The Bureau of Industry and Security (“BIS”) published a new interim final rule on October 21, 2021. It takes effect 90 days after publication, on January 19, 2022. In addition, there is a comment period that ends on December 6, 2021.
What the new rule changes
The new rule adds controls under the Export Administration Regulations (“EAR”) on a number of cybersecurity items, software, and technology pursuant to the Wassenaar Arrangement, a multilateral regime of which the United States is a member. It also adds a new license exception, Authorized Cybersecurity Exports (ACE), applicable to cybersecurity and IP network surveillance items, and modifies the scope of other license exceptions with respect to the newly controlled items. Finally, it adds a number of definitions relevant to the new controls and license exception, including “cybersecurity items,” “cyber incident response,” “digital artifacts,” “favorable treatment cybersecurity end-user,” “vulnerability disclosure,” and a License Exception ACE-specific definition of “government end user.”
As noted in the accompanying press release, the new rule is intended to preclude the malicious use of technology to threaten cybersecurity and human rights. The cybersecurity items subject to the new rule have legitimate uses, such as for law enforcement or identifying computer vulnerabilities without maliciously exploiting them (sometimes called “white hat” hacking). However, cybersecurity and surveillance technology is also the subject of widespread human rights concern, as reflected in the United Nations’ recent call for all member states to stop the sale and transfer of surveillance technology until they have in place robust mechanisms to guarantee its use does not violate human rights.
Why it matters
First and foremost, the new rule means certain items that were not export-controlled previously are now subject to export controls. Companies involved in developing, producing, selling, or using the types of cybersecurity items, software and technology subject to the new controls will need to review those items to determine whether they fall under the new controls.
Second, the rule establishes a new license exception that applies to the items newly subject to control. This license exception has a number of exclusions from its scope and exceptions to those exclusions. Some of these details relate to the availability of the license exception to allies such as Israel, Cyprus, Taiwan, Saudi Arabia, and the UAE. As such, careful attention is required as to whether the new license exception applies and all of its conditions (including end user and end use restrictions) are met with respect to transactions in which it is used.
Finally, while the rule will become effective on January 19, 2022, industry can provide comments on the rule until December 6, 2021. This affords companies impacted by the rule an opportunity to suggest modifications - for instance, to mitigate unintended impacts in a manner consistent with BIS's regulatory objectives.
Summary of new controls under CCL Categories 4 and 5
The new rule creates new ECCNs and modifies existing ECCNs in Categories 4 and 5 of the Commerce Control List (“CCL”), imposing new export controls on items meeting the descriptions in the new and modified ECCNs.
The new or modified ECCNs in Category 4 relate to “intrusion software,” defined as software specially designed or modified to avoid detection by monitoring tools (such as antivirus, endpoint or personal security products, and intrusion detection or prevention systems), or to defeat protective countermeasures (such as sandboxing or data execution prevention) of a computer or network-capable device, and that either extracts data or information from that device, modifies system or user data, or modifies the standard execution path of a program or process so as to allow the execution of externally provided instructions. Intrusion software does not include software that may contain similar capabilities but that is intended for non-malicious uses, such as hypervisors, digital rights management software, debuggers, reverse-engineering tools, or software designed to be used by administrators and manufacturers for asset tracking and recovery purposes.
New ECCNs 4A005 and 4D004 control systems, equipment, components, and software specially designed or modified for the generation, command and control, or delivery of intrusion software. ECCN 4D001 has been amended to include software specially designed or modified for the development or production of items controlled under 4A005 or 4D004, and new paragraph 4E001.c controls technology for the development of intrusion software. Technology for the development, production, or use of the newly controlled Category 4 equipment and software is also controlled under existing ECCN 4E001.a. However, the technology controls under ECCN 4E001 do not apply to “vulnerability disclosure” or “cyber incident response.” “Vulnerability disclosure” is newly defined as the process of identifying, reporting, or communicating a vulnerability to, or analyzing a vulnerability with, individuals or organizations responsible for conducting or coordinating remediation for the purpose of resolving the vulnerability. “Cyber incident response” is newly defined as the process of exchanging necessary information on a cybersecurity incident with individuals or organizations responsible for conducting or coordinating remediation to address the incident.
Controlled items in Category 4 are now subject to national security (NS) controls, which require a license or an applicable license exception for export to all destinations other than Canada.
New ECCN 5A001.j now controls IP network communications surveillance systems and equipment, and specially designed components for such systems and equipment, meeting specified criteria. To fall within the new control, an item must perform all of the following functions on a carrier-class IP network (such as a national IP backbone): analysis at the application layer, extraction of selected metadata and application content (such as voice, video, messages, and attachments), and indexing of the extracted data. In addition, the item must be specially designed to execute searches on the basis of “hard selectors” (identifying information about an individual) and to map the relational network of an individual or group of people. Equipment designed for marketing, quality of service, or quality of experience purposes is excluded from ECCN 5A001.j.
