On May 20, 2015, the Department of Commerce’s Bureau of Industry and Security (BIS) published a proposed rule imposing strict controls on exports of certain intrusion and surveillance (or “cybersecurity”) items. The proposed amendments to the Export Administration Regulations (EAR) are intended to implement agreements made in December 2013 by the Wassenaar Arrangement, a group of countries committed to promoting transparency and responsibility in transfers of arms and dual-use goods and technologies.
BIS proposes adding new controls in Category 4 of the EAR’s Commerce Control List (CCL) to cover hardware and software (along with related technology) specially designed or modified for the generation, operation, or delivery of, or communication with, intrusion software. These controls would cover, for example, network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable products (e.g., mobile devices and smart meters). BIS also plans to add new controls in Category 5, Part 1 of the CCL to cover Internet Protocol (IP) network communications surveillance items that meet certain specified criteria. This move is designed to address the heightened sensitivity surrounding network communication traffic analysis systems that intercept and analyze messages.
A license will be required for exports, reexports, and in-country transfers of cybersecurity items to all destinations except Canada. Further, no license exceptions will be available except for exports to or on behalf of the U.S. government (License Exception GOV). As such, this proposed rule marks a stark departure from several recent export control amendments that loosened existing restrictions on U.S. exports.
Industry members are encouraged to submit comments on the proposed rule, which are due by July 20, 2015. BIS has expressed particular interest in comments addressing the number of additional license applications companies will be required to submit, including for products that are currently eligible for license exceptions and products that are currently classified as EAR99. BIS also wants to hear about any negative effects that this rule may have on legitimate vulnerability research, audits, testing, or screening, as well as any potential threats posed by the proposed rule to industry’s ability to protect networks.