On October 21, 2021, the Department of Commerce’s Bureau of Industry and Security (BIS) issued an interim final rule (the rule) implementing expanded export controls on cybersecurity items based on the belief that these items “could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it.” The new controls on cybersecurity items stem from the 2013 addition by the Wassenaar Arrangement[1] (WA) of cybersecurity items, including intrusion software, to Wassenaar’s list of controlled items. Public comments in 2015 indicating significant concerns over BIS’s implementation and scope of the proposed controls resulted in renegotiation of these controls at the WA’s 2017 meeting. Last week’s rule implements the WA 2017 controls. The rule is intended to prevent malicious “intrusion software” from being exported to certain countries of concern without a BIS license, not to hinder responses to cybersecurity flaws and incidents.
New Cybersecurity Related ECCNs
The rule creates new controls on hardware and software (ECCNs 4A005 and 4D004, respectively) specially designed or modified for the generation, command and control, or delivery of intrusion software. The EAR defines intrusion software as software specially designed or modified to avoid detection by monitoring tools[2] or to defeat protective countermeasures[3] of a computer or network-capable device (such as a mobile device or smart meter). Intrusion software either 1) extracts data or information (from the computer or network-capable device) or modifies system or user data, or 2) modifies the standard execution path of a program or process in order to allow the execution of externally provided instructions. According to the proposed rule, it does not include any of the following: hypervisors, debuggers or Software Reverse Engineering (SRE) tools; Digital Rights Management (DRM) software; or software designed to be installed by manufacturers, administrators, or users for the purposes of asset tracking or recovery.
The rule also adds paragraph 5A001.j, “IP network communications surveillance systems or equipment,” to ECCN 5A001, which is similar to controls on software that currently exist in ECCN 5D001.e.
Finally, the rule adds new controls (subcategories to ECCN 4E001) on technology related to these newly added items and technology for the development of intrusion software. The controls generally exclude information needed to respond to, rather than cause, a cybersecurity incident[4] or to disclose a vulnerability.[5]
New License Exception
The newly added ECCNs are controlled for national security (NS) reasons, which means that a license or license exception would be required to export the items to most destinations. The new rule establishes a new License Exception, Authorized Cybersecurity Exports (License Exception ACE or ACE), which according to BIS will “avoid impeding legitimate cybersecurity research and incident response activities.” License Exception ACE will allow the export of cybersecurity items to many destinations. For a detailed description of ACE eligibility, please see the table below. In addition to the country-based controls, License Exception ACE cannot be used when the exporter has reason to know that the item “will be used to affect the confidentiality, integrity or availability of information or information systems.”
Next Steps
Again, the rule is intended to prevent disruptive “intrusion software” from being exported to certain countries of concern without a BIS license, rather than to hinder responses to cybersecurity flaws and incidents. However, to the extent that the new controls are overly broad, the rule specifies that there is a 45-day comment period (ending December 6, 2021). Please contact us if you would like assistance determining how this rule could impact your business or with preparing or submitting comments. The rule will become effective 90 days from its publication in the Federal Register (January 19, 2022).
Wilson Sonsini will continue to monitor this matter and report on developments most applicable to our clients. For questions, please contact Josephine Aiello LeBeau, Anne Seymour, Jahna Hartwig, Kara McDonough, or other attorneys in Wilson Sonsini’s national security practice.
| Country Group | ACE Restrictions | Exception to restrictions |
| --- | --- | --- |
| B | None – May use ACE to these countries. | |
| D:1 | No government end-users; no non-government end-users | EXCEPTION: (1) Exports, reexports or transfers (in-country) of ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004) to ‘favorable treatment cybersecurity end users’, i.e., U.S. subsidiaries (a foreign branch or most foreign subsidiaries of U.S. companies), financial services providers, insurance companies, and civil health and medical institutions providing medical treatment or research; (2) “vulnerability disclosure” or “cyber incident response”; (3) Deemed exports |
| D:2 | No government end-users | EXCEPTION: Can use ACE for some exports to Israel* |
| D:3 | No government end-users | EXCEPTION: Can use ACE for some exports to Israel and Taiwan* |
| D:4 | No government end-users | EXCEPTION: Can use ACE for some exports to Israel* |
| D:5 | No government end-users; no non-government end-users | EXCEPTION: (1) Can use ACE for some exports to Cyprus*; (2) Exports, reexports or transfers (in-country) of ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004) to ‘favorable treatment cybersecurity end users’, i.e., U.S. subsidiaries (a foreign branch or most foreign subsidiaries of U.S. companies), financial services providers, insurance companies, and civil health and medical institutions providing medical treatment or research; (3) “vulnerability disclosure” or “cyber incident response”; (4) Deemed exports |
| E:1 | Cannot use ACE | |
| E:2 | Cannot use ACE | |
* May use ACE for: (1) ‘digital artifacts’ that are related to a cybersecurity incident involving information systems owned or operated by a ‘favorable treatment cybersecurity end user’; (2) exports to police or judicial bodies in Israel, Taiwan, and Cyprus for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents; (3) exports to national computer security incident response teams in Israel, Taiwan, and Cyprus of ‘cybersecurity items’ for purposes of responding to cybersecurity incidents, for purposes of ‘vulnerability disclosure,’ or for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents.
[1] The Wassenaar Arrangement is a voluntary export control regime whose 42 member states exchange information on transfers of, and maintain a multilateral control list of, conventional weapons and dual-use goods and technologies.
[2] Monitoring tools are defined as software or hardware that monitors system behaviors or processes running on a device. This includes antivirus (AV) products, endpoint security products, Personal Security Products (PSP), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), or firewalls.
[3] Protective countermeasures are defined as techniques designed to ensure the safe execution of code, such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), or sandboxing.
[4] Cyber incident response means the process of exchanging necessary information on a cybersecurity incident with individuals or organizations responsible for conducting or coordinating remediation to address the cybersecurity incident.
[5] Vulnerability disclosures include the process of identifying, reporting, or communicating a vulnerability to, or analyzing a vulnerability with, individuals or organizations responsible for conducting or coordinating remediation for the purpose of resolving the vulnerability.