On May 20, 2015, the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) published a proposed rule to impose new export controls on certain cybersecurity items. The proposed rule would amend the Export Administration Regulations (“EAR”) by adding new Export Control Classification Numbers (“ECCNs”) and revising existing ECCNs to add specific controls for intrusion software, Internet Protocol (IP) network communications surveillance, and related systems, equipment, software, and components. Although many of these cybersecurity items are already controlled on the Commerce Control List (“CCL”) for their ‘‘information security’’ functionality, the proposed rule would change the items’ classification and reduce the availability of most license exceptions, including the encryption (“ENC”) license exception.
If finalized, the rule would implement the United States’ obligations under agreements made by the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Technologies (“Wassenaar Arrangement”), which added these cybersecurity items to its list of dual-use goods in December 2013. The Wassenaar Arrangement is a multi-national group of 41 countries that seek to promote transparency and responsibility in transfers of conventional arms and dual-use goods and technologies to prevent destabilizing accumulations of arms. As a Wassenaar member, the United States has committed to controlling all items on the Wassenaar Arrangement control lists for export.
New Controls for “Intrusion Software” Items
The proposed rule would add a new definition for the term “intrusion software” to EAR Section 772.1. Intrusion software, under the proposed definition, would include software specially designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures, of a computer or network-capable device, and performing any of the following:
- the extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or
- the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.
The proposed definition of “intrusion software” does not include (i) hypervisors, debuggers, Software Reverse Engineering (SRE) tools; (ii) Digital Rights Management (DRM) software; or (iii) software designed to be installed by manufacturers, administrators or users, for the purposes of asset tracking or recovery.
In addition, the proposed rule would create the following new ECCNs for intrusion software and related systems, equipment, components and software:
- ECCN 4A005 - Systems, equipment, and components specially designed for the generation, operation or delivery of, or communication with, intrusion software.
- ECCN 4D004 - Software specially designed for the generation, operation or delivery of, or communication with, intrusion software.
The proposed rule would amend existing ECCNs 4D001 to cover software specially designed or modified for the development or production of ECCN 4A005 commodities and 4D004 software; and 4E001 to cover technology required for ECCN 4A005 commodities and 4D004 software, as well as 4D001 software related to intrusion software.
The new and amended ECCNs for intrusion software would be controlled for National Security (NS), Regional Stability (RS), and Anti-Terrorism (AT) and require a license for all exports and reexports to all destinations other than Canada. No license exceptions would be available except for certain provisions under license exception GOV for exports to or on behalf of the U.S. Government.
New Controls for IP Network Communications Surveillance Items
The proposed rule would create new ECCN 5A001.j to cover IP network communications surveillance systems or equipment and test, inspection, production equipment, and specially designed components therefor. The new ECCN would include systems that intercept and analyze messages to produce personal, human, and social information from network communications traffic. ECCN 5A001.j would not include systems or equipment specially designed for a marketing purpose, network quality of services, or quality of experience. Similar to the ECCNs for intrusion software, 5A001.j would be controlled for NS, RS, and AT, and require a license for all exports and reexports except to Canada. Likewise, 5A001.j would not be eligible for the use of license exceptions except certain provisions for GOV.
Encryption Controls Requirements
Although the proposed rule would classify these cybersecurity items under new ECCNs and no longer by their information security functionality, the cybersecurity items that implement encryption would still be required to comply with the information security registration, review, and reporting requirements under the EAR’s encryption export controls. Under the proposed rule, exporters would still have to satisfy the requirements under the encryption rules as a prerequisite for applying for an export license even though license exception ENC and mass market treatment would no longer be available. With the loss of license exception ENC under the proposed rule, exporters would have to exercise caution to ensure they do not inadvertently transfer cybersecurity technology without prior authorization, including intracompany transfers to foreign U.S. subsidiaries.
Export Licensing Policy and License Applications for Cybersecurity Items
As discussed, the proposed rule would require a license to export or reexport these cybersecurity items to all destinations other than Canada. License requests, however, under the proposed rule would be reviewed favorably if destined for U.S. companies or subsidiaries not located in Country Group D:1 or E:1; commercial partners in Country Group A:5; and government end-users in Australia, Canada, New Zealand, and the United Kingdom. Licenses would otherwise be reviewed on a case-by-case basis to determine whether the transaction is contrary to U.S. national security and foreign policy. Under the proposed rule, there would be a presumption of denial of licenses for items that have or support rootkit or zero-day exploit capabilities.
The proposed rule would require license applications for cybersecurity items to include specific technical information and, upon request, copies of sections of source code and other software (e.g., libraries and header files) that implement or invoke controlled cybersecurity functions.
The proposed licensing requirements are significantly stricter than the current export controls for some cybersecurity items that are already controlled for encryption. Companies in the cybersecurity field should evaluate whether aspects of the proposed rule could affect their operations or research and development activities. If finalized, companies will need to analyze existing licenses and determine if new authorizations are required. Companies would also need to train employees and revise their compliance program, including revising existing manuals, policies and procedures, to reflect the EAR amendments. Being diligent and making a good faith effort to comply with applicable export controls can help companies avoid potential costly penalties for non-compliance, including civil fines up to $250,000 per violation or twice the value of the transaction, the loss of export privileges, criminal fines up to $1,000,000 per violation, and imprisonment. Innocent mistakes or mere negligence, however, will not result in criminal penalties under the International Emergency Economic Powers Act (“IEEPA”), which requires “willfulness” for criminal liability, as reflected in the recent seventh circuit opinion in United States v. Dobek, ___ F.3d ___ (7th Cir. May 19, 2015).
Public comments to the proposed rule are due to BIS by July 20, 2015. We will continue to monitor developments.