Controls have also been added under 5B001 for equipment and specially designed components for the development or production of 5A001.j items; under 5D001 for software specially designed or modified for the development, production, or use of, or to provide the characteristics, functions, or features of, 5A001.j items; and under 5E001 for technology for the development, production, or use of equipment, functions, or features controlled under 5A001.j or software controlled under 5D001. Such items are now subject to national security controls, although the destination-based controls differ for software and technology versus systems and equipment.
To determine whether an item, software, or technology is subject to the new controls, companies will in most instances need to apply a “specially designed” analysis under the EAR definition of that term. Depending on the outcome of that analysis, items that have the capabilities enumerated in the new ECCNs may or may not be subject to the new controls.
The new ECCNs in Category 4 are not intended to supplant existing controls on items for information security or encryption reasons (generally, items that fall within Category 5, Part 2 of the CCL) or because they can be used for surreptitious listening (SL). Where such items are also described under Category 5 Part 2 or in an ECCN controlled for SL reasons, those items will be – or will continue to be – listed in Category 5 Part 2 or the SL ECCNs.
New license exception and limits on existing license exceptions
New and revised license exceptions are an important aspect of the new rule. License Exception STA has been significantly restricted or eliminated for most of the newly controlled items, and License Exception GOV may not be used for them.
But the most significant change with respect to license exceptions is the creation of License Exception Authorized Cybersecurity Exports (ACE). License Exception ACE authorizes exports (including deemed exports and reexports) of cybersecurity items, except as follows:
- License Exception ACE may not be used for exports or reexports, including deemed exports, to embargoed countries listed in Country Group E of the EAR.
- License Exception ACE may not be used for exports to “government end users” in any Country Group D country, except under specific circumstances. For purposes of License Exception ACE only, a “government end user” is a national, regional, or local department, agency, or entity providing any governmental function or service. The term includes international governmental organizations and government research institutions, and persons acting on their behalf. It also includes foreign retail and wholesale firms that manufacture, distribute, or provide items or services controlled under the Wassenaar Arrangement Munitions List. The specific circumstances under which ACE can be used for exports to government end users are as follows:
  - ACE can be used to export “digital artifacts” related to a cybersecurity incident at certain types of organizations, called “favorable treatment cybersecurity end users,” to government end users in Country Group D destinations that are also listed in Country Group A:6, which includes, among others, Cyprus, Israel, and Taiwan. “Digital artifacts” are software or technology found or discovered on an information system that show past or present activity pertaining to the use or compromise of, or other effects on, that information system. “Favorable treatment cybersecurity end users” include foreign subsidiaries of U.S. companies, providers of banking or other financial services, insurance companies, and civil health and medical institutions involved in the practice of medicine or medical research.
  - In addition, exports under ACE are permitted to police or judicial bodies in Country Group D countries that are also listed in Country Group A:6, for the purpose of investigating or prosecuting cybersecurity incidents.
  - Finally, ACE can be used to export cybersecurity items to government end users in Country Group D countries that are also listed in Country Group A:6, where those government end users are national computer security incident response teams and the purpose of the export is responding to a cybersecurity incident, vulnerability disclosure, or the investigation or prosecution of cybersecurity incidents.
  - Note, however, that 4E001.a and 4E001.c do not control technology in connection with cyber incident response or vulnerability disclosure and, therefore, no license exception would be required for such technology, provided it is not also subject to control under another ECCN.
- ACE also may not be used to export cybersecurity items to non-government end users in Country Group D:1 or D:5 countries, except under the following circumstances:
  - the items are controlled under the new or newly modified ECCNs in Category 4 and the recipient is a favorable treatment cybersecurity end user;
  - the export is in connection with vulnerability disclosure or cyber incident response; or
  - the export is a deemed export.
- Finally, License Exception ACE may not be used where the exporter knows or has reason to know that the cybersecurity items being exported will be used to affect the confidentiality, integrity, or availability of information or information systems without authorization by the owner, operator, or administrator of the information system.
Companies that develop, produce, or use products impacted by the new rule are well positioned to provide constructive input on how the rule may be improved. Commenters should use the Federal rulemaking portal (www.regulations.gov) under docket ID BIS-2020-0038 and reference RIN 0694-AH56 in all comments. In addition, any business confidential information submitted should be clearly marked to prevent public release.
Dentons' Federal Regulatory and Compliance team will continue to monitor developments relating to this new rule.