The export of these tools and instructions for using them is new enough that industry and government are still struggling to define a threshold that ensures that U.S. firms remain competitive in the global market, that allies can defend themselves and that the skills and technology do not wind up in the wrong hands.
U.S. officials note that they can regulate only U.S. companies. “There’s a lot more to be worried about when it comes to firms, organized crime, and others outside the United States who may recognize there are certain countries and organizations willing to pay quite a lot of money” for destructive malware and other cyber-capabilities, said a senior U.S. defense official who was not authorized to speak on the record. “That is extremely worrisome.”
But helping friendly countries boost their cyberdefenses against a common foe is desirable to many in and out of the U.S. government.
“Every modern country in the world is creating some sort of offensive or defensive cyber-capability either in its military or intelligence service,” said Richard A. Clarke, a former senior U.S. counterterrorism official whose firm Good Harbor provides cybersecurity advice but does not currently work for any foreign government in that area. “It’s getting to be the norm.”
Benjamin A. Powell, a former national security official, said the uncertainty of the new terrain means companies are treading carefully. “It’s a sensitive thing for a company to go down the path of training for offense, even with approval,” said Powell, a partner at the WilmerHale law firm who advises companies on export controls. “You’re closer to the pointy end of the spear.”
One challenge is that technology is evolving so quickly that it is difficult for the rules to keep up. Another is that the field is so new that many companies, especially smaller ones, may not always know what is required.
“There’s not a lot of convention and structure around this,” Powell said.
Under State Department export-control rules, U.S. companies need a license to train foreign governments in cyber-capabilities for a national security purpose. License applications are reviewed by the Pentagon’s Defense Technology Security Administration. The National Security Agency, which conducts electronic surveillance on foreign intelligence targets overseas, may also be consulted.
The State Department declined to say how many licenses have been issued. But one company, CyberPoint of Baltimore, was granted a license to provide advice on cyberdefense and policy to the United Arab Emirates. In September, the UAE established the National Electronic Security Authority to protect its computers against cyberthreats. CyberPoint declined to talk about the UAE license, but industry officials said its work is defensive, not operational.