Companies operating internationally face an increasing variety of national cybersecurity and trade-related requirements. They may be required to deploy technical and legal measures to protect certain types of data, or report potential data access or other incidents when the data at risk is regulated by one or more countries. International trade and cybersecurity regimes often intersect. The appropriate protection of data governed by export control restrictions, such as the U.S. International Traffic in Arms Regulations (ITAR), is a specific example.

Two developments in the past year highlight the increasing convergence of international trade regulation and cybersecurity: the proposal of export control rules governing a range of cybersecurity commodities and the legal authorization for economic sanctions in response to certain significant malicious cyber activities.

Cybersecurity Export Controls

Redefining “Exports”

In June 2015, the Bureau of Industry and Security (BIS) in the U.S. Commerce Department proposed revisions to the Export Administration Regulations (EAR) that could subject more international data transfers, including intra-company transfers, to export licensing requirements. The proposed rules would expand the definition of “export” to include releasing or otherwise transferring decryption keys, network access codes, passwords, software, or other information with knowledge that doing so would permit the transfer of other controlled technology in clear text, or of controlled software, to a foreign national. This proposed definition parallels proposed amendments to the ITAR issued by the State Department’s Directorate of Defense Trade Controls (DDTC). However, the proposed rules carved out an exception for transfers that meet certain criteria. Specifically, the technology or software transferred must be:

  1. Unclassified;
  2. Secured using end-to-end encryption;
  3. Secured using cryptographic modules compliant with Federal Information Processing Standards Publication 140-2 (FIPS 140-2); and
  4. Not stored in a country subject to a U.S. arms embargo or in the Russian Federation.

By requiring U.S. companies to obtain an export license before transferring EAR-controlled data over an unencrypted or less-securely encrypted connection, the proposed rules put a heavy hand on the scale in favor of end-to-end encryption. Note that the carve-out turns on all four criteria together: encryption that is end-to-end but implemented with a non-FIPS-validated module, or FIPS-validated encryption on data stored in an embargoed country, would not qualify.

While the comments period for these proposed rules has closed, BIS has not yet issued a final definitions rule.

Intrusion Software

In May 2015, the U.S. government caused a stir in the technology industry when it proposed rules implementing export controls adopted in December 2013 under the Wassenaar Arrangement, a multilateral regime that establishes controls over transfers of "dual-use" items—those that have both civilian and military applications. The rules pertained to intrusion software, defined as software specially designed or modified to avoid detection by monitoring tools or to defeat protective countermeasures of a computer or network-capable device, and which extracts or modifies data or modifies the standard execution path of a program to allow execution of externally provided instructions. As a Wassenaar Arrangement participant, the United States voluntarily implements these controls through the EAR, as administered by BIS in the Commerce Department.

The proposed rules would have required companies to obtain an export license from BIS for virtually all transfers outside the U.S. of a range of cybersecurity commodities that are frequently used by companies in security auditing and testing activities. These include, at a minimum, exploit toolkits, penetration testing tools, products that test for network vulnerabilities and extract data, and platforms for the generation, command and control, or delivery of intrusion software.

The reaction to the proposed new rules from industry and academia was swift and overwhelmingly negative. The technology industry, security researchers, privacy activists, academics, and others harshly criticized the rules, filing several formal comments in opposition to their implementation. Critics emphasized uncertainty over the scope and potential breadth of items to be covered, which under some interpretations could have included software vulnerabilities, exploits, vulnerability research, transfers of exploit samples, software auto-updaters, and other items. The lack of an exception for intra-company transfers worried some commenters, who feared that large companies could face a severe licensing burden to simply secure their networks.

In the face of this opposition, including criticism from some in the U.S. Congress, BIS stepped back and made clear that it is reviewing the feedback it has received and will seek further public comment before issuing final rules. But several in Congress have continued to express concern. On February 10, 2016, a bipartisan group of lawmakers from the House Committee on Oversight and Government Reform sent a letter to Secretary of State John Kerry, stating that they “unambiguously expect that the U.S. Department of State will work to renegotiate the controls at the next Wassenaar plenary” session in 2016. Soon after, the Obama administration reportedly filed a proposal to eliminate controls on the development of intrusion software. Decisions will be made in December 2016 at the next plenary meeting of the Wassenaar Arrangement, but activists have already declared victory. While the ultimate outcome of the 2016 Wassenaar plenary is not yet known, we expect a high level of public interest and engagement from the tech industry, and interested companies will have an important opportunity to influence the renegotiation of these rules.

