U.S. Department of Commerce Implements New Export Controls to Combat Malicious Cyber Activities
Key Points
- On March 7, 2022, new U.S. export controls applicable to “cybersecurity items” took effect based on an interim final rule published by BIS on October 21, 2021 (the “Cyber Rule”). The controls under the Cyber Rule are complex because they restrict exports intended for malicious cyber activities and to certain countries and governments, but broadly authorize exports involving legitimate cybersecurity activities, such as vulnerability disclosures, network testing and cyber incident response and investigation. As a result of the complexity of the new controls, BIS has published extensive FAQs.
- The Cyber Rule applies to items specially designed or modified for the generation, command and control, or delivery of “intrusion software,” as well as technology for the development of “intrusion software.” However, “intrusion software” itself is not controlled, and technology for the development of “intrusion software” is also not controlled when exported for “vulnerability disclosure” or “cyber incident response,” two newly defined terms in the EAR.
- The Cyber Rule builds on a prior BIS effort to control cybersecurity items, which generated significant pushback from industry based on the impact that such measures could have had on legitimate cybersecurity activities. In response to these concerns, and to limit the impact of the Cyber Rule on legitimate cybersecurity work, BIS created License Exception ACE, which broadly authorizes, among other things, exports related to “vulnerability disclosure” and “cyber incident response” to most destinations.
- The Cyber Rule also applies controls on equipment, software and technology that are intended for large-scale surveillance of national- or regional-level IP carrier networks. These surveillance items are highly specialized and must have specific capabilities to be controlled under the Cyber Rule. The availability of License Exception ACE is more limited for these surveillance items.
- License Exception ACE cannot be used if the exporter knows, or has reason to know, that the item will be used for malicious activity—specifically, that the item will be used to affect the confidentiality, integrity or availability of information or information systems without authorization by the owner, operator or administrator of the information system.
I. Background
In 2013, the Wassenaar Arrangement, a multilateral export control organization, added cybersecurity-related technologies and items to its control list. Normally, the Commerce Department’s Bureau of Industry and Security (BIS) implements controls agreed to at Wassenaar in the Export Administration Regulations (EAR) during the following year. In this case, however, BIS was concerned about the possible unintended impacts the new controls might have on legitimate cyber-defense-related work. Thus, in 2015, BIS broke with tradition, published a proposed rule on cybersecurity, and asked for industry comments on the potential impact of the rule.
In more than 300 public comments, companies, associations, academic institutions and other stakeholders argued that the new rule was too broad and would inadvertently undermine legitimate cybersecurity measures and activities. As a result, BIS returned to Wassenaar to renegotiate the controls in 2016 and 2017. The new Cyber Rule reflects BIS’s implementation of the results of Wassenaar’s 2017 decisions related to cybersecurity items and establishes new export controls on specific cybersecurity hardware, software and technology. To address concerns related to the potential impact on legitimate cybersecurity work, BIS has also created License Exception ACE (Authorized Cybersecurity Exports), a complex set of rules intended to authorize the export, reexport and transfer of most cybersecurity products to most end users.
II. Cybersecurity Items Caught by the New Controls
BIS defines “cybersecurity items” as the newly controlled equipment, software and technology described in Export Control Classification Numbers (ECCNs) in Category 4 and Category 5 of the Commerce Control List (CCL), specifically: ECCNs 4A005, 4D001.a, 4D004, 4E001.a, 4E001.c, 5A001.j, 5B001.a, 5D001.a, 5D001.c and 5E001.a. These new or expanded “Cybersecurity ECCNs” capture specific cybersecurity items described in the revised 2017 agreement amongst Wassenaar members.
Importantly, items classified under Category 5, Part 2 encryption items are not subject to the new controls. However, in transactions involving source code or other software or technology that may have both encryption capabilities and cybersecurity capabilities, a Cybersecurity ECCN may apply (e.g., intrusion-related source code that is unrelated to, or not yet integrated with, encryption-related source code).
Below is a summary of the items caught under these new and revised ECCNs. For the specific text of these ECCNs, see the reference chart here.
Category 4: Items Related to Intrusion Software (4A005, 4D001, 4D004 and 4E001)
The first group of Cybersecurity ECCNs relates to “intrusion software,” which is a term the EAR define as software “specially designed or modified to avoid detection by ‘monitoring tools’ [e.g., antivirus, intrusion detection/protection systems, and firewalls], or to defeat ‘protective countermeasures’ of a computer or network-capable device” while performing data extraction or modification.
