Companies legitimately employing tools to test how vulnerable their computers and networks may be to cyber-attacks should take note of strict new export controls that may be on the horizon. Specifically, on May 20, 2015, the Commerce Department Bureau of Industry and Security (BIS) proposed to establish controls on the export of cybersecurity items, which would require a license for all countries except Canada and generally make license exceptions unavailable. Currently, certain of these items are controlled as encryption items because of their information security functionality, but exporters who believe their items are subject to the encryption controls should exercise caution, to avoid a situation in which they export and then learn after the fact that BIS actually believes the items are subject to the new cybersecurity controls. Comments to the proposed rule are due by July 2015, but it may prove difficult to strike the right balance between preventing cybersecurity items from falling into the wrong hands to conduct cyberattacks and allowing companies legitimate access to them so they can test their cyber defenses.
For more details on the proposed rule and its potential impacts, please see our recent cybersecurity client alert.