The Department of Commerce’s Bureau of Industry and Security (BIS) recently issued policy guidance on its broad (and somewhat controversial) new proposed rule, which would impose strict controls on exports of certain intrusion and surveillance (or “cybersecurity”) items. The proposed amendments to the Export Administration Regulations (EAR) will add new controls covering hardware and software (along with related technology) specially designed or modified for the generation, operation, or delivery of, or communication with, intrusion software, along with Internet Protocol (IP) network communications surveillance items that meet certain specified criteria.
BIS’s policy guidance clarifies several key issues. For example, while the proposed rule is intended to control items related to intrusion software, otherwise known as “malware” or “exploits,” it will not actually control any intrusion software itself. Nor does the rule purport to control “hacking.” In addition, apart from certain penetration testing items marketed as defensive products, BIS is unaware of other defensive products that would be subject to the proposed rule. However, BIS has urged exporters to comment on this issue, particularly if they believe the new rule will inadvertently capture other legitimate, defensive network security products.
Among other topics, BIS’s guidance also clarifies that auto-updaters and anti-virus software will not be controlled by the proposed cybersecurity rule. While auto-updaters and anti-virus software may take steps to defeat protective countermeasures, these items are not generating, operating, delivering, or communicating with intrusion software, as required by the proposed rule. Further, although the proposed rule will control technology for the development of intrusion software and the development or production of command and delivery platforms, it will not control information regarding how to discover vulnerabilities in systems, the causes of vulnerabilities, or testing vulnerabilities.
Industry members are encouraged to submit comments to BIS on the proposed rule, including clarifications or changes that should be made to avoid inadvertently controlling items that do not pose national security or foreign policy concerns. Comments are due by July 20, 2015.