On October 21, 2021, the Department of Commerce's Bureau of Industry and Security (BIS) published its long-awaited Interim Final Rule establishing export controls for tools and related technology that can be used for hacking and other malicious activities. The Interim Final Rule effectively requires licenses for the export, reexport, and in-country transfer of certain "cybersecurity items" to more than 40 countries, including China and Russia, depending on the specific items, recipients, and anticipated uses.
The rule prohibits all export, reexport, and in-country transfer of cybersecurity items to any parties in Cuba, Iran, North Korea, and Syria, and in any circumstance where there is knowledge or reason to know that the cybersecurity item "will be used to affect the confidentiality, integrity or availability of information or information systems" without authorization from the owner, operator, or administrator of the information system.
This past Friday, November 12, 2021, BIS released a Frequently Asked Questions document to provide guidance on the Interim Final Rule, including various examples of scenarios subject to and excluded from the new controls.
The Interim Final Rule defines "cybersecurity items" to include:
- Systems, equipment, software, and other technology specially designed or modified to develop, generate, command and control, or deliver "intrusion software";
- "IP [Internet Protocol] network communications surveillance systems or equipment" that meet specified criteria, including the ability to capture and analyze application data (e.g., email messages, attachments, video files, and the contents of web traffic, rather than simply metadata); and
- Other related items, software, and technology, as specified in new and revised Export Control Classification Numbers (ECCNs).
The rule provides several carve-outs for certain legitimate cybersecurity technologies and activities, including those related to "vulnerability disclosure," "cyber incident response," and "software specially designed and limited to providing basic updates and upgrades," as defined in the new rule, and for certain legitimate network monitoring tools.
The new controls come amidst a multi-agency effort by the U.S. government to combat ransomware, state-sponsored hacking, and other cybersecurity threats that frequently originate overseas. However, the Interim Final Rule has been a long time in the making.
The rule implements restrictions on "intrusion software" in the multilateral Wassenaar Arrangement (WA), an arms control agreement with 42 countries. Those restrictions initially were added to the WA in 2013, and BIS published a proposed rule to implement those restrictions in 2015.
However, after BIS received significant negative feedback on the proposed rule, including that the proposed rule could significantly hamper legitimate cybersecurity transactions and research, the United States renegotiated the WA controls in 2016 and 2017. The Interim Final Rule implements the WA as amended in 2017 and purports to be narrower, less burdensome, and more permissive of legitimate cybersecurity research than the original 2015 proposal.
BIS is soliciting input on the Interim Final Rule until December 6, 2021, and the Rule will be effective January 19, 2022. If BIS determines that revisions to the Interim Final Rule are necessary upon review of comments received, BIS may issue corrections to the Rule prior to the effective date.
Businesses and individuals affected by these new export controls should review the Interim Final Rule and related FAQs carefully. The new controls are especially likely to affect those in the cybersecurity industry, including developers of cybersecurity software and hardware, forensic investigators, penetration testers, and security researchers, and may lead to significant increases in compliance costs and enforcement risks.
Changes to the Export Administration Regulations
The Interim Final Rule adds new terms, control categories, and a new license exception to the Export Administration Regulations (EAR), all of which pertain to "cybersecurity items."1 While the export restrictions imposed by the Interim Final Rule broadly apply to export, reexport, and in-country transfer for all countries except Canada, the rule's new license exception, Authorized Cybersecurity Exports (License Exception ACE), exempts numerous destinations and end users from export license requirements.
As a result of License Exception ACE, export license requirements for cybersecurity items have increased only moderately. Even so, the exception is complex, and companies should not assume it applies to all their activities simply because it is broadly applicable. The Interim Final Rule likely will require additional analysis and recordkeeping for covered activities compared to past business practices.
New and Amended ECCNs
The Interim Final Rule adds two completely new ECCNs to Category 4 ("Computers") of the Commerce Control List (CCL) and adds new sections to existing ECCNs within Category 4 and Category 5 ("Telecommunications and Information Security"). "Cybersecurity items" controlled by these ECCNs for National Security (Column 1) reasons will require a license for export anywhere other than to Canada, unless License Exception ACE or another license exception applies to the export.
- New ECCN 4A005 controls "'Systems,' 'equipment,' and 'components' therefor, 'specially designed' or modified for the generation, command and control, or delivery of 'intrusion software.'"2 Items captured by 4A005 are controlled for National Security (Column 1) and Anti-Terrorism (Column 1) reasons.3
- New ECCN 4D004 controls software "'specially designed' or modified for the generation, command and control, or delivery of 'intrusion software.'" This software is controlled for National Security (Column 1) and Anti-Terrorism (Column 1) reasons.
