The Commerce Department’s export control agency, BIS, has proposed a new rule to control exports of equipment and software designed or modified to perform network intrusion and internet protocol communications surveillance. The proposed controls also cover technology used to develop intrusion software or network communications surveillance systems.
“Intrusion software” is defined to include software specially designed or modified to defeat protective countermeasures and monitoring tools that have the ability to extract or modify information on the target device or enable the execution of externally provided instructions.
As drafted, the proposed rule would cover equipment and software designed to perform penetration testing of networks, which network owners or their security contractors use to determine the vulnerabilities of computers and network-connected devices. The rule would impose a license requirement on all exports, except those to Canada.
Some of the items designated in the proposed rule may already require licenses for export under existing export regulations governing encryption, but the new rule is focused directly on the cybersecurity threat such technologies pose.
Another part of the proposed rule restricts export of network traffic analysis systems. Systems that intercept and analyze internet traffic to produce personal, human and social information from the communications stream also could not be exported anywhere (except Canada) without a license.
Parties interested in commenting on this proposed rule may do so at the www.regulations.gov website, under Docket No. BIS-2015-0011. The comment period closes July 20, 2015.