitors there. And I know what I \nwould think if I was in private business, y\'all. So you were \nnot talking about the obvious. 
But I had a lot of competition \ncoming from my--from Asia and India, and we can\'t be playing a \ndifferent game than them, or we will lose.\n    So I understand the need to protect the homeland, but \nthere\'s something obviously wrong with this list if you\'re \ngoing to--if you were trying to influence me to join up, and I \nsaw that list, after my technology had already been stolen a \nhalf dozen times, it would be a tough, tough, sell.\n    Number two, with my facilities around the world, which we \nhave, which I had, customers--you know, customers and \nfacilities all on these lists, the foreign corrupt practice \nlaws and everything, I don\'t even know how to do this. I \nwouldn\'t know how to implement it. It just feels, like, it hits \nme like a freight train here.\n    And so--and, look, I spent a lot of time doing this. So, \nyou know, there\'s got to be--you would have to put it in terms. \nI spent, you know, yesterday and today trying to think about \nthese things and think to myself and my own business model, how \nwould I do this? And I never really got there. How can I \ncompete, take care of my customers, take care of my \ncompetitors, and my suppliers across all these different \nborders, and not break the law and keep my country safe? So if \ny\'all are going to do that to sitting CEOs, I recommend that \nyou simplify it so we can understand how we get to do all those \nthings at the same time, because I spent a whole life doing it, \nand I ain\'t getting there just yet.\n    I yield back to Mr. Hurd.\n    Mr. Hurd. I thank my colleague from Florida.\n    This is a lightning round, y\'all. We have a lot more \nquestions to get through, and we have to get to votes.\n    Number one, I always like to start these off by saying \nsomething positive. Mr. Wolf, you and the Department of \nCommerce, great job in recognizing the problems and pulling \nback the rule. 
And as you\'ve alluded to, that doesn\'t happen \nthat often, and that should be commended. And I\'m hearing you \nright, is the technical advisory committees open to--for people \nto join?\n    Mr. Wolf. Absolutely. We\'re always looking for new \nvolunteers.\n    Mr. Hurd. Do you have one on cybersecurity?\n    Mr. Wolf. We do. We did then, and we have more now.\n    Mr. Hurd. Okay.\n    Mr. Garfield, are you willing to help populate the \ncommittee?\n    Mr. Garfield. Absolutely.\n    Mr. Hurd. Are there other folks on this panel willing \nto send someone to that committee?\n    Voice. Yes.\n    Mr. Hurd. Mr. Wolf, are you willing to take their input \ninto thinking about what the best next action is?\n    Mr. Wolf. Absolutely, whether it\'s as a TAC member or just \na member of the public, both.\n    Mr. Hurd. What is the best next action? Are you going to \nleave here, you are going to say, that was a really long \nhearing, a lot of panelists, Congressman Ratcliffe was very \ninsightful with his questions, and then--and then what happens?\n    Mr. Wolf. Well, we\'ll continue discussing among the \nagencies, bring in not just the usual export control people, \nbut those with expertise----\n    Mr. Hurd. What forum? When is a decision going to be made \nabout whether another proposed rule is going to be done, or you \ngo back to Wassenaar?\n    Mr. Wolf. Well, anything--everything is on the table, \nwhether to go back to Wassenaar, another proposed rule with \nedits and clarifications or interpretations or carve out or \nexceptions.\n    Mr. Hurd. Who makes that decision?\n    Mr. Wolf. Well, ultimately, it depends upon the consensus \nof the agencies involved in the process, Commerce, State, and \nDefense. And then as the one responsible for the rule, I have \nthe final say in terms of signing the rule out. 
And so the \ngoal, over however many weeks or months we have to work on \nthis, is to see if we can address all of the very legitimate \nconcerns that have been raised today, and then the comments \nthat you all have raised to come up with something that----\n    Mr. Hurd. Copied. Thank you.\n    Mr. Van Diepen, why do you care more about what the other \n31 countries are implementing than the people on this panel and \nthe members of Mr. Garfield\'s organizations?\n    Mr. Van Diepen. Respectfully, sir, that does not correctly \ncharacterize my views. I care very much. I am a United States \nGovernment employee. I care about what the United States----\n    Mr. Hurd. What do you think you are going to learn from the \nother 31 countries that have already implemented this rule?\n    Mr. Van Diepen. The kinds of issues that have been raised \nhere are generic. They don\'t uniquely affect the United States. \nAnd so to find out how other countries----\n    Mr. Hurd. So how many of those countries that have \nimplemented that rule have the same cybercrime laws that the \nU.S. has?\n    Mr. Van Diepen. Unclear, and it\'s not clear----\n    Mr. Hurd. How many of those countries have the same robust \necology of companies that focus on cybersecurity and \npractitioners of cybersecurity? I know the answer to this one, \nby the way, but I want to see if you know.\n    Mr. Van Diepen. Well, I think, irrespective of the answer \nto that, all those countries are customers of these people, and \ninformation would have to go through----\n    Mr. Hurd. The answer is zero.\n    Mr. Van Diepen. --and they would have to be licensed----\n    Mr. Hurd. Mr. Van Diepen, the answer is zero. You have a \nwealth of experience and capabilities here, and they are going \nto be the ones that tell you how this is going to ultimately \nbe--should be--it\'s going to be impacted by this industry.\n    Mr. Van Diepen. Which is exactly why we are consulting with \nthem.\n    Mr. Hurd. 
