On October 21, 2021, the BIS published an Interim Final Rule that is set to amend the Export Administration Regulations (EAR) through the imposition of new export controls aimed at “cybersecurity items,” including “intrusion software,” products, and technology. According to the BIS, it is seeking to control these items due to their potential use in malicious cyber activities, including surveillance, espionage, and other actions that can disrupt, deny, or degrade networks or network devices. The interim final rule is set to become effective January 19, 2022, with industry comments due by December 6, 2021.
With this rule, the BIS is seeking to add several new Export Control Classification Numbers (ECCNs) to the Commerce Control List (CCL), specifically 4A005, 4D004, 4E001.c, and 5A001.j, assigning them National Security (NS) and Anti-terrorism (AT) reasons for control. Cybersecurity items covered under the above-mentioned ECCNs are those that are broadly designed or modified as systems, equipment, or components for the command and control, delivery, or generation of “intrusion software,” or as IP network communications surveillance systems or equipment. It should be noted that the term “intrusion software” itself is set to be a new addition to the EAR, with the term encompassing software that is specially designed or modified to avoid detection by “monitoring equipment,” such as antivirus software and firewalls.
Adding a layer of complexity to the situation is the fact that many “cybersecurity” items have a natural overlap with items found elsewhere in the CCL, notably Category 5 – Part 2 of the CCL. The BIS quickly clarified this situation, stating that when a cybersecurity item incorporates particular “information security” functionality specified in ECCNs 5A002.a, 5A004.a, 5A004.b, 5D002.c.1, or 5D002.c.3, these ECCNs, and the export controls associated with them, prevail.
While there is no doubt that the interim rule is set to increase BIS scrutiny on a variety of cybersecurity items, the rule simultaneously seeks to authorize legitimate uses of such items by the cybersecurity community. The interim rule creates a new export license exception titled “Authorized Cybersecurity Exports” or “ACE”, which authorizes many exports of otherwise covered cybersecurity items when destined for legitimate cybersecurity research and incident response activities. It should be noted that ACE does not authorize exports to “black-hat hackers,” government end users in Group D countries, non-government end users in Group D countries, or deemed exports to government end users in Group D countries. ACE will also not authorize exports (including deemed exports) to Cuba, Iran, North Korea, or Syria.
Once effective, these amendments to the EAR are likely to have wide-reaching impacts on the cybersecurity world. While the rule will undoubtedly impact the developers of cybersecurity software, the effects won’t stop there and are sure to be felt by cybersecurity service providers, research organizations, law enforcement agencies, IT administrators, and beyond. If you have questions relating to this Interim Final Rule or export controls in general, do not hesitate to contact an attorney at Barnes, Richardson & Colburn LLP.