Cyber Sanctions Developments

On April 1, 2015, President Obama declared a national emergency with respect to the increasing threat posed by cyber attacks and authorized economic sanctions against the perpetrators of significant “malicious cyber-enabled activities.” Executive Order 13694 marked a significant policy change by authorizing sanctions against individuals or entities involved in cyber-enabled activities originating from, or directed by persons located, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States. Under the executive order, such activities must also have the purpose or effect of harming or significantly compromising the provision of services by an entity in a critical infrastructure sector; causing significant disruption to the availability of a computer or network of computers; or causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.

The authorization of new economic sanctions represents a potentially important new policy tool to respond to destructive cyber activities; however, the effectiveness of this new tool remains unclear. The language of the executive order is broad enough to apply to a wide range of cyber attacks — including those against private sector entities. But, unlike past executive orders authorizing economic sanctions, this one did not contain an initial list of designated individuals or entities. And in nearly a year’s time, no such individuals or entities have been designated. As a result, it remains uncertain how the administration will use this authorization, which also limits the potential deterrence value of cyber sanctions.

Limited guidance has been provided concerning the “malicious cyber-enabled activities” targeted by the executive order. The Treasury Department’s Office of Foreign Assets Control (OFAC) has stated that such activities could include “unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain” in order to cause harms including the compromise of critical infrastructure, denial of service attacks, or significant loss of sensitive information (e.g., personal financial information or trade secrets).1 On December 31, 2015, OFAC issued abbreviated regulations to implement the executive order, noting that they would be supplemented in the future with more comprehensive regulations. These regulations mostly contain OFAC’s standard provisions for sanctions programs, and generally do not clarify what cyber activities might qualify under the executive order.

A prior executive order, issued January 2, 2015, imposed additional sanctions on North Korea, and perhaps provides an example of the types of cyber activities an administration may sanction pursuant to the April 2015 Executive Order 13694. Executive Order 13687 was issued partly in response to North Korea’s alleged involvement in destructive cyber attacks on Sony Pictures Entertainment in November 2014. One of the first entities designated under that executive order was the Reconnaissance General Bureau (RGB), one of North Korea’s primary intelligence organizations, which is also responsible for running many of North Korea’s cyber operations.

In addition, on February 18, 2016, President Obama signed the North Korea Sanctions and Policy Enhancement Act of 2016, which codifies sanctions with respect to destructive North Korean cybersecurity activities provided for in either Executive Order 13687 or Executive Order 13694. The act also requires the President to impose secondary sanctions on third-country actors who provide support to certain North Korean activities. For example, the act requires mandatory sanctions against individuals who “knowingly engage in significant activities undermining cybersecurity through the use of computer networks or systems against foreign persons, governments, or other entities on behalf of the government of North Korea.”2 This provision is not limited to North Korean persons or entities and could support the designation of actors in third countries, such as China. The act defines “significant activities undermining cybersecurity” to include significant efforts to deny access to or degrade, disrupt, or destroy an information and communications technology system or network or infiltrate information from such system or network; significant destructive malware attacks; and significant denial of service activities. Although the act only relates to North Korea, it may help clarify the types of cyber activities that may be targeted by sanctions pursuant to Executive Order 13694.

Although considerable uncertainty remains regarding how cyber sanctions will be used, three developments point the same way: Executive Order 13694 authorizes sanctions in response to significant cyber attacks; sanctions were imposed on North Korea under Executive Order 13687 in part as a response to its destructive cyber attacks against a private sector entity; and Congress has codified those North Korea sanctions in legislation. Taken together, they demonstrate that cyber sanctions are an emerging but likely important tool that certain governments will attempt to use against malicious cyber actors.