On October 22, the European Commission amended its List of Dual Use Items to include controls on “intrusion software” which the Wassenaar Plenary adopted in December 2013 and which we reported here. The new list, and the export controls on intrusion software, will go into effect after 60 days from October 22 unless the E.U. Council or Parliament interpose objections.
That, of course, raises the question about where the United States is on adopting these controls. Initially spokespersons for the Bureau of Industry and Security indicated that the rules on intrusion detection hardware and software would be out in September. Well, September and October have both come and gone and there is no sign of new rules on this issue.
Of course, at least part of what Wassenaar defined as intrusion software is already controlled in the United States under ECCN 5D980, which was adopted in December 2007 and which controls surreptitious listening software. But 5D980 does not control, as the new controls on intrusion detection software would, software performing “the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.” The scope of the definition of intrusion software is undeniably broad and susceptible of covering some unobjectionable types of software, so it seems clear the BIS must be struggling with how to handle the breadth of the definition and limited unintended consequences.