On October 21, 2021, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS), published new export controls on certain cybersecurity items that ban the export or resale of hacking tools to authoritarian regimes, and it created a new license exception for those items. The new regulations aim at tightening export controls on cybersecurity tools, including intrusion software, Internet Protocol (IP) network communications surveillance, and related technology that could be used by threat actors to conduct malicious cyber activities and surveillance. BIS is requesting public comments until December 6, 2021, for potential revision before the interim final rule takes effect on January 19, 2022.
BIS contends that these controls are narrowly drawn, focusing on specific cyber-intrusion and network surveillance equipment, software and technology, and, when combined with the new license exception, that they should have limited impact. The rule adopts cybersecurity controls previously agreed to at the multilateral Wassenaar Arrangement, bringing U.S. controls into alignment with those already adopted by the EU and other jurisdictions. However, network infrastructure manufacturers, cybersecurity software and service providers, IT forensics firms, bug bounty programs, and those engaged in vulnerability testing and research may feel the impact of the rule. Further, exports to national security concern countries such as China and Russia will be highly restricted, and companies dealing with Cypress, Israel and Taiwan will have to navigate new restrictions, notwithstanding those countries’ stronger relationships with the U.S.
This rulemaking provides an opportunity for companies engaged in cybersecurity activities to evaluate whether the controls are indeed narrow enough to exclude their legitimate routine business activities, and to provide comments to BIS on any unintended consequences of these controls.
These new cybersecurity export controls close the loop on a proposed rule, issued by BIS in 2015, to implement multilateral controls agreed to by the Wassenaar Arrangement in 2013. After issuing the proposed rule, BIS received overwhelming feedback from industry, including hundreds of public comments on the record, criticizing the effort as having severe negative unintended consequences on legitimate cross-border cybersecurity work. General themes from the criticism included that the controls were overly broad in the defined scope of tools and technologies, that they imposed a cumbersome export licensing requirement that would impede the work of white-hat hackers and bug bounty program participants, and that the restrictions on the development of intrusion software would inhibit international cybersecurity research.
BIS renegotiated the controls at Wassenaar to address these concerns, leading to the multilateral adoption of revised controls in 2017. This new interim final rule from BIS implements that most recent version.
Overview of New Cybersecurity Controls
BIS is establishing new controls on certain cybersecurity items for National Security (NS) and Anti-terrorism (AT) reasons, through the creation of new export control classification numbers (ECCNs) on the Commerce Control List (CCL) and definitions in the Export Administration Regulations (EAR). Additionally, BIS is creating a new license exception for Authorized Cybersecurity Exports (ACE), authorizing export transactions involving these newly controlled items to most destinations while restricting exports to a national security concern group of countries.
A high-level summary of the new controls is provided below. We are happy to speak with companies in more detail about nuances that might impact their businesses:
New License Exception ACE
BIS is also establishing a new License Exception Authorized Cybersecurity Exports at § 740.22 of the EAR. This is an evident response to the industry criticism in 2015, as BIS stated its intention behind ACE is to “avoid impeding legitimate cybersecurity research and incident response activities.” The exception begins with definitions of the following terms, for specific use within the context of the ACE exception: “cybersecurity items,” “digital artifacts,” “favorable treatment cybersecurity end user” and “government end user.”
Note that similar terms are used elsewhere with different meaning in the EAR. For example, License Exception GOV at § 740.11 of the EAR for exports to government end users and License Exception ENC at § 740.17 of the EAR for encryption exports both define the concept of a government end user differently. License Exception ACE takes a broader view of that term, covering traditional governmental functions, as well as government operated research institutions, entities and individuals who are acting on behalf of a government, and private sector entities such as retail or wholesale firms engaged in the manufacture, distribution or provision of defense articles or services.
As explained by BIS, License Exception ACE allows the export, reexport and transfer (in country) of cybersecurity items to most destinations, except to regions subject to trade embargoes. The exception also takes a restrictive approach to national security concern countries such as China and Russia. In particular, ACE does not authorize exports for government end-users in Country Groups D:1, D:2, D:3, D:4 or D:5, as well as to nongovernment end-user in Country Group D:1 or D:5. However, BIS did include relief for certain exports to Country Group D countries that are also listed in the close ally Country Group A:6 – specifically Cyprus, Israel and Taiwan. In addition, License Exception ACE will not permit end uses where the exporter has reason to know the cybersecurity item “will be used to affect the confidentiality, integrity or availability of information or information systems.”
Comments Welcome Until December 6, 2021
Although BIS asserts that it has appropriately tailored the new controls for narrow impact, it is delaying the effective date to hear from industry. Specifically, BIS seeks comments to “ensure full consideration of the potential impact of this rule, including comments on the potential cost of complying … and any impacts this rule has on legitimate cybersecurity activities.”
As companies consider whether to submit comments, they should evaluate the impact of these controls to their business operations, whether there are more effective ways to draw lines around controlled products and whether they can propose more accurate definitions that reflect industry understanding of the terminology used in the rule.
Questions? Please contact Melissa Duffy, Jim Koenig, Tyler Newby, David Feder, Jean Chang or any member of Fenwick’s Trade Regulatory Group and/or Privacy & Cybersecurity Practice.