In December 2013, members of the Wassenaar Arrangement, a group of 41 countries, which includes the United States, agreed to broaden its list of dual-use controls to include certain cybersecurity items. The new items added to the list include intrusion software and Internet Protocol (IP) network communications surveillance systems. The controls on these items are linked to a broad set of national and international policy interests that are shared by many, including economic and national security, data privacy and the promotion of international human rights. After lengthy interagency review involving the Department of Commerce Bureau of Industry and Security (BIS), the departments of Defense and State, and other unnamed agencies, the U.S. government, acting through BIS has now issued its proposed rules to implement these new dual-use controls.
If you are a company, organization, research center or other entity that develops cybersecurity technologies, or a company that might be using these technologies to safeguard your IP or international IT infrastructure, these proposed rules are likely to have a significant impact on your ability to export or otherwise share these technologies and related items to non-U.S. affiliates and clients, and with non-U.S. person employees and contractors.
BIS recognizes the potentially significant impact these new rules may have on some exporters and is specifically requesting information from those who will be most affected. If you know you will be affected by these rules, consider providing comments to BIS by the July 20, 2015, deadline and begin to plan around the new licensing requirements these proposed controls introduce. If you are unsure whether you might be impacted by these rules, take the time while the rules are pending to classify the information security and IT systems used by your organization.
New Definition = New Controls
BIS’s new cybersecurity controls add the Wassenaar Arrangement’s newly defined term “intrusion software” to the Export Administration Regulations (EAR).
Intrusion software is designed to avoid detection by monitoring tools, or to defeat the protective countermeasures of a computer or network-cable device such as a mobile device or smart meter, and which either extracts data or information from a computer or network-capable device, modifies system or user data, or modifies the standard execution path of a program or process in order to allow the execution of externally provided instructions.
BIS excludes from this definition several types of items, including hypervisors, debuggers or software reverse engineering tools; digital rights management software; and software designed to be installed by manufacturers, administrators or users for the purposes of asset tracking or recovery.
BIS uses the intrusion software and the related surveillance concepts to impose new licensing controls on each of the following types of items:
- systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software (new ECCN 4A005)
- software specially designed or modified for the development or production of such systems, equipment or components (amended ECCN 4D001)
- software specially designed for the generation, operation or delivery of, or communication with, intrusion software (new ECCN 4D004)
- technology required for the development of intrusion software (amended ECCN 4E001)
- IP network communications surveillance systems or equipment and test, inspection, production equipment, and specially designed components therefor, and development and production software and technology therefor (amended ECCN 5A001).
BIS refers to these collectively as cybersecurity items.
Cybersecurity Items and Other Information Security Controls
In one respect BIS’ proposed controls on cybersecurity items are similar to its controls on information security items. Currently, BIS’ controls on items with cryptographic, cryptoanalytic and other information security capabilities (hereinafter encryption controls) are unique because they effectively trump the classification-based controls placed on other items subject to the EAR. For example, avionics equipment would normally be classified under a Category 7 – Navigation and Avionics entry on the Commerce Control List (CCL). However, if the same avionics system uses encryption, BIS directs exporters to classify it instead under a Category 5, Part 2 – Telecommunications and Information Security entry. Similar to BIS’s encryption controls classifications, BIS intends its cybersecurity classifications and licensing regime to trump other CCL-based controls.
Unlike BIS’ encryption controls, however, BIS does not plan to provide exporters with a powerful license exception like the ENC license exception, which effectively eases licensing burdens on many exporters. Moreover, BIS’s proposed cybersecurity rules foreclose the possibility of using several other, commonly available license exceptions. The upshot is that BIS will require its prior authorization for almost every export, transfer and reexport of cybersecurity items.
For exports of cybersecurity items that also have encryption functionality, BIS’ new cybersecurity controls will impose a new burden. Although BIS intends its cybersecurity classification to trump the CCL’s encryption classification, BIS will still require exporters to complete encryption-related registration and review requirements for their products before they apply for a license to export. Even with BIS’s relatively quick license processing times, this added step will mean that exporters of previously unexported cybersecurity products with encryption functionality will need to build longer license preparation and BIS review times into their business plans.
BIS’s proposed licensing policy for cybersecurity items will evaluate license requests under its regional security (RS) policy, in addition to existing licensing policies. Without the availability of license exceptions, the RS policy controls will require BIS’s prior review and approval of almost every export, transfer and reexport transaction.
BIS’s case-by-case review will focus on whether a proposed export is contrary to U.S. national security or foreign policy interests. BIS specifically notes that these policy interests include the international promotion of human rights observance.
In its proposed rule, BIS announces its plan to review a subset of proposed cybersecurity exports more favorably. This subset includes exports to U.S. companies or subsidiaries, provided they are not located in either one of two sets of countries; exports destined to a newly defined group of nongovernment end users – “foreign commercial partners” when they are located in another subset of countries; and exports to government end users in Australia, Canada, New Zealand and the United Kingdom.
BIS also notes its policy of presumptive denial for any transactions involving rootkit or zero-day exploit capabilities. Rootkit technologies enable users to place processes and programs into software without detection. Zero-day exploits involve technology that targets unknown vulnerabilities in software.
To support its case-by-case analysis, BIS will require cybersecurity exporters to provide a letter of explanation with every license request, and applicants must agree to make available to BIS a copy of sections of source code and other software that implement or invoke the controlled cybersecurity functionality. For transactions involving foreign commercial partners, BIS will require applicants to explain how the proposed recipients meet its definition of a foreign-based nongovernmental end user that has a business need to share the applicant’s proprietary information and who have an established pattern of continuing or recurring contractual relations with the exporter. Applicants will also need to provide BIS with answers to several technical questions regarding the cybersecurity functionality of the item to be exported.
In addition to the longer time it will take to meet these license application requirements, exporters can reasonably expect longer review times and more follow-up from BIS licensing officers once their applications are filed.
BIS Request for Comments
Given the significant impact its proposed licensing regime would have on exporters of cybersecurity items, BIS has opened a comment period on the proposed rules. BIS is specifically interested in the following information from those who would be affected by the new regulations:
Specifically, BIS is asking those affected to answer the following questions:
1. How many additional license applications would your company be required to submit per year under the requirements of this Proposed Rule? If any, of those applications:
- How many additional applications would be for products that are currently eligible for license exceptions?
- How many additional applications would be for products that currently are classified EAR99?
2. How many deemed export, reexport or transfer (in-country) license applications would your company be required to submit per year under the requirements of this rule?
3. Would the rule have negative effects on your legitimate vulnerability research, audits, testing or screening and your company’s ability to protect your own or your client’s networks? If so, explain how.
4. How long would it take you to answer the questions in proposed paragraph (z) to Supplement No. 2 to part 748? Is this information you already have for your products?
Responses and other comments on the proposed rule will be accepted through July 20, 2015.
More details can be found in the Federal Register notice here.