With cybersecurity dominating the headlines, the U.S. government has taken several recent steps to target the national security threat posed by cybercriminals and hackers with new regulations aimed at curbing malicious actors online. With a series of proposed rules and an Executive Order, the U.S. government has begun a concerted effort (i) to rein in malicious cyber actors using export controls and sanctions regulations; and (ii) to better align U.S. export control regulations with the realities of cloud computing and encrypted export-controlled data.

Many of these regulations are proposed rules that have not yet become final, meaning that there is still time for companies potentially impacted by the new rules to submit comments.

Commerce Targets Items Related to “Intrusion Software”

On May 20, 2015, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) published proposed amendments to the Export Administration Regulations (EAR) to implement stricter controls on certain cyber-security related items.

The proposed rule would create new restrictions and requirements for the export of hardware, software, and technology related to “intrusion software” (but not “intrusion software” itself), requiring a license for export to all destinations except Canada. Certain network penetration testing products and IP network communications surveillance systems would be controlled similarly. To the extent such items incorporate cryptographic or cryptanalytic functionality, exporters of these items would also be required to comply with the encryption registration, review, and reporting requirements of the EAR. Some of these items are currently controlled under the EAR as encryption items but now will be controlled as cybersecurity items. In addition, export license applicants may be required to provide BIS with source code related to their products’ cybersecurity functionality.

BIS is seeking input from companies that would be affected by the proposed export controls, particularly regarding the burden these licensing requirements would impose, as well as any negative impacts on legitimate vulnerability research, audits, and testing. In public statements, BIS has also attempted to address the concerns of researchers, emphasizing that the intention behind the proposed rule is not to regulate research and analysis of software vulnerabilities.

BIS is accepting comments on the proposed rule until July 20, 2015.

Harmonized Definitions in Proposed Rules Address Longstanding Issues for Internet Transfers and Cloud Computing

On June 3, 2015, the State Department’s Directorate of Defense Trade Controls (DDTC) and BIS proposed revisions to U.S. export control regulations that would permit cross-border electronic transfers of export-controlled data and software without a specific export authorization, provided certain conditions are met, including securing the data or software with end-to-end encryption and ensuring that foreign persons are not given the means to decrypt such data or software. The proposal, if adopted, could have implications for companies that (i) use or provide cloud computing services; (ii) have an overseas presence; (iii) have employees who travel internationally; or (iv) have foreign person employees in the United States.

As part of the president’s Export Control Reform (ECR) initiative, DDTC and BIS published proposed rules to clarify and harmonize numerous definitions and provisions in the International Traffic in Arms Regulations (ITAR) and EAR, respectively. The BIS rule is here, and the DDTC rule is here. The agencies have also published a side-by-side comparison of the regulatory text in the two proposed rules, which can be viewed here.

The EAR and the ITAR already address to some extent electronic transfers of controlled technology, technical data, and software, but these proposed rules are part of the U.S. government’s effort to further adapt the regulations to the world of e-commerce and cloud computing. Two key sets of provisions in the proposed rules would substantially alter how the ITAR and EAR would apply in certain scenarios to electronically transmitted, accessed, or stored information and software. 

One set of provisions would explicitly define the sending, taking, or storing of technology, technical data, or software as an activity that is not an export, reexport, transfer, or retransfer, provided that:

  • The technical data or technology is not classified
  • It is secured using “end-to-end encryption”
  • It is secured using cryptographic modules compliant with Federal Information Processing Standards Publication 140-2 (FIPS 140-2)
  • It is not stored in countries subject to a U.S. arms embargo or the Russian Federation

Another set of complementary provisions would define the release or transfer of decryption keys (and other means of accessing controlled technology or software that is encrypted) as an export or reexport, if those keys are transferred with knowledge that they will cause or permit the transfer of technology in clear text or software to a foreign national. Thus, unless an export of the underlying controlled data or software to a foreign national has already been authorized, any transfer or release of the decryption keys that would grant a foreign national access to such data in clear text or software is itself an export that might trigger licensing requirements. These provisions deemphasize the physical location of controlled data and software in favor of a standard that focuses on foreign national access to the data and software, with implications for cloud computing and cross-border electronic transfers generally.

The filing deadline for comments on both agencies’ proposed rules is August 3, 2015.

Treasury Department Weighs Sanctions Against Malicious Hackers

On April 1, 2015, President Obama signed an Executive Order authorizing the imposition of sanctions on individuals and entities determined to be responsible for or complicit in malicious cyber-enabled activities constituting a significant threat to the national security, foreign policy, economic health, or financial stability of the United States. The Treasury Department’s Office of Foreign Assets Control simultaneously releasedFAQs related to the Order. The White House, in a statement by President Obama and in FAQs on the White House Blog, explained that the Order will be used to impose targeted sanctions against the “worst of the worst” malicious cyber actors, as well as companies that knowingly use stolen trade secrets.

While no entities or individuals have been designated as subject to the new sanctions, and the Order does not impose any immediate compliance obligations on U.S. companies, the addition of this new “tool” to the U.S. government’s cybersecurity capabilities is another sign of how seriously the threat of cyber attacks is being taken at the highest levels of government. In the wake of the recent breach of computer systems at the Office of Personnel Management, the White House is reportedly considering the imposition of sanctions under this Executive Order. Members of Congress have already called for the White House to do so.

For more details on the scope and potential impact of the Executive Order, see our client alert here.

Adam Berry, Steven Choi