Proposed Rule to Control Exports of Cybersecurity Technologies
International Trade & Customs Update
Date: May 26, 2015
The U.S. Department of Commerce, Bureau of Industry and Security (BIS) has issued a proposed rule to impose licensing and other requirements on exports and reexports of certain technologies related to cybersecurity. BIS is seeking comments through July 20, 2015 on the proposed rule. Companies that develop, produce, market or are major offshore users of such technologies may want to consider submitting comments.
On May 20, 2015, BIS proposed to amend the Export Administration Regulations (EAR) by adding several new Export Control Classification Numbers (ECCNs) to the Commerce Control List (CCL), as well as licensing and other requirements, that would apply to exports and reexports of cybersecurity technologies (see 80 Fed Reg. 28853). These amendments will implement U.S. obligations under certain agreements by the Wassenaar Arrangement (WA) made at the Plenary meeting in December 2013.
When final, these amendments to the EAR will impose a license requirement for the export, reexport or transfer (in-country) of the following cybersecurity items to all destinations except Canada:
- Systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software (including network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices).
- Software specially designed or modified for the development or production of such systems, equipment or components.
- Software specially designed for the generation, operation or delivery of, or communication with, intrusion software.
- Technology required for the development of intrusion software (including proprietary research on the vulnerabilities and exploitation of computers and network-capable devices).
- Internet protocol network communications surveillance systems or equipment; test, inspection, production equipment; specially designed components therefor; and development and production software and technology therefor.
The proposed rule seeks to add ECCN 4A005 (systems, equipment or components therefor specially designed for the generation, operation or delivery of, or communication with, intrusion software) and ECCN 4D004 (software specially designed for the generation, operation or delivery of, or communication with, intrusion software) to the CCL. These ECCNs would be controlled for national security, regional stability and anti-terrorism reasons to all destinations except Canada. No license exceptions would be available except certain provisions of license exception GOV (exports to or on behalf of the U.S. government). BIS has informally indicated that these ECCN controls will focus on systems that are offensive in nature and used to generate or be used with intrusion software, but will not control the intrusion software itself. The rulemaking also proposed a formal definition of the term “intrusion software.”
BIS further indicated in its notice that network communication traffic analysis systems are becoming an increasingly sensitive issue, which is why the WA signatories agreed to add the control of these items to the WA dual-use list. These systems intercept and analyze messages to produce personal, human and social information from the communications traffic. BIS proposes to add these systems into ECCN 5A001.j and group them with cybersecurity items for control for national security, regional stability, and anti-terrorism reasons to all destinations except Canada. BIS has informally indicated that this ECCN is intended for very narrow control of only very large systems that meet other requirements of the ECCN 5A category.
New Licensing Review Requirements
BIS states that although the cybersecurity capabilities provided by the products above were not previously designated for export control, many are controlled for their “information security” functionality, including encryption and cryptanalysis. The proposed rule therefore would continue applicable Encryption Items registration and review requirements. It also proposes additional license review policies and special submission requirements to address the new cybersecurity controls, including submission of a letter of explanation regarding the cybersecurity items’ technical capabilities.
FOR MORE INFORMATION
For further information on this rulemaking, or on exports and reexports of cybersecurity technologies generally, please contact:
James A. Losey
Samir D. Varma
Scott E. Diamond
For further information on cybersecurity generally, including strategic consulting, regulatory compliance and litigation services, please contact:
Roy E. Hadley, Jr.
Thomas F. Zych
This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.
This document may be considered attorney advertising in some jurisdictions.
© 2015 THOMPSON HINE LLP. ALL RIGHTS RESERVED.