On May 20, 2015, the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) published a proposed rule to add export controls for certain cybersecurity products. In particular, the new controls would cover items related to intrusion software and Internet Protocol (IP) network communications surveillance. While many of these products were already controlled as encryption items, the proposed rule would change their classification, increase export control requirements, and significantly reduce the availability of license exceptions. Accordingly, this rule would tighten BIS control over these cybersecurity products and potentially impede exports to certain countries or end-users.

In December 2013, the multilateral Wassenaar Arrangement added these cybersecurity products to its list of dual-use goods. As a Wassenaar member, the United States has been considering since that time how to implement this change in the Export Administration Regulations (EAR) consistent with U.S. national security and foreign policy interests. While BIS has proposed a way to implement these new controls, it has acknowledged that the impact of this rule is unknown, and it welcomes comments from exporters on the anticipated impact on their business. BIS will accept public comments on the proposed rule until July 20, 2015.

New Controls for Intrusion and Surveillance Items

The proposed rule would apply to specific types of intrusion and surveillance items as designated by Wassenaar. The term “intrusion software” as it would be used throughout the EAR would be defined as software “specially designed” or modified to avoid detection by monitoring tools, or to defeat protective countermeasures, of a computer or network-capable device, and performing:

  1. the extraction of data or information, from the computer or device, or the modification of system or user data; or
  2. the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

While some of these terms are described further in the rule, “intrusion software” will cover penetration testing products and other offensive intrusion items, but not hypervisors, debuggers, software reverse engineering (SRE) tools, or digital rights management (DRM) software.

The designated surveillance items are also limited, and must meet all of the following criteria for intercepting and analyzing communications traffic:

  1. Performing all of the following on a carrier class IP network (e.g., national grade IP backbone):
    1. Analysis at the application layer (e.g., Layer 7 of Open Systems Interconnection (OSI) model (ISO/IEC 7498-1));
    2. Extraction of selected metadata and application content (e.g., voice, video, messages, attachments); and
    3. Indexing of extracted data; and
  2. Being “specially designed” to carry out all of the following:
    1. Execution of searches on the basis of ‘hard selectors’; and
    2. Mapping of the relational network of an individual or of a group of people.

The proposed rule would create new ECCNs and revise others to add specific controls for the specified cybersecurity products.

  • New ECCN 4A005 would cover systems, equipment, and components “specially designed” for the generation, operation or delivery of, or communication with, intrusion software.
  • New ECCN 4D004 would cover software “specially designed” for the generation, operation or delivery of, or communication with, intrusion software.
  • ECCN 4D001 would be revised so 4D001.a would also cover software specially designed or modified for the development or production of ECCN 4A005 commodities and 4D004 software.
  • ECCN 4E001 would be revised so 4E001.a would also cover technology required for ECCN 4A005 commodities and 4D004 software, as well as 4D001.a software related to intrusion software.
  • New ECCN 5A001.j would cover IP network communications surveillance systems or equipment and test, inspection, production equipment, and specially designed components therefor.

Each of these cybersecurity ECCNs would require an export license for all destinations other than Canada. Also, no license exceptions would be available except for certain exports under License Exception GOV for exports to or on behalf of the U.S. Government. Similar revisions would be made to ECCNs 5D001 and 5E001 for software and technology related to ECCN 5A001.j surveillance items.

Relationship to Encryption Controls

BIS has indicated that most of the cybersecurity items covered by this rule are currently controlled as encryption items. Under the proposed rule, while these items would now be classified under new ECCNs, they still must satisfy the registration, review, and reporting requirements under the EAR’s encryption export controls. This rule would essentially double the compliance burden for cybersecurity items with encryption functionality – exporters would have to fulfill the administrative requirements under the encryption rules and then apply for an export license under the new ECCNs. While BIS states that it anticipates “licensing broad authorizations to certain types of end users and destinations” to counterbalance the loss of the use of License Exception ENC, BIS has not specified any details of those authorizations. Also, in the absence of License Exception ENC, deemed exports of cybersecurity technology may become a compliance concern, whereas this technology was largely subject to a license exception when controlled for encryption reasons. Finally, while BIS has traditionally not applied the deemed export rules to encryption source code, that policy is not likely to continue for cybersecurity source code.

Licensing Policy and License Applications

As stated above, these cybersecurity products would all require a license for export to all destinations other than Canada. They would be controlled for NS (National Security), RS (Regional Stability), and AT (Anti-Terrorism) reasons. The proposed rule would require that export license applications include specific technical information on the cybersecurity functions. BIS could also, at its option, request a copy of the sections of source code that implement these cybersecurity functions.

BIS would also add a new RS license review policy for cybersecurity items. These items would be reviewed favorably if destined for (a) a U.S. company or subsidiary not located in Country Group D:1 or E:1; (b) commercial partners in Country Group A:5; and (c) government end-users in Australia, Canada, New Zealand, and the United Kingdom. Otherwise, licenses will be reviewed on a case-by-case basis considering U.S. national security and foreign policy, including U.S. interest in promoting global human rights. This licensing policy is far stricter than the current export authorization for some cybersecurity items that are now controlled as encryption items, which can often be exported under License Exception ENC.

Conclusion

This proposed rule may affect many tech companies in the cybersecurity space. If implemented as proposed, it would significantly change the export control requirements for many intrusion and surveillance products currently subject to the EAR’s encryption control rules. Comments may be submitted to BIS until July 20, 2015. While BIS will accept comments on any aspects of the proposed rule, it has highlighted certain subjects on which comments would be especially useful. These topics include:

  1. How many additional license applications would your company be required to submit per year under the requirements of this proposed rule? If any, of those applications:
    1. How many additional applications would be for products that are currently eligible for license exceptions?
    2. How many additional applications would be for products that currently are classified EAR99?
  2. How many deemed export license applications would your company be required to submit per year under the requirements of this rule?
  3. Would the rule have negative effects on your legitimate vulnerability research, audits, testing or screening and your company's ability to protect your own or your client’s networks? If so, explain how.
  4. How long would it take you to answer the questions in proposed paragraph (z) to Supplement No. 2 to part 748 (i.e., license application requirements)? Is this information you already have for your products?