The new Cybersecurity ECCNs capture:
- systems, equipment and components specially designed or modified for the generation, command and control, or delivery of intrusion software (4A005);
- software specially designed or modified for the generation, command and control, or delivery of intrusion software (4D004), or specially designed or modified for the development or production of hardware or software controlled by 4A005 and 4D004 (4D001.a); and
- technology for the development of intrusion software (4E001.c), or the development, production or use of the hardware or software described above (4E001.a).
These new or expanded ECCNs are controlled for National Security (NS) reasons under NS Column 1 and require a license to export to all destinations except Canada, unless a license exception is available.
Importantly, the new controls do not capture intrusion software itself, even if that intrusion software is also designed to generate, command and control, or deliver other intrusion software (as described in BIS FAQ #9). In addition, based on a note to ECCN 4E001, any technology for the development of intrusion software exported for the purposes of a “vulnerability disclosure” or “cyber incident response” (terms that are discussed in more detail below) is not controlled under 4E001.a or 4E001.c. Such items are EAR99 (see FAQ #10).
Category 5 Part 1: Items Related to IP Network Surveillance (5A001.j)
The Cyber Rule also amends CCL Category 5 to control certain IP network communications surveillance systems and equipment specified in new Cybersecurity ECCN 5A001.j. ECCN 5A001.j captures equipment that is specially designed to analyze, extract and index data on a carrier class IP network and to execute searches on the basis of hard selectors and map the relational network of an individual or of a group of people. BIS recently updated its FAQs to provide more detail on the type of equipment controlled under 5A001.j. In sum, ECCN 5A001.j applies to highly specialized, government-level surveillance systems and will likely only be relevant to governments and companies that may buy or sell such equipment (see BIS FAQ #5).
The Cyber Rule also controls software with the same functionality as the hardware captured in 5A001.j (5D001.c); related test, inspection, and production equipment and components (5B001.a); and software and technology for the development of such hardware and software (5D001.a; 5E001.a).
These ECCNs are also controlled for National Security reasons, but under NS Column 2, and will require an export license to all destinations except most Wassenaar members.
III. New Defined Terms: “Vulnerability Disclosure” and “Cyber Incident Response”
Both the Cybersecurity ECCNs themselves and License Exception ACE allow certain exports of cybersecurity items without a license if those exports are for “vulnerability disclosure” or “cyber incident response.” Both of these terms are now defined in the EAR.
Vulnerability Disclosure
The vulnerability disclosure process is essential to maintaining network security, and the new rule does not place license requirements on most vulnerability disclosure activities. “Vulnerability disclosure” is now defined as the “process of identifying, reporting, or communicating a vulnerability to, or analyzing a vulnerability with, individuals or organizations responsible for conducting or coordinating remediation for the purpose of resolving the vulnerability.” Technology that is exported to certain end users for vulnerability disclosure purposes is excluded from the scope of ECCN 4E001. License Exception ACE allows for additional exports for vulnerability disclosure purposes.
Third-party standards provide a useful parallel for understanding this new defined term. For example, under ISO/IEC standard 29147:2018, a “vulnerability disclosure” is a process that helps users perform technical vulnerability management. In this process, a vendor (i.e., an individual or organization that creates or provides software products) establishes procedures to (i) receive reports about vulnerabilities and acknowledge receipt; (ii) develop remediations (e.g., patches); and (iii) publish advisories including notice of a vulnerability to users and, if developed, a remediation. Similarly, we understand BIS’s definition of the vulnerability disclosure “process” to be broad enough to include all aspects of vulnerability disclosure, including, e.g., searching for, identifying, collaborating on, testing, analyzing, reporting, managing and remediating vulnerabilities.
Cyber Incident Response
Cyber Incident Response is also newly defined, and means the “process of exchanging necessary information on a cybersecurity incident with individuals or organizations responsible for conducting or coordinating remediation to address the cybersecurity incident.” As with vulnerability disclosures, exports for cybersecurity incident response purposes are excluded from the scope of ECCN 4E001, and License Exception ACE authorizes additional exports.
