Init0

Tech News That Matters

Commerce Publishes Export Controls for Cybersecurity Intrusion and Surveillance Tools – JD Supra

On October 21, 2021, the Department of Commerce’s Bureau of Industry and Security (BIS) published its long-awaited Interim Final Rule establishing export controls for tools and related technology that can be used for hacking and other malicious activities. The Interim Final Rule effectively requires licenses for the export, reexport, and in-country transfer of certain “cybersecurity items” to more than 40 countries, including China and Russia, depending on the specific items, recipients, and anticipated uses.

The rule prohibits all export, reexport, and in-country transfer of cybersecurity items to any parties in Cuba, Iran, North Korea, and Syria, and in any circumstance where there is knowledge or reason to know that the cybersecurity item “will be used to affect the confidentiality, integrity or availability of information or information systems” without authorization from the owner, operator, or administrator of the information system.

This past Friday, November 12, 2021, BIS released a Frequently Asked Questions document to provide guidance on the Interim Final Rule, including various examples of scenarios subject to and excluded from the new controls.

The Interim Final Rule defines “cybersecurity items” to include:

  • Systems, equipment, software, and other technology specially designed or modified to develop, generate, command and control, or deliver “intrusion software”;
  • “IP [Internet Protocol] network communications surveillance systems or equipment” that meet specified criteria, including the ability to capture and analyze application data (e.g., email messages, attachments, video files, and the contents of web traffic, rather than simply metadata); and
  • Other related items, software, and technology, as specified in new and revised Export Control Classification Numbers (ECCNs).

The rule provides several carve-outs for certain legitimate cybersecurity technologies and activities, including those related to “vulnerability disclosure,” “cyber incident response,” and “software specially designed and limited to providing basic updates and upgrades,” as defined in the new rule, and for certain legitimate network monitoring tools.

The new controls come amidst a multi-agency effort by the U.S. government to combat ransomware, state-sponsored hacking, and other cybersecurity threats that frequently originate overseas. However, the Interim Final Rule has been a long time in the making.

The rule implements restrictions on “intrusion software” in the multilateral Wassenaar Arrangement (WA), an arms control agreement with 42 countries. Those restrictions initially were added to the WA in 2013, and BIS published a proposed rule to implement those restrictions in 2015.

However, after BIS received significant negative feedback on the proposed rule, including that the proposed rule could significantly hamper legitimate cybersecurity transactions and research, the United States renegotiated the WA controls in 2016 and 2017. The Interim Final Rule implements the WA as amended in 2017 and purports to be narrower, less …….

Source: https://www.jdsupra.com/legalnews/commerce-publishes-export-controls-for-1895620/