BIS to Issue New Cybersecurity Export Controls
The Bureau of Industry and Security will issue new export controls on certain cybersecurity items and create a new license exception for those exports, BIS said in an interim final rule released Oct. 20. The rule, which will align U.S. cybersecurity restrictions with controls previously agreed to at the multilateral Wassenaar Arrangement, will establish more restrictions on certain items that can be used for “malicious cyber activities” by imposing a license requirement for shipments to certain countries, BIS said. The changes take effect Jan. 19, and BIS will accept public comments until Dec. 6.
The rule will establish new controls on cybersecurity items for National Security (NS) and Anti-terrorism (AT) reasons, BIS said, and create new License Exception Authorized Cybersecurity Exports (ACE), which authorizes the exports to “most destinations.” The exception will allow exports of certain “cybersecurity items” -- which BIS said includes goods controlled under more than 10 Export Control Classification Numbers -- except to destinations listed in Country Groups E:1 and E:2: Cuba, Iran, North Korea and Syria.
The exception also does not authorize exports for certain end-users, including government end-users in Country Groups D:1, D:2, D:3, D:4 or D:5 or a nongovernment end-user in Country Group D:1 or D:5. But the agency also listed certain exclusions, and will not impose a variety of end-user restrictions, including government-related controls, for certain exports to Country Group D countries that are also listed in Country Group A:6: Cyprus, Israel and Taiwan. BIS also lists other exclusions and end-use restrictions for the license exception, including one that would impose an end-use restriction when the exporter “has reason to know” the cybersecurity item “will be used to affect the confidentiality, integrity or availability of information or information systems.”
The new controls will help ensure U.S. companies are “not fueling authoritarian practices” by exporting sensitive technologies to human rights abusers, the Commerce Department said. The controls apply to a range of items that can be used “for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it,” BIS said.
The agency said it created a new license exception to “avoid impeding legitimate cybersecurity research and incident response activities.” The exception begins with a “definition section” that defines “cybersecurity items, digital artifacts, favorable treatment cybersecurity end user, and government end user.”
The new controls stem from a proposed rule issued by BIS in 2015, which sought industry feedback on new cybersecurity restrictions agreed to at Wassenaar. But BIS didn’t follow through on the restrictions after receiving nearly 300 comments that “revealed serious issues concerning [the] scope and implementation” of the controls from industry, academia and Congress.
Commenters said the controls were overly broad and imposed a heavy and unnecessary licensing burden on “legitimate transactions that contribute to cybersecurity.” They also said a proposed rule on technology for the development of “intrusion software” could “cripple legitimate cybersecurity research.” BIS renegotiated the controls at Wassenaar in 2016 and 2017 and said it addressed the commenters’ concerns, partly through License Exception ACE.
The rule “is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities,” Commerce Secretary Gina Raimondo said. She also said the U.S. is “committed” to working multilaterally to stop the spread of technologies that can be used for “malicious” cybersecurity activities and human rights abuses.
Although BIS believes the rule has “limited scope” and its impact will be minimal, it is delaying the effective date to hear from industry, lawmakers and the public. It said it’s specifically seeking comments on the cost of complying with the new controls and “any impacts this rule has on legitimate cybersecurity activities.”