Proposed Rule to Subject Certain Cybersecurity Items to Greater Export Restrictions

The U.S. Department of Commerce Bureau of Industry and Security (BIS) recently published a proposed rule enhancing controls on certain cybersecurity items under the Export Administration Regulations (EAR). Specifically, the proposed rule would impose tighter controls on systems, software, and technology for the delivery and development of intrusion software, but would not change the controls on intrusion software itself. While BIS has stated that the rule is primarily intended to capture offensive items, due to similarities in the capabilities of offensive and defensive systems, defensive cybersecurity products may be covered under the rule. Should the proposed rule go into effect as written, the covered cybersecurity items would require a license for export to every country except Canada, and use of license exceptions would not be available. Public comments to the proposed rule must be submitted to BIS no later than July 20, 2015.

Coverage: Hardware, Software, and Technology for the Delivery and Development of "Intrusion Software"

As stated above, the proposed rule does not cover "intrusion software" itself, but rather hardware and software for the delivery of intrusion software, as well as technology for its development. The proposed rule creates two new ECCNs—ECCN 4A005 and ECCN 4D004—to control the following covered cybersecurity items:

  • Systems, equipment, or components specially designed for the generation, operation, delivery, or communication with intrusion software
  • Software specially designed or modified for the development or production of the items listed above
  • Software specially designed for the generation, operation, delivery, or communication with intrusion software
  • Technology required for the development of intrusion software (including proprietary research on the vulnerabilities and exploitation of network-capable devices)

The proposed rule defines "intrusion software" as software that is:

"'Specially designed' or modified to avoid detection by 'monitoring tools,' or to defeat 'protective countermeasures,' of a computer or network-capable devices," which also performs either of the following: "the extraction of data or information, from a computer or network-capable device, or the modification of system or user data" or "the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions."[1]

The proposed definition does not include: hypervisors, debuggers, and software reverse engineering (SRE) tools; digital rights management (DRM) software; and software designed to be installed for asset tracking or recovery. The proposed rule would also modify ECCN 4D001 to cover software specially designed or modified for the development or production of items covered by new ECCNs 4A005 and 4D004, and modify ECCN 4E001 to cover technology required for the development of intrusion software. BIS has indicated that the rule would cover the following technology for the development and production of intrusion software command and delivery platforms:

  • Information on testing, refining, and evaluating intrusion software
  • Information on how to prepare or integrate the intrusion software for deployment
  • Technology for the development and production of the intrusion software command or delivery platform

Technology covered by the proposed rule would not include: information on how to discover vulnerabilities in a system or network, information about any network vulnerabilities and their respective causes, or information on the testing of vulnerabilities. Additionally, only technology that is responsible for meeting or exceeding the controlled characteristics or functions would be controlled. However, the controlled characteristics may cover both offensive and defensive items. This is because both offensive and defensive items often avoid detection or defeat protective countermeasures and extract or modify data or alter execution paths.

Items covered by the new ECCNs, many of which were previously controlled under Category 5 Part 2 for their encryption capabilities, would no longer be eligible for License Exception ENC, and would require a license for every country except Canada. BIS has also stated that there would be a policy of presumptive denial for license applications covering items that have or support rootkit or zero-day exploit capabilities because they are presumed to be "offensive by design." If your defensive product supports rootkit or zero-day exploit capabilities, BIS may consider licensing that product for export. License applications for covered cybersecurity items would also need to include additional information regarding the encryption capabilities of the items upon request. The exporter may also be required to provide source code and/or other software that implements the controlled cybersecurity functionality.

IP Network Communications Surveillance Items

In a related move, the BIS proposed rule also amends ECCN 5A001 to add paragraph j, covering certain IP network communications surveillance systems or equipment, as well as their specially designed components that intercept and analyze network communication traffic to produce personal, human, and social information. The cybersecurity items covered by ECCN 5A001.j would also require a license to every country except Canada.

Comment Period

Comments to the proposed rule must be submitted on or before July 20, 2015. In the Federal Register notice, BIS specifically solicited comments from companies regarding:

  1. How many additional license applications would be required per year under the requirements of this proposed rule? Of those applications, if any:
    1. How many additional applications would be for products currently eligible for license exceptions?
    2. How many additional applications would be for products currently classified EAR99?
  2. How many deemed export, reexport, or transfer (in-country) license applications would be required per year under the requirements of this rule?
  3. How would the rule negatively affect legitimate vulnerability research, audits, testing or screening, and the ability to protect your own or others' networks?
  4. How long would it take to answer the additional information required for license applications for cybersecurity items? Is this information already available?

Additionally, as part of the FAQs, BIS indicated that it is interested in receiving comments and questions on: any potential capture of defensive cybersecurity products under the proposed rule, the technology covered by the proposed rule, and the relationship between the proposed rule and "publicly available" information under Section 734.7 of the EAR. We also believe that it would be useful to provide BIS with examples of defensive products with zero-day exploit and rootkit capabilities. Finally, information on internal transfers of intrusion software and related items by U.S. companies with operations abroad would be helpful.

[1] 90 Fed. Reg. 28858.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Sonsini Goodrich & Rosati | Attorney Advertising
