Commerce Imposes New Export Controls on Cybersecurity Items and Adds a Corresponding License Exception

On October 21, 2021, the U.S. Department of Commerce, Bureau of Industry and Security (BIS) announced an interim final rule (Interim Rule), which will amend the Export Administration Regulations (EAR) to add controls for the export, reexport and transfer of certain cybersecurity exploitation, intrusion and monitoring tools. The Interim Rule also creates a new License Exception “Authorized Cybersecurity Exports (ACE)” that authorizes certain exports, reexports and transfers of cybersecurity items, as described in more detail below. The Interim Rule will be made effective 90 days after publication, on January 19, 2022.

This Interim Rule implements multilateral controls over cybersecurity hardware and software originally added by the Wassenaar Arrangement in 2013 and subsequently modified. BIS originally proposed to implement controls over these types of items in 2015 but then held back after receiving hundreds of comments expressing concern that the control parameters—including the definition of “intrusion software”—were overly broad.

Cybersecurity Items
The Interim Rule adds several new export control classification numbers (ECCNs) to the Commerce Control List (CCL) that incorporate national security (NS) and antiterrorism (AT) controls for “cybersecurity items.” Effectively this means that an EAR license or license exception would be required for exports and reexports of such items to most jurisdictions.

  • In particular, the Interim Rule adds ECCNs 4A005 and 4D004 and a new paragraph 4E001.c, covering commodities, software and technology relating to the “generation, command and control or delivery of ‘intrusion software.’” The EAR already define “intrusion software” as the following:

Software specially designed or modified to avoid detection by “monitoring tools,” or to defeat “protective countermeasures,” of a computer or network-capable device, and performing any of the following:

(1) The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or

(2) The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

The new ECCNs contain certain exclusions from control: software specially designed and limited to providing basic updates and upgrades is not controlled, and neither is technology for vulnerability disclosure or cyber incident response.

  • The Interim Rule also adds “IP network communications surveillance systems or equipment” to the CCL under ECCN 5A001.j.

The items above, together with related software and technology for the development, production or use of such items, are defined as “cybersecurity items,” and are potentially eligible for export to most destinations under License Exception ACE.

Note that items that are already subject to EAR surreptitious listening (SL) controls will continue to be controlled under that ECCN. Similarly, if an item is controlled due to “information security” encryption functionality specified in Category 5, Part 2 of the CCL, it would remain controlled under those ECCNs. These items would not be eligible for the new License Exception ACE.

License Exception Authorized Cybersecurity Exports (ACE)
The Interim Rule also creates a new License Exception ACE, which authorizes certain exports, reexports, and transfers of cybersecurity items. Similar to the existing License Exception ENC for encryption items, License Exception ACE is complex and generally should be reviewed on a context-specific basis.

Destinations and End Users. License Exception ACE would generally authorize the export, reexport and transfer of cybersecurity items to most destinations, except for:

  • Antiterrorism Destinations. Destinations listed in Country Groups E:1 and E:2 (i.e., Cuba, Iran, North Korea and Syria).
  • Group D Government End Users. Government end users in Country Groups D:1, D:2, D:3, D:4 or D:5. This restriction does not apply to the following exports, reexports and transfers to Country Group D countries that are also listed in Country Group A:6 (i.e., Cyprus, Israel and Taiwan):
    • exports, reexports, and transfers of “digital artifacts” related to a cybersecurity incident that (i) involve information systems owned or operated by a “favorable treatment cybersecurity end user” or (ii) are for police or judicial bodies; or
    • exports, reexports, and transfers to national computer security incident response teams for purposes of responding to cybersecurity incidents, vulnerability disclosure, or criminal investigations and prosecutions.
  • Group D:1 and D:5 Non-Government End Users. Non-government end users in Country Groups D:1 or D:5, with exclusions for “favorable treatment cybersecurity end users,” vulnerability disclosures, cyber incident responses, or deemed exports to nationals of Country Groups D:1 or D:5.

The Interim Rule defines “favorable treatment cybersecurity end users” as U.S. subsidiaries (i.e., a foreign branch or most foreign subsidiaries of U.S. companies), financial services providers, insurance companies, and civil health and medical institutions providing medical treatment or research.

Accordingly, License Exception ACE could authorize exports to government end users in Cyprus, Israel and Taiwan only for the limited purposes discussed above, and would not authorize exports to government end users in other Group D countries (such as China, Russia, Saudi Arabia and the UAE), full stop. Additionally, non-government end users in China and Russia will not generally be eligible for License Exception ACE, subject to the carve-outs discussed above. License Exception ACE may be used for deemed exports to non-governmental nationals of any country other than antiterrorism destinations.

End Use Restrictions. License Exception ACE is not authorized if the exporter, reexporter or transferor has knowledge or reason to know that the cybersecurity item will be used to affect the confidentiality, integrity, or availability of information or information systems without authorization by the owner, operator or administrator of the information system.

BIS seeks comments to understand the impact of the Interim Rule, particularly the cost of compliance with the Interim Rule and the impact it has on legitimate cybersecurity items. Comments are due 45 days after publication, by December 6, 2021.