The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) appears to be increasing the rate at which it imposes new export controls on various technologies, software and commodities (items). In October alone, BIS published four separate notices that either impose new export controls or propose to do so. We believe BIS is likely to continue to impose export controls on new items, including emerging technologies, at an increased rate. This alert summarizes the export classification changes, final and proposed, that BIS published in October.

To ensure compliance with the U.S. export control laws, companies should verify the export control classification numbers (ECCNs) of the items that they export, including technologies and source code transferred to foreign persons in the United States. Items that may have been eligible for export without a license from BIS may now or soon require an export license.

New Controls on Cybersecurity Items

In a move intended to crack down on the export of computer software that can be used to further malicious monitoring and hacking attempts, BIS recently released an interim final rule that imposes new export controls on intrusion and surveillance tools. The new controls, which will take effect on January 19, 2022, are implemented in part through the introduction of two new ECCNs to the Commerce Control List (CCL): ECCNs 4A005 and 4D004. Both ECCNs relate to “intrusion software.” ECCN 4A005 will control ‘“systems,’ ‘equipment,’ and ‘components’ therefor, ‘specially designed’ or modified for the generation, command and control, or delivery of ‘intrusion software.’” ECCN 4D004 will control ‘“software’ ‘specially designed’ or modified for the generation, command and control, or delivery of ‘intrusion software.’” The interim final rule will also add paragraph “.c” to ECCN 4E001 to control ‘“technology’ for the ‘development’ of ‘intrusion software.’”

The EAR defines “intrusion software” as follows:

“‘Software” specially designed or modified to avoid detection by ‘monitoring tools,’ or to defeat ‘protective countermeasures,’ of a computer or network-capable device, and performing any of the following:

1. The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or
2. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.[1]

In addition, the interim final rule will add paragraph “.j” to ECCN 5A001 to control certain “IP network communications surveillance systems or equipment” that perform particular functions on carrier class IP networks.

The interim final rule has been under development since 2013. A previous version of the rule was criticized by the software development community in 2015 as overly broad and likely to stymie technological research and development. To address those concerns, BIS revised the language to be more specific, including by adding “command and control” as a control criterion. These revisions were intended to narrow the scope to control only malicious hardware and software tools. “Vulnerability disclosure” and “cyber incident response” software, as well as products designed and limited to provide basic software updates and upgrades, are not covered by the new controls.

Further, the interim final rule will create a new license exception – Authorized Cybersecurity Exports (ACE). This License Exception is intended to ensure that “legitimate cybersecurity research and incident response activities” are authorized. Certain items to be controlled under new ECCNs 4A005 and 4D004, and new paragraphs 4E001.c and 5A001.j, in addition to certain items controlled under preexisting ECCNs in Category 5—Part 2 (“Information Security”), may be eligible for export under License Exception ACE. While License Exception ACE will apply broadly, it may not be used if the exporter, reexporter, or transferor “knows or has reason to know at the time of export, reexport, or transfer (in-country) ... that the ‘cybersecurity item’ will be used to affect the confidentiality, integrity or availability of information or information systems without authorization by the owner, operator, or administrator of the information system (including the information and processes within such systems).” Further, the use of License Exception ACE for exports to government end-users is limited.

The interim final rule remains open for public comment from now through December 6, 2021. Companies that design, produce or develop intrusion software or other items subject to these new controls should analyze how these new controls may impact their business, including whether items will be subject to stricter license requirements and, if so, whether License Exception ACE will be available. If appropriate, companies should prepare comments for submission before the December 6 deadline.

Expanded Controls on Software and Technology Related to Nucleic Acid Assemblers and Synthesizers and Addition of Controls on Deuterium

On October 5, BIS issued a final rule imposing controls on software and technology related to nucleic acid assemblers and synthesizers. The rule became effective October 5 and added ECCN 2D532 to the CCL to control ‘“software’ designed for nuclear acid assemblers and synthesizers controlled by ECCN 2B352.j that is capable of designing and building functional genetic elements from digital sequence data.” In addition, technology for the “development” of software capable of designing and building functional genetic elements from digital sequence data is now controlled under ECCN 2E001. According to BIS, the new controls, which are part of BIS’s effort to control emerging technologies, were necessary because “the prior absence of controls on this ‘software’ could be exploited for biological weapons purposes.”

The following day, on October 6, BIS issued a final rule to add ECCN 1C298 to the CCL to control deuterium “intended for use other than in a nuclear reactor.” Prior to this amendment, all deuterium, regardless of whether it was for non-nuclear end-use, was regulated by the Nuclear Regulatory Commission (“NRC”). Effective December 6, BIS will have export licensing control authority over deuterium that is not for nuclear end use; deuterium for nuclear end-uses will continue to be controlled by the NRC. Also, on October 6, the NRC issued a companion final rule that will become effective December 6.

Proposed Controls on Brain-Computer Interface Emerging Technology

On October 26, as part of its continued initiative to identify emerging technologies that are not yet listed on the CCL, BIS issued an advanced notice of proposed rulemaking (ANPRM) requesting public comment on the potential uses of Brain-Computer Interface (BCI) technology. The ANPRM stated that comments regarding BCI technology’s “impact on U.S. national security (e.g., whether such technology could provide the United States, or any of its adversaries, with a qualitative military or intelligence advantage),” and comments on whether effective export controls could be implemented on BCI technology are of particular interest. While the ANPRM does not specifically define BCI technology, it states that BCI technologies frequently involve a process in which brain signals are acquired, analyzed and then translated into commands that are: “(1) used to control machines; (2) potentially transferred to other humans; or (3) used for human assessment or enhancement.” BIS named “neural-controlled interfaces, mind machine interfaces, direct neural interfaces, and brain-machine interfaces” as examples of BCIs.

The ANPRM remains open for public comment through December 10. To help ensure that BCI export controls are properly tailored, companies that design, produce or develop BCI technologies or related technologies are encouraged to submit comments.