After several years of foreign and domestic negotiations surrounding controls on intrusion software, the U.S. Department of Commerce’s Bureau of Industry & Security (BIS) published an interim final rule on October 21, 2021, amending the Export Administration Regulations (EAR) and creating new licensing requirements for the export or transfer of cybersecurity items to non‑U.S. persons. Although intended to target and restrict malicious cyber activities, the new rule has significant implications for and adds considerable complexity to the broader cybersecurity community.
The rule is the Biden administration’s latest effort to curb the dissemination and use of cyber intrusion tools in a manner contrary to U.S. national security. The comment period on the interim final rule ends December 6, 2021, and the rule is scheduled to become final on January 19, 2022.
The interim final rule is a result of years of evolving cybersecurity foreign policy. The United States is a member of the Wassenaar Arrangement (WA)—a multinational regime that seeks to establish common control policies on dual-use goods and technologies to be adopted by member countries.
In 2013, after more than a decade of rising concerns surrounding the malicious use of cyber technologies, WA added cybersecurity items to its list of controlled items. When BIS issued a proposed rule in 2015 to implement the new controls, it received widespread public criticism regarding the proposed rule’s scope and potential to hamper legitimate cybersecurity research and development. These concerns prompted BIS to abandon the proposed rule and renegotiate the controls within the WA, which resulted in changes to the WA decision, published in 2017. The new rule seeks to implement the revised WA controls, as well as address certain human rights concerns, which the United States has prioritized in recent guidance, statutory mandates, and notable enforcement actions from the Biden administration.
The interim final rule is focused on hardware, software, and technology (collectively referred to in the EAR as “items”) with cybersecurity functionality. Cybersecurity items are broadly defined, and thus impose compliance obligations on a wide range of legitimate cybersecurity activities. Parties transferring to a non-U.S. person a cybersecurity item that meets the definition would need a license for many destinations, absent a license exception. Under the EAR’s “deemed export” rule, the disclosure of controlled cybersecurity technology to a foreign national, including those in the United States, is an export to that person’s country of nationality.
“Cybersecurity items” under the new rule include:
“Intrusion software” refers to software that can avoid or defeat network-device monitoring tools and protective countermeasures, and can either extract or modify data or modify a program to allow for externally provided instructions.
There are, however, notable limits on the scope of covered cybersecurity items. The license requirements for cybersecurity items do not apply to software specially designed and limited to providing basic updates and upgrades. Nor do the requirements apply to “vulnerability disclosure” or “cyber incident response” technology controlled by or for the development of intrusion software. Additionally, IP network communications surveillance systems or equipment do not include those that are specially designed for marketing purposes, quality of service (QoS), or quality of experience (QoE).
Existing principles and rules under the EAR also limit the scope of the new rule’s controls. Notably, controlled cybersecurity items do not include:
License exceptions are authorizations that allow the export or reexport of EAR items under the stated conditions of the exception. License exception ACE would authorize the transfer, including deemed exports and reexports, of cybersecurity items without a license to most destinations. The exception does not apply to certain transfers, including those to: (1) prohibited countries, (2) certain government and non-government end-users, and (3) known malicious end-users. The policy behind license exception ACE is to avoid impeding legitimate cybersecurity research and incident response activities while still preventing cybersecurity items from falling into the wrong hands.
Like other license exceptions under the EAR, license exception ACE is unavailable to parties in Country Group E: Cuba, Iran, North Korea, and Syria. Exports, reexports, and transfers to sanctioned countries are prohibited regardless of the end-user.
The license exception ACE distinguishes between government and non-government end users.
Government end-users: Subject to certain specific exceptions, license exception ACE is generally unavailable to “government end-users”—as the EAR defines that term—in Country Group D, which includes nearly 50 countries (including China and Russia).
Non-government end-users: License exception ACE is also not generally available to non‑government end-users located in the countries listed in Country Groups D:1 or D:5 (Restricted Countries), such as China, Iraq, Lebanon, and Russia. Note that for non-government end-users in Country Group D, but not listed under D:1 or D:5—which currently includes Bahrain, Egypt, Israel, Jordan, Kuwait, Oman, Pakistan, Qatar, Saudi Arabia, Taiwan, and the UAE—the license exception may still apply to non-government end-users.
License exception ACE does not apply where the exporter, reexporter, or transferor knows or has reason to know that the cybersecurity item will be used in a malicious manner. This includes the use of a cybersecurity item in a way that affects the confidentiality, integrity, or availability of information or information systems, without authorization by the owner, operator, or administrator of the information system. For these reasons, parties must prudently assess cybersecurity item recipients before relying on license exception ACE. For covered items, this will include integrating this rule into companies’ existing Know-Your-Customer and end-use checks.
The interim final rule reflects the U.S. government’s concern over the export of cybersecurity technology and continued efforts to halt malicious cyber activities. At the same time, the U.S. government recognizes the need for companies to continue to trade and develop in this space, as reflected in the exceptions to the rule and the scope of license exception ACE.
The Biden administration has been particularly focused on the use and proliferation of intrusion software. In September 2021, the DOJ announced the resolution of criminal charges against former U.S. military and intelligence professionals who used their cyber training and experience to assist a foreign government’s intelligence collection operations. Principal Associate Deputy Attorney General John Carlin also recently highlighted the DOJ’s heightened focus on sanctions and export control-related actions.
Given the complexity of the rule, parties engaged in the export or transfer of software and technology must carefully review its scope. Companies active in this space should consider submitting comments on the rule before the December 6, 2021, deadline and undertake a review of their products and technologies against the functionality of the new cybersecurity ECCNs to determine the extent to which their items may be covered.
Mitchell Feldman, a law clerk in Morrison & Foerster LLP’s Litigation group, and Julia Searby, a paralegal in Morrison & Foerster LLP’s National Security group, contributed to this alert.