The U.S. Commerce Department wants tighter controls on companies that sell hacking tools, which could be used for malicious purposes, to certain foreign governments without a license from the agency’s Bureau of Industry and Security (BIS).
A new interim rule, which will become effective in 90 days, would establish Commerce’s export governance over cybersecurity items used for national security and anti-terrorism and includes a licensing requirement for sales to certain countries of concern, including China and Russia. In the wrong hands, “these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it,” the interim rule reads. The control also applies to unencrypted products. BIS will vet all end users before granting a license.
The rule’s wording, which has been repeatedly refined since 2015, is still a bit complicated. It will require U.S. companies selling hacking software and equipment to obtain a license from BIS to sell such technologies to countries that raise eyebrows over “national security or weapons of mass destruction” as well as those that could use them for espionage or other malicious purposes. It would also extend to countries under U.S. arms embargo.
For the most part, license exceptions would allow the export, reexport and intra-country transfer of cybersecurity items other than to countries of concern. Restricted end users subject to the interim rule include those working for the governments of countries of concern. Licensing would also be required for those exporting, reexporting or conducting intra-country transfers who are aware the technology will be used for nefarious purposes.
The new rules will help ensure that U.S. companies are not inadvertently fueling authoritarian practices, said Commerce Secretary Gina Raimondo. “The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights,” she said. “The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities.”
Earlier proposals were criticized for being overly broad, capturing more than was intended, and not accurately describing the items intended for control. The rule as previously written placed a license burden on legitimate transactions that contribute to cybersecurity and could impair cybersecurity research, according to prior public comments.
The interim rule brings the U.S. in line with 42 other member countries operating under the Wassenaar Arrangement, in which most nations have voluntarily adhered to export controls on the sale of cybersecurity tools. Russia is a Wassenaar member but China is not.
Commerce said that the revised rule maps to a review from Congressional members, the private sector, academia, civil society and other stakeholders. BIS said it has received some 300 comments on the proposed rule.
“The rationale is these are items that can be misused to abuse human rights, to track and identify dissidents or disrupt networks or communications, but they also have very legitimate cybersecurity uses,” a senior Commerce official told the Washington Post. “So what the rule does is restrict these exports to the problematic countries.”