BIS Rolls Out New Export Controls on Cybersecurity Items Used in Surveillance of Private Citizens and Other Malicious Cyber Activities

On October 21, 2021, the Bureau of Industry and Security (BIS) published an Interim Final Rule with a Request for Public Comments establishing new export controls on cybersecurity items under the Export Administration Regulations (EAR), as well as new License Exception Authorized Cybersecurity Exports (ACE). BIS is also seeking comments about the impact of the rule on U.S. industry. Items that are subject to the new rule are said to warrant such controls as they may be used for surveillance, espionage, or other actions that disrupt, deny or degrade networks or devices on them. Public comments may be submitted for consideration no later than December 6, 2021, and the Interim Final Rule is slated to take effect on January 19, 2022. See 86 Federal Register 58205.

Background

In 2013, the Wassenaar Arrangement, a multilateral export control regime to which the United States belongs, added cybersecurity items to the Wassenaar Arrangement List (WA List). BIS previously published a proposed rule describing how these new controls would be implemented in the EAR, and received almost 300 public comments that raised concerns about the proposed rule’s scope and impact on legitimate research and incident response activities. As a result, the United States returned to the Wassenaar Arrangement and successfully negotiated changes to the WA List, which were adopted at the international level in 2017.

Summary of the BIS Interim Final Rule

The Interim Final Rule published by BIS on October 21st implements the Wassenaar Arrangement’s 2017 decisions and creates new License Exception Authorized Cybersecurity Exports (ACE), as summarized in greater detail below:

• New ECCNs 4A005 and 4D004 were added to the Commerce Control List (CCL), as well as a new paragraph to ECCN 4E001.c. The existing definition for “intrusion software” found in 15 C.F.R. Section 772.1 of the EAR was made applicable to the new ECCNs.
• BIS added paragraph 5A001.j (“IP network communications surveillance systems or equipment”) to ECCN 5A001. ECCN 5A001.j is eligible for new License Exception ACE, but not for License Exceptions GBS and LVS. License Exception STA was revised to remove eligibility for such items destined to countries in Country Groups A:5 and A:6.
• Where there is overlap in classification with Category 5/Part 2 Information Security items (i.e., a cybersecurity item also incorporates information security functionality specified in ECCNs 5A002.a, 5A004.a, 5A004.b, 5D002.c.1, or 5D002.c.3), the Category 5/Part 2 ECCNs will prevail provided that the controlled information security functionality remains present and usable within the cybersecurity end item or executable software.
• All items subject to the EAR that are already controlled for Surreptitious Listening (SL) reasons will continue to be classified under the SL ECCNs.
• New License Exception ACE in Section 740.22 of the EAR was added to avoid impeding legitimate cybersecurity research and incident response activities. License Exception ACE provides definitions for cybersecurity items, digital artifacts, favorable treatment cybersecurity end user, and government end user for the purpose of Section 740.22 only. License Exception ACE allows the export, reexport and in-country transfer of cybersecurity items to most destinations without a BIS license with certain exceptions and exclusions. Specifically, License Exception ACE cannot be used for exports, reexports or in-country transfers:

1. (a) to destinations listed in Country Groups E:1 and E:2;
2. (b) to government end users (as that term is defined in Section 740.22) in countries listed in Country Group D:1 – D:5 (with certain exceptions);
3. (c) to non-government end users in countries listed in Country Group D:1 or D:5 (with certain exceptions); or,
4. (d) where the exporter, reexporter or transferor knows or has reason to know that the cybersecurity item will be used to affect the confidentiality, integrity or availability of information or information systems without authorization by the owner, operator or administrator of the information system.

In a press release published on October 20th, the Department of Commerce noted that the U.S. Government opposes the misuse of technology to abuse human rights or conduct other malicious cyber activities, and that the new EAR rules are intended to ensure that U.S. companies are not contributing to authoritarian practices in other countries. The Department of Commerce also urged U.S. exporters to consult the State Department’s Guidance on Implementing the “UN Guiding Principles” for Transactions Linked to Foreign Government End Users for Products or Services with Surveillance Capabilities, which was published in 2020 and is available on the State Department’s website.


Please contact Melissa Proctor (melissa@millerproctorlaw.com) should you have any questions about BIS’ Interim Final Rule, U.S. export controls, or other international trade issues.