BIS Proposes Broad New Licensing Requirements for Exports Involving Cybersecurity Technology

May 22, 2015

BIS recognizes the potentially significant impact these new rules may have on some exporters and is specifically requesting information from those who will be most affected. If you know you will be affected by these rules, consider providing comments to BIS by the July 20, 2015, deadline and begin to plan around the new licensing requirements these proposed controls introduce. If you are unsure whether you might be impacted by these rules, take the time while the rules are pending to classify the information security and IT systems used by your organization.

New Definition = New Controls

BIS’s new cybersecurity controls add the Wassenaar Arrangement’s newly defined term “intrusion software” to the Export Administration Regulations (EAR).

Intrusion software is software designed to avoid detection by monitoring tools, or to defeat the protective countermeasures of a computer or network-capable device (such as a mobile device or smart meter), and that either extracts data or information from a computer or network-capable device, modifies system or user data, or modifies the standard execution path of a program or process in order to allow the execution of externally provided instructions.

BIS excludes from this definition several types of items, including hypervisors, debuggers or software reverse engineering tools; digital rights management software; and software designed to be installed by manufacturers, administrators or users for the purposes of asset tracking or recovery.

BIS uses the intrusion software definition and the related surveillance concepts to impose new licensing controls on each of the following types of items:

  • systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software (new ECCN 4A005)
  • software specially designed or modified for the development or production of such systems, equipment or components (amended ECCN 4D001)
  • software specially designed for the generation, operation or delivery of, or communication with, intrusion software (new ECCN 4D004)
  • technology required for the development of intrusion software (amended ECCN 4E001)
  • IP network communications surveillance systems or equipment and test, inspection, production equipment, and specially designed components therefor, and development and production software and technology therefor (amended ECCN 5A001).

BIS refers to these collectively as cybersecurity items.

Cybersecurity Items and Other Information Security Controls

In one respect BIS’ proposed controls on cybersecurity items are similar to its controls on information security items. Currently, BIS’ controls on items with cryptographic, cryptoanalytic and other information security capabilities (hereinafter encryption controls) are unique because they effectively trump the classification-based controls placed on other items subject to the EAR. For example, avionics equipment would normally be classified under a Category 7 – Navigation and Avionics entry on the Commerce Control List (CCL). However, if the same avionics system uses encryption, BIS directs exporters to classify it instead under a Category 5, Part 2 – Telecommunications and Information Security entry. Similar to BIS’s encryption controls classifications, BIS intends its cybersecurity classifications and licensing regime to trump other CCL-based controls.

Unlike BIS’ encryption controls, however, BIS does not plan to provide exporters with a powerful license exception like the ENC license exception, which effectively eases licensing burdens on many exporters. Moreover, BIS’s proposed cybersecurity rules foreclose the possibility of using several other, commonly available license exceptions. The upshot is that BIS will require its prior authorization for almost every export, transfer and reexport of cybersecurity items.

For exports of cybersecurity items that also have encryption functionality, BIS’ new cybersecurity controls will impose a new burden. Although BIS intends its cybersecurity classification to trump the CCL’s encryption classification, BIS will still require exporters to complete encryption-related registration and review requirements for their products before they apply for a license to export. Even with BIS’s relatively quick license processing times, this added step will mean that exporters of previously unexported cybersecurity products with encryption functionality will need to build longer license preparation and BIS review times into their business plans.

Licensing Policy

BIS’s proposed licensing policy for cybersecurity items will evaluate license requests under its regional security (RS) policy, in addition to existing licensing policies. Without the availability of license exceptions, the RS policy controls will require BIS’s prior review and approval of almost every export, transfer and reexport transaction.

BIS’s case-by-case review will focus on whether a proposed export is contrary to U.S. national security or foreign policy interests. BIS specifically notes that these policy interests include the international promotion of human rights observance.

In its proposed rule, BIS announces its plan to review a subset of proposed cybersecurity exports more favorably. This subset includes exports to U.S. companies or subsidiaries, provided they are not located in either one of two sets of countries; exports destined to a newly defined group of nongovernment end users, “foreign commercial partners,” when they are located in another subset of countries; and exports to government end users in Australia, Canada, New Zealand and the United Kingdom.

BIS also notes its policy of presumptive denial for any transactions involving rootkit or zero-day exploit capabilities. Rootkit technologies enable users to place processes and programs into software without detection. Zero-day exploits involve technology that targets unknown vulnerabilities in software.

To support its case-by-case analysis, BIS will require cybersecurity exporters to provide a letter of explanation with every license request, and applicants must agree to make available to BIS a copy of sections of source code and other software that implement or invoke the controlled cybersecurity functionality. For transactions involving foreign commercial partners, BIS will require applicants to explain how the proposed recipients meet its definition of a foreign-based nongovernmental end user that has a business need to share the applicant’s proprietary information and that has an established pattern of continuing or recurring contractual relations with the exporter. Applicants will also need to provide BIS with answers to several technical questions regarding the cybersecurity functionality of the item to be exported.

In addition to the longer time it will take to meet these license application requirements, exporters can reasonably expect longer review times and more follow-up from BIS licensing officers once their applications are filed.

BIS Request for Comments

Given the significant impact its proposed licensing regime would have on exporters of cybersecurity items, BIS has opened a comment period on the proposed rules. BIS is specifically asking those who would be affected by the new regulations to answer the following questions:

1. How many additional license applications would your company be required to submit per year under the requirements of this Proposed Rule? Of those applications, if any:

    1. How many additional applications would be for products that are currently eligible for license exceptions?
    2. How many additional applications would be for products that currently are classified EAR99?

2. How many deemed export, reexport or transfer (in-country) license applications would your company be required to submit per year under the requirements of this rule?

3. Would the rule have negative effects on your legitimate vulnerability research, audits, testing or screening and your company’s ability to protect your own or your client’s networks? If so, explain how.

4. How long would it take you to answer the questions in proposed paragraph (z) to Supplement No. 2 to part 748? Is this information you already have for your products?

Responses and other comments on the proposed rule will be accepted through July 20, 2015.

More details can be found in the Federal Register notice here.
