The U.S. Department of Commerce, Bureau of Industry and Security (BIS) has issued a proposed rule to impose licensing and other requirements on exports and reexports of certain technologies related to cybersecurity. BIS is seeking comments through July 20, 2015 on the proposed rule. Companies that develop, produce, market or are major offshore users of such technologies may want to consider submitting comments.
On May 20, 2015, BIS proposed to amend the Export Administration Regulations (EAR) by adding several new Export Control Classification Numbers (ECCNs) to the Commerce Control List (CCL), as well as licensing and other requirements, that would apply to exports and reexports of cybersecurity technologies (see 80 Fed. Reg. 28853). These amendments will implement U.S. obligations under certain agreements by the Wassenaar Arrangement (WA) made at the Plenary meeting in December 2013.
When final, these amendments to the EAR will impose a license requirement for the export, reexport or transfer (in-country) of the following cybersecurity items to all destinations except Canada:
- Systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software (including network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices).
- Software specially designed or modified for the development or production of such systems, equipment or components.
- Software specially designed for the generation, operation or delivery of, or communication with, intrusion software.
- Technology required for the development of intrusion software (including proprietary research on the vulnerabilities and exploitation of computers and network-capable devices).
- Internet protocol network communications surveillance systems or equipment; test, inspection, production equipment; specially designed components therefor; and development and production software and technology therefor.
The proposed rule seeks to add ECCN 4A005 (systems, equipment or components therefor specially designed for the generation, operation or delivery of, or communication with, intrusion software) and ECCN 4D004 (software specially designed for the generation, operation or delivery of, or communication with, intrusion software) to the CCL. These ECCNs would be controlled for national security, regional stability and anti-terrorism reasons to all destinations except Canada. No license exceptions would be available except certain provisions of license exception GOV (exports to or on behalf of the U.S. government). BIS has informally indicated that these ECCN controls will focus on systems that are offensive in nature and used to generate or be used with intrusion software, but will not control the intrusion software itself. The rulemaking also proposed a formal definition of the term “intrusion software.”
BIS further indicated in its notice that network communication traffic analysis systems are becoming an increasingly sensitive issue, which is why the WA signatories agreed to add the control of these items to the WA dual-use list. These systems intercept and analyze messages to produce personal, human and social information from the communications traffic. BIS proposes to add these systems into ECCN 5A001.j and group them with cybersecurity items for control for national security, regional stability, and anti-terrorism reasons to all destinations except Canada. BIS has informally indicated that this ECCN is intended for very narrow control of only very large systems that meet other requirements of the ECCN 5A category.
New Licensing Review Requirements
BIS states that although the cybersecurity capabilities provided by the products above were not previously designated for export control, many are controlled for their “information security” functionality, including encryption and cryptanalysis. The proposed rule therefore would continue applicable Encryption Items registration and review requirements. It also proposes additional license review policies and special submission requirements to address the new cybersecurity controls, including submission of a letter of explanation regarding the cybersecurity items’ technical capabilities.