We are the ones that are protecting the rest of--\nthe rest of--we have to protect ourselves, and we are \nprotecting the rest of the world\'s.\n    Ms. Ganzer, you are in the chair.\n    Ms. Ganzer. Yes.\n    Mr. Hurd. If you were in the chair again in 2013, how would \nyou--how would this have gone differently?\n    Ms. Ganzer. If I had the information I had today, clearly, \nwe would have probably renegotiated this differently. But given \nthe information I had then, I would have made the same \ndecisions.\n    Mr. Hurd. When is the next time you are sitting in the \nchair? February?\n    Ms. Ganzer. The Wassenaar Arrangement works on an annual \ncycle where final decisions are not made until December, but \nproposals are due in--in March and are debated throughout the \nyear.\n    Mr. Hurd. Have you done an industry guidance on this \nforensics rule that has been brought up? Is there not a rule on \nforensics?\n    Ms. Ganzer. We don\'t have one under discussion right now. \nI\'m not aware of one. If we agree to one that we are working to \nimplement, I would have to--I would have to take that question \nback. I don\'t know, sir.\n    Mr. Hurd. Mr. Wolf?\n    Mr. Wolf. Well, the topic is of general discussion, but \nthere isn\'t anything specific on the table to be able to \nrespond to, no.\n    Mr. Hurd. So the general topic of forensics, forensics \ntools, for use on understanding a person\'s network is going to \nbe up for general discussion at Wassenaar at the next \nconversation?\n    Mr. Wolf. Perhaps. I don\'t know what some other country \nmight bring up, but it\'s not something that we have right now \nunder discussion.\n    Mr. Hurd. If this does come up, I would suggest you reach \nout to industry first and before you have to figure out what \nyour left and right bound is for negotiation.\n    I yield back the time that I do not have.\n    Thank you very much, Mr. Chairman.\n    Mr. Ratcliffe. 
I thank the gentleman.\n    The chair recognizes my friend and colleague from Texas, \nSheila Jackson Lee.\n    Ms. Jackson Lee. Thank you so very much. We have a vote on \nthe floor of the House, but I indicated that this was so \nimportant and provocative, I\'m going to try to be as quickly as \nI can. And be as successful as the onside kick was last \nevening.\n    But let me try to get to the government. Mr. Wolf and our \ntwo distinguished State Department representatives, you have \nhad a series of questions by members. Can I get a yes-or-no \nanswer that you are going back to the drawing board? We know \nthat there is an agreement that\'s going to be coming forward, \nsuggestions and ideas, to give us an opportunity to go back to \nthis issue again, Ms. Ganzer. But am I sensing that you \nunderstand that there needs to be a regulatory revisit on these \nissues?\n    Mr. Wolf, yes or no, please?\n    Mr. Wolf. Yes.\n    Ms. Jackson Lee. Ms. Ganzer?\n    Ms. Ganzer. Absolutely.\n    Ms. Jackson Lee. Mr. Van Diepen?\n    Mr. Van Diepen. On the rule, yes, ma\'am.\n    Ms. Jackson Lee. All right. Let me--and we have \nopportunities for the agreement itself coming--going forward. \nBut let me--let me try to pointedly get back to our experts \nhere and say, this reminds me of the DMCA, which Congress did \npass, but negatively impacted encryption research. And \ninterestingly enough, all of us are talking about encryption \nnow.\n    So I want to get to the point of saying where we are in \nterms of impacting you and the new partnerships. The President \njust had meetings with those in Silicon Valley. We know that we \nare intertwined together.\n    May I start with Mr. Garfield to find out from you how much \nthis will impact negatively research, and getting to the \nsolutions of what we are interested in as you represent your \nvast number of participants?\n    Mr. Garfield?\n    Mr. Garfield. I\'ll be brief. It will impact significantly. 