The definitions of both “cyber incident response” and “vulnerability disclosure” require that the response or disclosure be made to an individual or organization “responsible for conducting or coordinating remediation.” Per BIS FAQ #19, these individuals or organizations include but are not limited to:
- IT network systems administrators and chief information officer (CIO) / chief information security officer (CISO) staff;
- “bug bounty” organizations and organizers;
- Computer Security Incident Response Teams (CSIRTs) / Computer Emergency Readiness teams (CERTs) / enterprise Security Operations Centers (SOCs);
- enterprise “Blue Teams” and “Purple Teams;”
- Commercial Product Development groups, such as software developers and hardware engineers;
- Information System Security Officers (ISSOs) / Information System Security Managers (ISSMs); and
- cybersecurity standards organizations.
IV. New License Exception ACE (§740.22)
Cybersecurity items are subject to control for National Security (NS) reasons and, in some cases, Surreptitious Listening (SL) reasons. Items controlled for SL reasons require a license to export to all destinations, including Canada. However, in parallel with these new restrictions, the Cyber Rule creates License Exception ACE. ACE broadly authorizes the export, reexport and transfer of most cybersecurity items, subject to several specific restrictions. The intended purpose of License Exception ACE is to minimize the impact of the new controls on legitimate cybersecurity activities, such as incident response and cybersecurity research.
The provisions of License Exception ACE are different for the Category 4 and Category 5, Part 1 items. For Category 4 items, the structure of controls and license exceptions for encryption items and cybersecurity items is somewhat similar. A comparison is attached here.
The parameters of License Exception ACE are complex and should be reviewed carefully with trade compliance personnel or legal counsel. At a high level, for Category 4 “cybersecurity items,” License Exception ACE authorizes:
- all exports and deemed exports to countries other than those in Country Groups E and D; and
- the following for Country Group D countries:
  - certain exports and deemed exports to Government End Users in Country Group D countries that are also in Country Group A:6 (i.e., Cyprus, Israel and Taiwan);
  - deemed exports to individual non-government end users in D:1 or D:5 countries;
  - certain exports, including vulnerability disclosures and cyber incident responses, for non-government end users in country groups D:1 or D:5; and
  - exports and deemed exports to non-government end users in Country Groups D:2-D:4.
For such items, License Exception ACE does not authorize exports or deemed exports to Country Group E or Country Group E nationals.
License Exception ACE has its own local definition of the term “government end user” that exporters should review when determining the applicability of License Exception ACE to their transactions. Unlike the definition of “‘Government end user’ (as applied to encryption items)” in 15 CFR 772.1, the License Exception ACE definition of “government end user” includes individuals working on behalf of government agencies and entities, which may be relevant in assessing deemed export risks. This means that deemed export issues may be triggered if, for example, personnel employed by a Chinese state-owned entity have access to controlled cybersecurity source code or technology under the new classifications. BIS FAQ #25 illustrates this point by describing a corporate cybersecurity training attended by Country Group D:1 government officials.
If License Exception ACE does not apply to a particular transaction, other license exceptions may apply, such as License Exception GOV for exports to U.S. government agencies and personnel. BIS has decided, however, to make License Exception STA (Strategic Trade Authorization), and in some cases GBS (Group B Shipment), inapplicable to cybersecurity items.
The scope of License Exception ACE is narrower for the surveillance items newly controlled under Category 5, Part 1. For these cybersecurity items, License Exception ACE authorizes:
- all exports and deemed exports to countries other than those in Country Groups E and D;
- deemed exports to individual non-government end users in D:1 or D:5 countries; and
- exports and deemed exports to non-government end users in Country Groups D:2-D:4.
For these cybersecurity items, License Exception ACE does not authorize exports or deemed exports to:
- Country Group E countries; or
- government end users in Country Group D.
License Exception ACE does not apply to any cybersecurity item if the exporter knows or has reason to know that the cybersecurity item will be used to affect the confidentiality, integrity or availability of information or information systems, without authorization by the owner, operator or administrator of the information system.
Implications of Recent Actions
This new rule is the culmination of years of analysis and negotiation and introduces new, narrowly tailored restrictions. BIS designed the new controls to minimize disruptions to legitimate cybersecurity activities in response to prior concerns voiced by the public and private sector during the 2015 request for comments. Companies affected by these new rules should carefully study whether their cybersecurity operations involve newly restricted items and the applicability of License Exception ACE to their activities. These rules are among the most complicated provisions in the EAR. This is the natural result of the effort to control software and technology used in malicious cyber activities without controlling, for most end users, the software and technology necessary to identify and defend against such activities. The software and technology for each activity, malign and beneficial, are often the same.