On May 26, 2022, the US Department of Commerce’s Bureau of Industry and Security (“BIS”) published a final rule revising the restrictions on the export, reexport and transfer (in-country) of certain “cybersecurity items” used for malicious cyber activities (“final rule”). Effective immediately upon publication, the final rule amends the October 21, 2021, interim final rule (“interim rule”) that went into effect on March 7, 2022, which we addressed in a previous Legal Update.
More specifically, the final rule:
- Adds a new end use restriction1 to License Exception Encryption Commodities, Software, and Technology (“ENC”) to mirror the restrictions applicable to License Exception Authorized Cybersecurity Exports (“ACE”) and close a potential loophole for certain items;
- Limits the scope of carve-outs available under License Exception ACE for certain government end users to only account for “digital artifacts” for purposes of criminal or civil investigations or prosecutions of cybersecurity incidents;
- Further defines “government end user” under License Exception ACE by providing an illustrative list of seven types of users who meet the definition and adds a definition for “partially operated or owned by a government or governmental authority”; and
- Makes a number of structural clarifications and restores 5D001.e to Export Control Classification Number (“ECCN”) 5D001. BIS states that 5D001.e was “inadvertently removed” from the interim rule.
As discussed in our prior Legal Update, the interim rule implemented new controls on “intrusion software”2 that balanced US foreign policy and national security concerns with the need for legitimate cybersecurity transactions. It reflected several years of negotiations codified in the multilateral Wassenaar Arrangement and incorporated significant US stakeholder input.
BIS published the interim rule on October 20, 2021, with a delayed effective date of January 19, 2022. On January 12, 2022, BIS published a rule that further delayed the effective date of the interim rule until March 7, 2022, at which point it went into effect.
Response to Public Comments
The interim rule’s comment period ended December 12, 2021, with 12 total comments. In addition to the regulatory changes outlined above, BIS addressed a number of public comments:
- Several commenters raised concerns that the complexity of ECCN 5A001.j (which covers certain “IP network communications surveillance systems or equipment, and ‘specially designed’ components therefor”) presents compliance difficulties. In response, BIS committed to provide additional FAQ guidance on 5A001.j.
- BIS also noted that it is working on providing additional guidance broadly related to License Exception ACE and the cybersecurity community.
- Commenters expressed concerns that the definitions of “vulnerability disclosure” and “cyber incident response” are too narrow. BIS responded that it believes many of the specific activities mentioned in the comments, such as tactics and techniques of malicious actors, are not subject to a license requirement. While BIS declined to broaden these terms, it committed to clarify the scope of license requirements through FAQs.
Additionally, BIS acknowledged other comments but declined to take further action:
- Several commenters asked for clarification of BIS's “reason to know” standard; however, BIS declined to provide additional sector-specific guidance. BIS stated that it believes the current guidance3 is sufficient to address the public’s questions.
- One commenter requested BIS remove the licensing requirement for people acting on behalf of a “government end user” because it would “chill cross-border collaboration with cybersecurity researchers and bug bounty hunters” since exporters would be required to check whether an individual has a government affiliation before beginning communication. BIS disagreed with this recommendation, noting that the license requirement is necessary to prevent people who are acting on behalf of a Country Group D government from obtaining “cybersecurity items” for activities contrary to US national security and foreign policy interests. BIS noted that because of the limited scope and applicability of the license requirement, it believes the requirement will protect US interests without unduly affecting legitimate cybersecurity activities.
New End-Use Restriction for License Exception ENC
In the final rule, BIS added a new end-use restriction to 15 C.F.R. § 740.17 (“License Exception ENC”) to prohibit the use of ENC for certain cybersecurity items4 if there is either knowledge or “‘reason to know’ at the time of export, reexport, or transfer (in-country) . . . that the item will be used to affect the confidentiality, integrity, or availability of information or information systems, without authorization by the owner, operator, or administrator of the information system.” This language, which adds cryptographic or cryptanalytic functionality to the “cybersecurity item,” mirrors that of License Exception ACE and is intended to close a loophole and prevent the evasion of ACE restrictions by use of ENC.
Clarifications to License Exception ACE
In response to public comments regarding the lack of clarity on the definition of “government end user” in License Exception ACE, codified at 15 C.F.R. § 740.22(b)(4), and potential overlap with the definition of “favorable treatment cybersecurity end users” for purposes of License Exception ACE, BIS made a number of revisions and clarifications in the final rule:
- The final rule adds an illustrative list of end users that meet the definition of a “government end user” under License Exception ACE, differentiating between “more-sensitive government end users” and “less-sensitive government end users,” which are terms already defined in the Export Administration Regulations (“EAR”).5 The final rule also amends these definitions to clarify that they apply to cybersecurity items and are now referenced in License Exception ACE.6
- BIS included the expression “partially operated or owned by a government or governmental authority” in three categories of listed “government end users”—utilities, transportation hubs and services, and retail or wholesale firms—and added a note to define the expression.7
- The final rule amends § 740.22(c)(2)(i) to correct the text, which “inadvertently increased the scope of the exception.” As previously written, that paragraph allowed:
(a) Exports of “digital artifacts”8 to anyone in a Country Group D country that is also listed in Country Group A:6 (currently, Cyprus, Israel, or Taiwan); and
(b) Exports of any “cybersecurity item”9 to police or judicial bodies to Country Group D countries that are also listed in Country Group A:6.
However, BIS stated that the final rule clarifies its intention to only allow exports of “digital artifacts” to police or judicial bodies in Country Group D countries that are also listed in Country Group A:6 for purposes of criminal or civil investigations or prosecutions.
The final rule also included structural changes in response to public comments on clarity.10
Any party relying on License Exceptions ENC or ACE should carefully consider and apply appropriate risk-based due diligence to evaluate potential prohibited end-user and end-use considerations in order to mitigate potential exposure in connection with these controls.
2 “Intrusion software” is defined as “‘software’ specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’, of a computer or network-capable device, and performing any of the following: (1) The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or (2) The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.” § 772.
3 BIS noted the terms “know” and “reason to know” under License Exception ACE use the same definition found in 15 C.F.R. § 772.1 for the term “knowledge.” BIS also cited the “Know Your Customer” guidance located in Supplement No. 3 to Part 732 of the EAR and on its website provides additional information applicable to ACE.
• “cryptanalytic items,” classified in ECCN 5A004.a, 5D002.a.3.a or c.3.a, or 5E002;
• network penetration tools described in § 740.17(b)(2)(i)(F), and ECCN 5E002 “technology”; or
• automated network vulnerability analysis and response tools described in § 740.17(b)(3)(iii)(A), and ECCN 5E002 “technology.”
8 “Digital Artifacts” are defined within License Exception ACE as “items (e.g., ‘software’ or ‘technology’) found or discovered on an information system that show past or present activity pertaining to the use or compromise of, or other effects on, that information system.” 15 C.F.R. § 740.22(b)(2).
9 “Cybersecurity Items” are defined within License Exception ACE as “ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004), 4E001.c, 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)), and 5E001.a (for 5A001.j or 5D001.a (for 5A001.j)).” 15 C.F.R. § 740.22 (b)(1).
The authors would like to thank Emily M. King for her help writing this Legal Update.