- Existing ECCN 4E001.a captures technology for the "'development', 'production', or 'use' of equipment or 'software'" controlled by the new 4A005 and 4D004, while the new ECCN 4E001.c is specific to technology "for the 'development' of 'intrusion software.'" Technology meeting the definitions of "vulnerability disclosure"4 or "cyber incident response"5 is excluded from these two controls by Note 1 to ECCN 4E001. Like the new ECCNs 4A005 and 4D004, 4E001.c technology is controlled for National Security (Column 1) and Anti-Terrorism (Column 1) reasons.
- The new ECCN subsection 5A001.j captures "IP network communications surveillance systems or equipment, and 'specially designed' components therefor" if they meet all of a list of specifications and do so "on a carrier class IP network (e.g., national grade IP backbone)." The captured specifications include conducting "[a]nalysis at the application layer…," extracting "selected metadata and application content (e.g., voice, video, messages, attachments)," "indexing of extracted data," plus being "specially designed" to "execut[e] searches on the basis of 'hard selectors'" and map "the relational network of an individual or of a group of people."
Excluded from the new control are systems and equipment that otherwise meet these qualifications but that are "specially designed" for marketing purposes, Network Quality of Service, or Quality of Experience. ECCN 5A001.j items are controlled for National Security (Column 2) and Anti-Terrorism (Column 1) reasons.
License Exception ACE
BIS established a new license exception, License Exception ACE, "to avoid impeding legitimate cybersecurity research and incident response activities." This License Exception allows the export, reexport, and transfer (in-country) of controlled cybersecurity items to most destinations (not including Cuba, Iran, North Korea, and Syria), depending on the nature of the specific item, the identity of the end user, and the anticipated end use.
Key components of this License Exception include the following:
- Government vs Non-Government End Users
Similar to the existing License Exception ENC (pertaining to encryption commodities, software, and technology), License Exception ACE distinguishes between government and non-government end users.
- The License Exception ACE definition of government end users is expansive, including national, regional, and local government agencies, as well as "retail or wholesale firms engaged in the manufacture, distribution, or provision of items or services, controlled on the Wassenaar Arrangement Munitions List." Government end users in the 48 countries included in the EAR's Country Group D (subgroups D:1, D:2, D:3, D:4, and D:5)6—which include countries such as Bahrain, China, Egypt, Georgia, Qatar, Russia, Saudi Arabia, and Vietnam—remain subject to licensing requirements, subject to narrow carve-outs.
- Non-government end users in countries within a subset of Country Group D also remain subject to licensing requirements, but the pool of restricted countries for such end users is 11 countries smaller. License Exception ACE allows exports of "cybersecurity items" to non-government end users (but not to government end users) in Bahrain, Egypt, Israel, Jordan, Kuwait, Oman, Pakistan, Qatar, Saudi Arabia, Taiwan, and the United Arab Emirates (i.e., subgroups D:2, D:3, and/or D:4 only). Unless they qualify as "favorable treatment cybersecurity end users" (see below), non-government end users in the remaining 37 Country Group D countries (subgroups D:1 and/or D:5) are presumptively subject to license requirements for transfers of many "cybersecurity items."
- Cyprus, Israel, and Taiwan are all covered under Country Group D, but exports to both government and non-government end users in these countries qualify for different treatment than the rest of Country Group D in defined scenarios. For example, exports to "national computer security incident response teams" in Cyprus, Israel, and Taiwan are allowed under License Exception ACE when the export is conducted "for purposes of responding to cybersecurity incidents." (The term "national computer security incident response teams" is not defined in the EAR, the Interim Final Rule, or the FAQs.)
- "Favorable Treatment" End Users
Certain types of end users, such as financial service providers, insurance companies, and civil health and medical institutions, along with qualifying foreign subsidiaries of U.S. companies, are considered "favorable treatment cybersecurity end users" under the new exception. Exporters may be able to use License Exception ACE for some exports to "favorable treatment" end users even when the end users are located in otherwise restricted countries.
- Deemed Exports
Of particular interest for U.S. companies that employ non-U.S. persons as part of their cybersecurity teams, License Exception ACE extends to deemed exports.7 The deemed export allowance excludes Cuban, Iranian, North Korean, and Syrian nationals, and also excludes government end users and a subset of end uses.
- Knowledge of Malicious End Uses
Regardless of the end user, License Exception ACE is unavailable when the exporter knows or has reason to know that the controlled cybersecurity items "will be used to affect the confidentiality, integrity, or availability of information or information systems" without authorization.8
- Recordkeeping Requirements
Those availing themselves of License Exception ACE must comply with the EAR's general recordkeeping procedures, including by maintaining records sufficient to document that the items, end users and end uses qualify for the exception.9 Unlike some other EAR license exceptions, License Exception ACE does not provide for exception-specific recordkeeping requirements or requirements to notify and obtain acknowledgment from the prospective recipient regarding the parameters of the license exception.
