The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) has published new export controls on certain cybersecurity items that ban the export or resale of hacking tools to authoritarian regimes, and it created a new license exception for those items.
The new regulations aim at tightening export controls on cybersecurity tools, including intrusion software, internet protocol network communications surveillance, and related technology that could be used by threat actors to conduct malicious cyber activities and surveillance.
BIS requested public comments for potential revision before the effective date of the interim rule. In December 2021, BIS published 12 sets of comments from industry, summarized in this article.
BIS contends that these controls are narrowly drawn, focusing on specific cyber-intrusion and network surveillance equipment, software and technology, and, when combined with the new license exception, that they should have limited impact. The rule adopts cybersecurity controls previously agreed to at the multilateral Wassenaar Arrangement, bringing U.S. controls into alignment with those already adopted by the European Union and other jurisdictions.
However, network infrastructure manufacturers, cybersecurity software and service providers, IT forensics firms, bug bounty programs and those engaged in vulnerability testing and research may feel the impact of the rule.
Further, exports to national security concern countries such as China and Russia will be highly restricted, and companies dealing with Cypress, Israel and Taiwan will have to navigate new restrictions, notwithstanding those countries’ stronger relationships with the U.S.
To learn more, read the full article.
Updated from our October 2021 alert and published in the February 2022 issue of The Computer & Internet Lawyer.