Being a White-Hat Hacker Just Got Tougher: U.S. Commerce Department Issues New Cybersecurity Export Controls on Intrusion and Surveillance Tools

By: Melissa Duffy, Tyler G. Newby, David Feder

On October 21, 2021, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) published new export controls on certain cybersecurity items that ban the export or resale of hacking tools to authoritarian regimes, and it created a new license exception for those items. The new regulations aim at tightening export controls on cybersecurity tools, including intrusion software, Internet Protocol (IP) network communications surveillance, and related technology that could be used by threat actors to conduct malicious cyber activities and surveillance. BIS is requesting public comments until December 6, 2021, for potential revision before the interim final rule takes effect on January 19, 2022.

BIS contends that these controls are narrowly drawn, focusing on specific cyber-intrusion and network surveillance equipment, software and technology, and that, when combined with the new license exception, they should have limited impact. The rule adopts cybersecurity controls previously agreed to at the multilateral Wassenaar Arrangement, bringing U.S. controls into alignment with those already adopted by the EU and other jurisdictions. However, network infrastructure manufacturers, cybersecurity software and service providers, IT forensics firms, bug bounty programs, and those engaged in vulnerability testing and research may feel the impact of the rule. Further, exports to national security concern countries such as China and Russia will be highly restricted, and companies dealing with Cyprus, Israel and Taiwan will have to navigate new restrictions, notwithstanding those countries’ stronger relationships with the U.S.

This rulemaking provides an opportunity for companies engaged in cybersecurity activities to evaluate whether the controls are indeed narrow enough to exclude their legitimate routine business activities, and to provide comments to BIS on any unintended consequences of these controls.

Background

These new cybersecurity export controls close the loop on a proposed rule, issued by BIS in 2015, to implement multilateral controls agreed to by the Wassenaar Arrangement in 2013. After issuing the proposed rule, BIS received overwhelming feedback from industry, including hundreds of public comments on the record, criticizing the effort as having severe negative unintended consequences on legitimate cross-border cybersecurity work. General themes from the criticism included that the controls were overly broad in the defined scope of tools and technologies, that they imposed a cumbersome export licensing requirement that would impede the work of white-hat hackers and bug bounty program participants, and that the restrictions on the development of intrusion software would inhibit international cybersecurity research.

BIS renegotiated the controls at Wassenaar to address these concerns, leading to the multilateral adoption of revised controls in 2017. This new interim final rule from BIS implements that most recent version.

Overview of New Cybersecurity Controls

BIS is establishing new controls on certain cybersecurity items for National Security (NS) and Anti-terrorism (AT) reasons, through the creation of new export control classification numbers (ECCNs) on the Commerce Control List (CCL) and definitions in the Export Administration Regulations (EAR). Additionally, BIS is creating a new license exception for Authorized Cybersecurity Exports (ACE), authorizing export transactions involving these newly controlled items to most destinations while restricting exports to a national security concern group of countries.

A high-level summary of the new controls is provided below. We are happy to speak with companies in more detail about nuances that might impact their businesses:

  • Intrusion Items. BIS is adding new ECCNs 4A005 (equipment) and 4D004 (software), as well as an updated paragraph 4E001.a and a new paragraph .c (technology) to Category 4 of the CCL, where computing and processing items are regulated. These new controls cover equipment, software and technology used in cyber intrusion activities. However, the new controls carve out the provision of basic software updates and upgrades, and activities relating to vulnerability disclosure and cyber incident responses. BIS also is amending 5A004 for systems, equipment and components for defeating, weakening or bypassing information security, to link to items in the new 4A005.
  • Surveillance Items. BIS is amending ECCN 5A001, which regulates sensitive telecommunications infrastructure, with a new paragraph 5A001.j covering IP (internet protocol) network communications surveillance systems or equipment. Corresponding updates are being made to ECCNs 5B001 (test, inspection and production equipment), 5D001 (software) and 5E001 (technology) for items relating to the new 5A001.j.
  • Definitions. The terms “cyber incident response” and “vulnerability disclosure” are being added to the definitions section of the EAR at Part 772.
    • Cyber incident response means the process of exchanging necessary information on a cybersecurity incident with individuals or organizations responsible for conducting or coordinating remediation to address the cybersecurity incident.
    • Vulnerability disclosure means the process of identifying, reporting or communicating a vulnerability to, or analyzing a vulnerability with, individuals or organizations responsible for conducting or coordinating remediation for the purpose of resolving the vulnerability.
  • Exclusions from the New Controls:
    • Published Information. Software and technology that are in the public domain and that meet the requirements to be considered “published” information under 15 C.F.R. § 734.7 will remain not subject to the EAR and, thus, are excluded from these controls.
    • Encryption Controlled Items. When a cybersecurity item also incorporates information security functionality such that it is subject to the encryption controls in Category 5, Part 2 of the EAR, those encryption controls will prevail, provided the information security functionality remains present and usable within the cybersecurity end item or executable software. However, encryption controls do not take precedence for software source code or technology that implement functionality controlled elsewhere on the CCL, or for any item where the information security functionality is absent, removed or otherwise non-existent.
    • Surreptitious Listening Controls. Items already controlled for Surreptitious Listening (SL) reasons under another ECCN will continue to be classified under the relevant SL controlled ECCN.

New License Exception ACE

BIS is also establishing a new License Exception Authorized Cybersecurity Exports at § 740.22 of the EAR. This is an evident response to the industry criticism in 2015, as BIS stated its intention behind ACE is to “avoid impeding legitimate cybersecurity research and incident response activities.” The exception begins with definitions of the following terms, for specific use within the context of the ACE exception: “cybersecurity items,” “digital artifacts,” “favorable treatment cybersecurity end user” and “government end user.”

Note that similar terms are used elsewhere with different meaning in the EAR. For example, License Exception GOV at § 740.11 of the EAR for exports to government end users and License Exception ENC at § 740.17 of the EAR for encryption exports both define the concept of a government end user differently. License Exception ACE takes a broader view of that term, covering traditional governmental functions, as well as government operated research institutions, entities and individuals who are acting on behalf of a government, and private sector entities such as retail or wholesale firms engaged in the manufacture, distribution or provision of defense articles or services.

As explained by BIS, License Exception ACE allows the export, reexport and transfer (in country) of cybersecurity items to most destinations, except to regions subject to trade embargoes. The exception also takes a restrictive approach to national security concern countries such as China and Russia. In particular, ACE does not authorize exports to government end users in Country Groups D:1, D:2, D:3, D:4 or D:5, or to non-government end users in Country Group D:1 or D:5. However, BIS did include relief for certain exports to Country Group D countries that are also listed in the close-ally Country Group A:6, specifically Cyprus, Israel and Taiwan. In addition, License Exception ACE will not permit end uses where the exporter has reason to know the cybersecurity item “will be used to affect the confidentiality, integrity or availability of information or information systems.”

Comments Welcome Until December 6, 2021

Although BIS asserts that it has appropriately tailored the new controls for narrow impact, it is delaying the effective date to hear from industry. Specifically, BIS seeks comments to “ensure full consideration of the potential impact of this rule, including comments on the potential cost of complying … and any impacts this rule has on legitimate cybersecurity activities.”

As companies consider whether to submit comments, they should evaluate the impact of these controls on their business operations, whether there are more effective ways to draw lines around controlled products, and whether they can propose more accurate definitions that reflect industry understanding of the terminology used in the rule.

Questions? Please contact Melissa Duffy, Jim Koenig, Tyler Newby, David Feder, Jean Chang or any member of Fenwick’s Trade Regulatory Group and/or Privacy & Cybersecurity Practice.