\nAnd part of the frustration with the current course of the \ndiscussions is rather than recognizing that the issue at play \nhere is not just the regulation of software, but the need for \nreal-time reaction in response to cybersecurity, we\'re thinking \nabout this as simply something we have faced before.\n    That\'s why we need to think beyond the box of export \ncontrol and really start over.\n    Ms. Jackson Lee. Well, and I don\'t necessarily like it for \nstarting over, but I like it for the forthright way that you\'re \nsaying that we have an issue that needs serious attention.\n    Let me just go quickly to Ms. Goodwin and Mr. Mulholland. \nAnd, Mr. Mulholland, I think it was you that said, all options \nare on the table. I have introduced H.R. 85, Terrorism \nPrevention and Critical Infrastructure and Protection Act, \nwhich deals with identifying threats, isolating damaging \nactivities, but really, wants to work with industry on these \nelements. But if I can just get you to answer the question. As \nI said, I\'m speaking fast only because my colleagues are here \nand we are voting. But to get to the point of what the impact \nwould be if we do not fix it. And Mr. Mulholland as well, and I \nthink we have Ms. McGuire there as well. And let me thank Dr. \nSchneck very much for the work she\'s done with us in Homeland \nSecurity.\n    Ms. Goodwin.\n    Ms. Goodwin. Ms. Jackson Lee, we get over 1,000 \nvulnerability reports that come into Microsoft every year, and \nthose need to be triaged. We need to work them with the finders \nfrom around the world and with our teams internally, and those \ninternal teams sit all around the world. So we can be looking \nat 1,000 vulnerabilities times three, four, five export \nlicenses just to triage vulnerabilities. That\'s not talking \nmalware; that\'s not talking about new tools or new issues. 
\nThat\'s just to be able to do our daily work.\n    And so that would, from what we understand, eclipse the \ntotal volume of licenses that the Department of Commerce \ngrants.\n    Ms. Jackson Lee. That would not work.\n    Mr. Mulholland.\n    Mr. Mulholland. So I will echo the points that Ms. Goodwin \nmade. We have a similar situation. But let me take a different \nangle. Security research is not going to stop. There are--Siri \ntold me there are 206 countries in the world. There\'s 41 in \nWassenaar. My math tells me that\'s 165 countries that are not \nin Wassenaar, perhaps two-thirds of software developers in the \nworld. Software security research will continue, but it will \nhappen in three different ways.\n    Mr. Mulholland. Either security researchers will finally \njust give up, it\'s just too hard. That\'s not good for us. They \nwill publish the information on the Internet because there is a \ncarve-out, from my understanding, that if the information is \nmade public on the Internet, effectively open-sourced, then it \ndoes not require a license. That doesn\'t help me because the \nbad guys have just found out about the issue at the same time I \nhave. That\'s not good for us. It\'s not good for U.S. companies. \nOr the third one, which, frankly, 20 years of working in this \nindustry and the cynicism that can develop with that, these \nexploits will, frankly, end up on the black market. And there \nwill be cottage industries developing in some of the countries \nthat have been mentioned that will spring up. And these \noppressive regimes, the only impact that they will find is that \nthey will have to spend more money because they will be going \nto the highest bidder----\n    Ms. Jackson Lee. Thank you. I want to get Ms. McGuire. And \nI\'m going to let Dr. Schneck, Ms. Schneck, just finish, that \nHomeland Security is committed to working, too. Ms. McGuire, in \nthis brief moment.\n    Ms. McGuire. 
I will just echo that the rule as proposed \nhere in the United States will not do anything to deter the \navailability of these tools. And I will just finish by saying \nat the end of the day, the underlying language in the Wassenaar \nArrangement on cybersecurity is flawed and must be \nrenegotiated.\n    Ms. Jackson Lee. Thank you. Ms. Schneck, Homeland \nSecurity----\n    Ms. Schneck. Bottom line, we have to, together as \ninteragency, with all of our industry partners and any input we \ncan possibly get absolutely revisit this proposed rule.\n    Ms. Jackson Lee. Let me thank the chairman and Ms. Kelly so \nvery much for your kindness. And may I ask unanimous consent, \nMr. Chairman, thank the witnesses, to submit into the record \nfrom the Internet Association a letter dated January 12, 2016.\n    Mr. Ratcliffe. Without objection.\n    Ms. Jackson Lee. Thank you so very much, Mr. Chairman.\n    Mr. Ratcliffe. I thank the witnesses for their testimony. I \ncan pretty much assure you that at least some members will have \nsome additional questions for the witnesses. And we will ask \nyou to respond to those in writing. The hearing record will be \nopen for 10 days. Without objection, the subcommittees stand \nadjourned. Thank you.\n    [Whereupon, at 4:27 p.m., the subcommittee was adjourned.]\n\n                                APPENDIX\n\n                              ----------                              \n\n\n               Material Submitted for the Hearing Record\n               \n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n                                 [all]\n</pre></body></html>\n'