Internet Architecture Board


IAB Correspondence to U.S. Bureau of Industry and Security, re RIN 0694-AG49

Home»Documents»IAB Correspondence, Reports, and Selected Documents»2015»IAB Correspondence to U.S. Bureau of Industry and Security, re RIN 0694-AG49

On 24 June 2015, the IAB sent correspondence to the United States Department of Commerce, Bureau of Industry and Security, in regards to a Proposed Rule on Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items. The text of that correspondence is as follows:

Subject: RIN 0694-AG49

The Internet Architecture Board would like to draw the attention of the Industry and Security Bureau to the IAB’s recent Statement on the Trade in Security Technologies.  The statement can be found here: and it is reprinted below for your convenience.

The IAB believes that the principles embodied in this statement are consistent with those given by the U.S. State department’s Secretary Kerry, such as “An Open and Secure Internet: We must have both” <> as well as those consistently put forward by Coordinator Chris Painter of the State Department Office of the Coordinator for Cyber Issues.

We thank you for the opportunity to comment,

Andrew Sullivan
Chair, IAB

IAB Statement on the Trade in Security Technologies

12 June 2015

The Internet Architecture Board is deeply sympathetic with the desire
to enhance the security of Internet protocols, infrastructure, and
Internet-connected systems. We believe, however, that efforts to
enhance Internet security must proceed from a thorough knowledge of
the threats against the network, its protocols, and the systems
attached to it. Efforts to limit the export or transfer of Internet
security technologies seem likely to limit that knowledge in ways that
ultimately will frustrate the general goal of a secure and stable

The identification of vulnerabilities is a fundamental part of
security practice. Restrictions on systems which perform that function
will make it substantially more difficult for those performing that
function to design and deploy secure systems.

Traffic analysis systems, though they may be used in other ways, are a
similarly crucial part of the methods used to identify attacks and to
analyze the success of remediations put in place. The Internet is a
deeply interconnected set of networks that spans international
borders, and attacks may occur in one part of the Internet that have
extensive ramifications for the operation of the whole. Limiting
traffic analysis technologies to specific territories seems likely to
hinder efforts to detect and thwart both active threats and other
network issues.

We note that in 1996 the IAB and Internet Engineering Steering Group
(IESG) jointly published RFC 1984, with the following comments on a
similar matter, the export of encryption technology:

Export controls on encryption place companies in that country at a
competitive disadvantage. Their competitors from countries without
export restrictions can sell systems whose only design constraint is
being secure, and easy to use.

Usage controls on encryption will also place companies in that country
at a competitive disadvantage because these companies cannot securely
and easily engage in electronic commerce.

Export controls and usage controls are slowing the deployment of
security at the same time as the Internet is exponentially increasing
in size and attackers are increasing in sophistication. This puts
users in a dangerous position as they are forced to rely on insecure
electronic communication.

We believe the same points to be fundamentally true for the export of
traffic analysis, penetration testing, and similar security

While it may appear possible to narrowly circumscribe restrictions so
that they target technologies that serve no possible purpose but
attack, any modular system, including those intended solely for
research, will like have some elements that, divorced from the system,
would serve no other purpose. Efforts to target such systems will thus
likely sweep up many other security technologies. We therefore
recommend that export restrictions on security technologies be
generally avoided.