After several years of foreign and domestic negotiations surrounding controls on intrusion software, the U.S. Department of Commerce’s Bureau of Industry & Security (BIS) published an interim final rule on October 21, 2021, amending the Export Administration Regulations (EAR) and creating new licensing requirements for the export or transfer of cybersecurity items to non‑U.S. persons. Although intended to target and restrict malicious cyber activities, the new rule has significant implications for and adds considerable complexity to the broader cybersecurity community.
The rule is the Biden administration’s latest effort to curb the dissemination and use of cyber intrusion tools in a manner contrary to U.S. national security. The comment period on the interim final rule ends December 6, 2021, and the rule is scheduled to become final on January 19, 2022.
- The interim final rule creates new Export Control Classification Numbers (ECCNs) on the Commerce Control List (CCL) and licensing requirements for “cybersecurity items” and “IP network communications surveillance systems or equipment.”
- A new license exception called Authorized Cybersecurity Exports (ACE) permits exports of certain covered items to many destinations, but is subject to important carve-outs and does not apply to end-users in certain countries, including China and Russia.
- Notwithstanding the license exception, the rule will require companies in the cybersecurity space to undertake additional diligence and augment existing compliance policies.
The interim final rule is a result of years of evolving cybersecurity foreign policy. The United States is a member of the Wassenaar Arrangement (WA)—a multinational regime that seeks to establish common control policies on dual-use goods and technologies to be adopted by member countries.
In 2013, after more than a decade of rising concerns surrounding the malicious use of cyber technologies, WA added cybersecurity items to its list of controlled items. When BIS issued a proposed rule in 2015 to implement the new controls, it received widespread public criticism regarding the proposed rule’s scope and potential to hamper legitimate cybersecurity research and development. These concerns prompted BIS to abandon the proposed rule and renegotiate the controls within the WA, which resulted in changes to the WA decision, published in 2017. The new rule seeks to implement the revised WA controls, as well as address certain human rights concerns, which the United States has prioritized in recent guidance, statutory mandates, and notable enforcement actions from the Biden administration.
Defining Cybersecurity Items
The interim final rule is focused on hardware, software, and technology (collectively referred to in the EAR as “items”) with cybersecurity functionality. Cybersecurity items are broadly defined, and thus impose compliance obligations on a wide range of legitimate cybersecurity activities. Parties transferring to a non-U.S. person a cybersecurity item that meets the definition would need a license for many destinations, absent a license exception. Under the EAR’s “deemed export” rule, the disclosure of controlled cybersecurity technology to a foreign national, including those in the United States, is an export to that person’s country of nationality.
“Cybersecurity items” under the new rule include:
- Systems, equipment, components (new ECCN 4A005), software (new ECCN 4D004, 4D001.a), and technology (new ECCN 4E001.a & c) that are specially designed or modified for the generation, command and control, or delivery of “intrusion software.”
- Certain IP network communications surveillance systems or equipment (new ECCN 5A001.j).
- Related telecommunications systems (ECCN 5B001).
“Intrusion software” refers to software that can avoid or defeat network-device monitoring tools and protective countermeasures, and can either extract or modify data or modify a program to allow for externally provided instructions.
There are, however, notable limits on the scope of covered cybersecurity items. The license requirements for cybersecurity items do not apply to software specially designed and limited to providing basic updates and upgrades. Nor do the requirements apply to “vulnerability disclosure” or “cyber incident response” technology controlled by or for the development of intrusion software. Additionally, IP network communications surveillance systems or equipment do not include those that are specially designed for marketing purposes, quality of service (QoS), or quality of experience (QoE).
Existing principles and rules under the EAR also limit the scope of the new rule’s controls. Notably, controlled cybersecurity items do not include:
- Published information under 15 C.F.R. § 734.7, unless the published information is incorporated into a proprietary product;
- Information security capabilities that are incorporated in the cybersecurity item and that fall under the controls specified in Category 5—Part 2 of the CCL (ECCN 5A002.a, 5A004.b, 5D002.c.1 & 3); and,
- Items controlled for Surreptitious Listening (SL) reasons under a different ECCN, which will continue to be classified under the SL ECCN.
New License Exception ACE
License exceptions are authorizations that allow the export or reexport of EAR items under the stated conditions of the exception. License exception ACE would authorize the transfer, including deemed exports and reexports, of cybersecurity items without a license to most destinations. The exception does not apply to certain transfers, including those to: (1) prohibited countries, (2) government and non-government end-users, and (3) known malicious end-users. The policy behind license exception ACE is to avoid impeding legitimate cybersecurity research and incident response activities while still preventing cybersecurity items from falling into the wrong hands.
1. Prohibited Countries
Like other license exceptions under the EAR, license exception ACE is unavailable to parties in Country Group E: Cuba, Iran, North Korea, and Syria. Exports, reexports, and transfers to sanctioned countries are prohibited regardless of the end-user.
2. Government and Non-Government End-User Restrictions
License exception ACE distinguishes between government and non-government end-users.
Government end-users: Subject to certain specific exceptions, license exception ACE is generally unavailable to “government end-users”—as the EAR defines that term—in Country Group D, which includes nearly 50 countries (including China and Russia).
Non-government end-users: License exception ACE is also not generally available to non‑government end-users located in the countries listed in Country Groups D:1 or D:5 (Restricted Countries), such as China, Iraq, Lebanon, and Russia. Note that for non-government end-users in Country Group D that are not listed under D:1 or D:5—which currently includes Bahrain, Egypt, Israel, Jordan, Kuwait, Oman, Pakistan, Qatar, Saudi Arabia, Taiwan, and the UAE—the license exception may still apply.
3. Known Malicious End-Use
License exception ACE does not apply where the exporter, reexporter, or transferor knows or has reason to know that the cybersecurity item will be used in a malicious manner. This includes the use of a cybersecurity item in a way that affects the confidentiality, integrity, or availability of information or information systems, without authorization by the owner, operator, or administrator of the information system. For these reasons, parties must prudently assess cybersecurity item recipients before relying on license exception ACE. For covered items, this will include integrating this rule into companies’ existing Know-Your-Customer and end-use checks.
The interim final rule reflects the U.S. government’s concern over the export of cybersecurity technology and continued efforts to halt malicious cyber activities. At the same time, the U.S. government recognizes the need for companies to continue to trade and develop in this space, as reflected in the exceptions to the rule and the scope of license exception ACE.
The Biden administration has been particularly focused on the use and proliferation of intrusion software. In September 2021, the DOJ announced the resolution of criminal charges against former U.S. military and intelligence professionals who used their cyber training and experience to assist a foreign government’s intelligence collection operations. Principal Associate Deputy Attorney General John Carlin also recently highlighted the DOJ’s heightened focus on sanctions and export control-related actions.
Given the complexity of the rule, parties engaged in the export or transfer of software and technology must carefully review its scope. Companies active in this space should consider submitting comments on the rule before the December 6, 2021, deadline and undertake a review of their products and technologies against the functionality of the new cybersecurity ECCNs to determine the extent to which their items may be covered.