Edits to Pre-existing ECCNs and Use of Pre-existing License Exceptions
In light of the new license exception, BIS made corresponding edits to several ECCNs and revised the applicability of pre-existing license exceptions. Many of these edits condition the use of License Exception ACE. Other changes render the license exceptions GOV (Governments, international organizations, international inspections under the Chemical Weapons Convention, and the International Space Station) and STA (Strategic Trade Authorization) unavailable for any cybersecurity items controlled in the applicable categories.
Changes to Pre-existing Controls
The Interim Final Rule and FAQs confirm that items previously subject to Category 5 ("Telecommunications and Information Security") that now appear to fall under the new Category 4 ("Computers") ECCNs remain controlled under Category 5 unless their encryption functionalities have been removed or securely disabled.10
However, in some scenarios an export could involve software controlled by both Categories, or, for instance, an export of Category 5 "information security" software could simultaneously involve an export of Category 4 "technology" for cybersecurity items, so exporters are advised to review all potentially applicable controls and license requirements with care.11 Similarly, items controlled for "Surreptitious Listening" (SL) reasons under pre-existing ECCNs remain subject to the SL controls rather than moving to any new cybersecurity ECCN that might appear to apply.
Inclusion of cybersecurity controls in the EAR gives the Departments of Justice and Commerce new enforcement tools for cybersecurity tools and activities that fall outside of, or in addition to, those subject to the International Traffic in Arms Regulations (ITAR). Civil penalties for violations of the EAR currently may be up to $308,901 per violation or twice the value of the transaction, whichever is greater.
Criminal penalties per violation may be up to nearly $1.2 million and/or 20 years imprisonment. Violations of the EAR can also result in denial of export privileges or other restrictions on future activities.
Businesses affected by the changes are well advised to analyze the Interim Final Rule with care and review relevant activities to confirm they understand the applicable export controls. To the extent the effect of the rule on operations is not clear, businesses are encouraged to submit comments to BIS by the December 6, 2021, deadline and consult with counsel.
DWT will continue to monitor U.S. government activities that impact companies' cybersecurity endeavors and export controls generally.
1 As set forth in the Interim Final Rule, "Cybersecurity Items are ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004), 4E001.c, 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)), and 5E001.a (for 5A001.j or 5D001.a (for 5A001.j))." (15 C.F.R. § 740.22(b)(1).)
2 "Intrusion software" is already a defined term in the EAR and covers "'Software' specially designed or modified to avoid detection by 'monitoring tools', or to defeat 'protective countermeasures', of a computer or network-capable device, and performing any of the following: (1) The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or (2) The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions." (15 C.F.R. § 772.1.) Quotation marks used to offset words or phrases within the EAR and ECCNs indicate defined terms; the corresponding definitions can be found within the EAR, sometimes in the same section or subsection, sometimes in the definition section at 15 CFR § 772.1. See 15 CFR § 774.1(d).
3 Exports to the Crimea Region of Ukraine are broadly restricted under 15 C.F.R. § 746.6 and related sanctions administered by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC). Section 746.6(c) permits exports under specific EAR license exceptions, but License Exception ACE is not listed. As a result, exports of cybersecurity items to the Crimea Region of Ukraine require submission of a license application to BIS.
4 "Vulnerability disclosure" means "the process of identifying, reporting, or communicating a vulnerability to, or analyzing a vulnerability with, individuals or organizations responsible for conducting or coordinating remediation for the purpose of resolving the vulnerability." (15 C.F.R. § 772.1.)
5 "Cyber incident response" means "the process of exchanging necessary information on a cybersecurity incident with individuals or organizations responsible for conducting or coordinating remediation to address the cybersecurity incident." (15 C.F.R. § 772.1)
6 See 15 CFR Supplement No. 1 to Part 740, https://www.bis.doc.gov/index.php/documents/regulation-docs/2255-supplement-no-1-to-part-740-country-groups-1/file.
7 A "deemed export" involves the release or other transfer of controlled "'technology' or source code (but not object code) to a foreign person in the United States." 15 CFR § 734.13(a)(2).
8 BIS's guidance on applying the EAR's knowledge standard is provided at 15 CFR Appendix Supplement No. 3 to Part 732.
9 The EAR's record retention requirements are detailed in 15 C.F.R. Part 762. Per section 762.6, records required to be kept by the EAR must be retained for five years.
10 See 15 C.F.R. Supplement No. 1 to Part 774, Note 3 to Category 4 (effective Jan. 19, 2022); FAQ 23.
11 See, e.g., FAQ 24 and FAQ 28.