On October 21, 2021, the US Department of Commerce’s Bureau of Industry and Security (BIS) published and created a new license exemption for certain cybersecurity items that prohibit the export or resale of hacking tools to authoritarian regimes. The new regulations aim to tighten export controls on cybersecurity tools, including intrusion software, Internet Protocol (IP) network communications surveillance, and related technologies that could be used by threat actors to conduct malicious cyber activity and surveillance. The BIS is asking for public comments by December 6, 2021 for a possible revision before the provisional final regulation comes into force on January 19, 2022.
BIS contends that these controls are narrow and focus on specific devices, software and technology used for cyber intrusion and network monitoring and that they should have limited impact when combined with the new license exemption. The rule adopts cybersecurity controls previously agreed in the Wassenaar multilateral arrangement and brings US controls in line with those already adopted by the EU and other jurisdictions. However, network infrastructure manufacturers, cybersecurity software and services providers, IT forensics companies, bug bounty programs, and those involved in vulnerability testing and research can all feel the effects of the rule. In addition, exports to national security-related countries like China and Russia will be severely restricted, and companies trading with Cyprus, Israel and Taiwan will face new restrictions despite these countries’ stronger ties with the US
These rulings provide organizations involved in cybersecurity activities with the opportunity to assess whether controls are indeed tight enough to preclude their legitimate, routine business activities and to provide the BIS with comments on the unintended consequences of those controls.
These new export controls for cybersecurity close the loop on a proposed rule issued by the BIS in 2015 to implement multilateral controls agreed in the Wassenaar Arrangement on record in 2013, criticizing the efforts for causing serious negative unintended consequences who have legitimate cross-border cybersecurity work. The general themes of criticism included that the controls in the defined scope of tools and technologies were too broad, that they imposed a cumbersome export license requirement that would hinder the work of white hat hackers and participants in bug bounty programs, and that the restrictions on the development of intrusion software would hamper international cybersecurity research.
The BIS renegotiated controls in Wassenaar to address these concerns, leading to the multilateral adoption of revised controls in 2017. This new preliminary final rule of the BIS implements this latest version.
Overview of new cybersecurity controls
The BIS introduces new controls for certain cybersecurity elements for national security (NS) and counter-terrorism (AT) reasons by creating new Export Control Classification Numbers (ECCNs) on the Commerce Control List (CCL) and definitions in the Export Administration Regulations (EAR) . In addition, BIS is creating a new Authorized Cybersecurity Export License Exemption (ACE) that authorizes export transactions on these newly inspected items to most destinations while restricting exports to a group of countries with national security concerns.
Below is a general summary of the new controls. We’d love to talk to companies in more detail about nuances that could affect their business:
- Burglary objects. The BIS adds new ECCNs 4A005 (equipment) and 4D004 (software) as well as an updated paragraph 4E001.a and a new paragraph .c (technology) to Category 4 of the CCL, which regulates data processing items. These new controls include devices, software and technology used in cyber intrusion activities. However, the new controls include providing essential software updates and upgrades, as well as activities related to vulnerability disclosure and cyber incident response. The BIS is also amending 5A004 for systems, equipment and components used to bypass, weaken or bypass information security to link them to elements in the new 4A005.
- Surveillance objects. The BIS amends ECCN 5A001, which governs sensitive telecommunications infrastructures, with a new paragraph 5A001.j, which concerns Internet IP (Internet Protocol) network communication monitoring systems or equipment. Corresponding updates will be made to ECCNs 5B001 (test, inspection and production equipment), 5D001 (software) and 5E001 (technology) for items related to the new 5A001.j.
- Definitions. The terms “cyber incident response” and “disclosure of vulnerabilities” are added to the definition section of the EAR in Part 772.
- Response to cyber incidents refers to the process of exchanging necessary information about a cyber security incident with persons or organizations that are responsible for carrying out or coordinating the resolution of the cyber security incident.
- Vulnerability disclosure means the process of identifying, reporting, or reporting a vulnerability to, or analyzing, a vulnerability with the persons or organizations responsible for performing or coordinating the remediation for the purpose of remediating the vulnerability.
- Exclusions from the new controls:
- Published information. Software and technology that is in the public domain and qualifies as “published” information under 15 CFR § 734.7 are still not subject to the EAR and are therefore exempt from these controls.
- Encryption Controlled Items. If a cybersecurity article also contains information security functions so that it is subject to the encryption controls in Category 5, Part 2 of the EAR, then those encryption controls take precedence, provided that the information security functionality remains present and usable within the cybersecurity end article or executable software. However, encryption controls do not take precedence over software source code or technology that implements functionality that is controlled elsewhere in the CCL, or over items where information security functionality is missing, removed, or otherwise absent.
- Stealthy listening checks. Articles that are already checked under another ECCN for reasons of clandestine eavesdropping (SL) will continue to be classified under the corresponding SL-controlled ECCN.
New license exception ACE
The BIS is also establishing a new license with the exception of authorized cybersecurity exports under Section 740.22 EAR. This is an obvious response to criticism from the industry in 2015 as the BIS stated that its intent behind ACE is to “prevent legitimate cybersecurity research and incident response activities.” The exception begins with definitions of the following terms for specific use in the context of the ACE exception: “cybersecurity items”, “digital artifacts”, “cybersecurity end users with favorable treatment” and “government end users”.
Note that similar terms are used elsewhere in the EAR with different meanings. For example, the license exception GOV according to § 740.11 EAR for exports to government end users and the license exception ENC according to § 740.17 EAR for encryption exports both define the concept of a government end user differently. License Exemption ACE takes a broader look at this term and encompasses traditional government functions as well as state-run research organizations, corporations and individuals acting on behalf of a government, and private companies such as retail or wholesalers that manufacture, distribute or supply defense articles or -Services.
As explained by BIS, License Exception ACE allows the export, re-export and transfer (in-country) of cybersecurity items to most destinations, with the exception of regions that are subject to trade embargoes. The exception also takes a restrictive approach towards countries such as China and Russia when it comes to national security. In particular, ACE does not approve exports to government end users in country groups D: 1, D: 2, D: 3, D: 4 or D: 5 or to non-government end users in country group D: 1 or D: 5. However, the BIS provides for relief for certain exports to countries in country group D, which are also listed in the closely allied country group A: 6 – in particular Cyprus, Israel and Taiwan. In addition, the ACE license exemption does not allow end-uses where the exporter has reason to believe that the cybersecurity asset is “being used to compromise the confidentiality, integrity or availability of information or information systems”.
Comments Welcome Until December 6th, 2021
Although the BIS claims to have properly tailored the new controls for low impact, it is delaying the effective date to hear from the industry. In particular, BIS is soliciting comments to “ensure a full consideration of the potential impact of this regulation, including comments on the potential cost of compliance … and any impact this regulation has on legitimate cybersecurity activities”.
When considering whether or not to comment, companies should evaluate the impact of these controls on their business operations, whether there are more effective ways to delineate controlled products, and whether they can suggest more precise definitions that reflect the industry’s understanding of the terminology used – the rule.
Ask? Please contact Melissa Duffy, Jim Koenig, Tyler Newby, David Feder, Jean Chang, or a member of the Trade Regulatory Group and / or Fenwick’s Privacy & Cybersecurity Practice.