Cybersecurity and export controls? Not for now in the U.S.!
Designers of weapons systems, infrared technology, high-end radar, and intelligence, surveillance, and reconnaissance (ISR) systems all know that they need to ensure they've thoroughly checked every box regarding export compliance. But what about cybertechnology? How does the U.S. government manage and enforce export compliance for this area?
The regulations surrounding cybertechnology are complicated, and new rule changes have been proposed that some in the tech industry find objectionable.
In spring of 2015, the Bureau of Industry and Security (BIS) within the Department of Commerce (DoC) published a proposed rule that will affect exports of products dubbed “cybersecurity items.” These items include intrusion software and network communications surveillance systems, along with related systems, equipment, software, components, and technology.
Although some of these “cybersecurity items” are currently controlled for their “information security” functionality, the proposed rules:
- Substantially increase the items controlled;
- Require a license for the export, re-export, or transfer (in-country) of these items to all destinations except Canada;
- Increase the information that must be supplied to support a license application;
- Impose relatively stringent licensing policy on license applications; and
- Substantially narrow the license exceptions available.
The purpose of these proposed rules is to implement the Wassenaar Arrangement (WA) 2013 Plenary Agreements, which require so-called Participating States such as the United States to control for all items on the WA control lists.
In response to the BIS request for public comments, which were due by July 20, 2015, software and technology companies uniformly objected to this regulation. For example, Google posted an article on its public policy blog stating that “these proposed rules, as currently written, would have a significant negative impact on the open security research community. They would also hamper our ability to defend ourselves, our users, and make the web safer. It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure.” Industry groups and nonprofits, such as the Electronic Frontier Foundation (EFF) and the Internet Association (whose members include major industry players), have submitted similar comments.
In response to the comments, BIS has backed off and is not implementing the Wassenaar changes for now. BIS officials have publicly stated that the U.S. government has taken the proposed cybersecurity controls back to Wassenaar in Austria to see whether they can be adjusted to make them more acceptable to industry. This delay means that other countries, such as the European Union (EU) member states, now control items that are not subject to export controls in the United States. This situation could well lead unsuspecting U.S. exporters to forget that their products are in fact export-controlled in the EU.
Although the proposed rule will not go forward as written, it is useful to see what it would have covered had it been implemented. Specifically, the BIS proposed rule would have included changes related to intrusion software and network communication surveillance systems:
- Creating a new definition of “intrusion software”:
  1. “Software” specially designed or modified to avoid detection by “monitoring tools,” or to defeat “protective countermeasures,” of a computer or network-capable device, and performing any of the following:
     a: The extraction of data or information, from a computer or network-capable device, or the modification of system or user data;
     b: The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions;
  2. “Monitoring tools” are software and hardware devices that monitor system behaviors, such as antivirus products, endpoint security products, personal security products (PSP), intrusion detection products (IDS), intrusion prevention systems (IPS), or firewalls. Thus, any software that is specially designed or modified to avoid detection by antivirus products or firewalls would be captured, provided it also performed either the extraction of data/information or the modification of a program's standard execution path;
  3. “Protective countermeasures” are defined as techniques to ensure the safe execution of code, such as data execution prevention (DEP), address space layout randomization (ASLR), or sandboxing;
  4. However, “intrusion software” does not include:
     a: Hypervisors, debuggers, or software reverse engineering (SRE) tools;
     b: Digital Rights Management software;
     c: Software designed to be installed by manufacturers, administrators, or users for the purposes of asset tracking and recovery;
  5. “Network-capable devices” would include mobile devices and smart meters;
- Adding two new export control classification numbers (ECCNs) for software (ECCN 4D004) and related systems, equipment, software, and components (ECCN 4A005) related to “intrusion software” to the Commerce Control List (CCL). Because these new ECCNs would be controlled for national security (NS), regional stability (RS), and anti-terrorism (AT), an export license would be required for all destinations, except Canada. There are no license exceptions available for these items, except for certain portions of License Exception GOV [e.g., exports to or on behalf of the United States government pursuant to § 740.11(b) of the Export Administration Regulations (EAR)];
  1. ECCN 4A005 covers “systems,” “equipment,” or “components” for intrusion software, “specially designed” for the generation, operation or delivery of, or communication with, “intrusion software”;
  2. ECCN 4D004 covers “software” “specially designed” for the generation, operation or delivery of, or communication with, “intrusion software.”
It is noteworthy that ECCNs 4A005 and 4D004 are both far broader than the intrusion software itself: they encompass systems, equipment, components, and software specially designed for the “generation, operation or delivery of, or communication with, ‘intrusion software.’”
- Amending two existing ECCNs affected by “intrusion software.” No license exceptions are available for these items, including Strategic Trade Authorization (STA) or Technology and Software Under Restriction (TSR):
  1. 4D001 would additionally control “software” “specially designed” or modified for the “development” or “production” of equipment controlled by new ECCN 4A005;
  2. 4E001 would additionally control “technology” “required” for the “development” of intrusion software;
- Amending ECCN 4E001 so that it covers technology for the newly added 4A005 and 4D004, as well as technology “required” for the development of “intrusion software”;
- Adding 5A001.j to control IP network communications surveillance systems, equipment, and components that meet all of a number of criteria.
Exports of these newly cybersecurity-controlled items would require a license to all countries except Canada, and be subject to a relatively strict licensing policy with a favorable policy of review only for:
- Exports to subsidiaries of U.S. companies, but not those located in D:1 or E:1 countries such as China, Russia, or Ukraine;
- Exports to “foreign commercial partners” in A:5 – that is, foreign-based nongovernmental end users that have a business need to share the proprietary information of a U.S. company and are contractually bound to the U.S. company;
- Exports to government end users in Australia, Canada, New Zealand, and the United Kingdom.
All other license applications will receive a case-by-case review to determine if the transaction is contrary to the national security or foreign policy interests of the United States, including promoting the observance of human rights around the world.
Cybersecurity items that have encryption functionality are controlled under the new cybersecurity ECCNs but still have to undergo all the encryption review requirements.