Commerce tightens export controls on items used in surveillance of private citizens and other malicious cyber activities

The Commerce Department’s Bureau of Industry and Security (BIS) has released an interim final rule, establishing controls on the export, reexport, or transfer (in-country) of certain items that can be used for malicious cyber activities.  The rule also creates a new License Exception Authorized Cybersecurity Exports (ACE) and requests public comments on the projected impact of the proposed controls on U.S. industry and the cybersecurity community. 

License Exception ACE would allow the export, reexport and transfer (in-country) of ‘cybersecurity items’ to most destinations, while retaining a license requirement for exports to countries of national security or weapons of mass destruction concern.  In addition, countries subject to a U.S. arms embargo will require a license.

While allowing certain exclusions, restricted end users targeted by this interim final rule would include a ‘government end user,’ as defined in § 740.22 of the EAR, of countries of concern for national security reasons or those subject to an arms embargo.  Furthermore, the License Exception ACE would impose an end-use restriction in circumstances where the exporter, reexporter, or transferor knows or has reason to know at the time of export, reexport, or transfer (in-country), including a deemed export or reexport, that the ‘cybersecurity item’ will be used to affect the confidentiality, integrity or availability of information or information systems, without authorization by the owner, operator or administrator of the information system (including the information and processes within such systems).

The United States Government opposes the misuse of technology to abuse human rights or conduct other malicious cyber activities, and these new rules will help ensure that U.S. companies are not fueling authoritarian practices.  U.S. exporters are likewise encouraged to consult the State Department’s Guidance on Implementing the “Guiding Principles” for Transactions Linked to Foreign Government End Users for Products or Services with Surveillance Capabilities to minimize the risk that their products or services are misused by governments to violate or abuse human rights.

Today’s rule is consistent with the result of BIS’s negotiations in the Wassenaar Arrangement (WA) multilateral export control regime and with a review of comments from Congress, the private sector, academia, civil society, and other stakeholders on previously proposed BIS rulemaking in this area. Comments to the rule must be received in no later than 45 days from today, and the rule will become effective 90 days from today.

U.S. Secretary of Commerce Gina M. Raimondo released the following statement: “The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights. The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities.”