On October 20, 2021, the US Department of Commerce Bureau of Industry & Security (“BIS”) published a long-awaited interim final rule announcing new restrictions on the export, reexport or in-country transfer of certain cybersecurity items used for malicious cyber activities.
In particular, it establishes:
- new controls and licensing requirements on a range of “cybersecurity items” that can be used for malicious cyber activities (including software, hardware and technology specially designed to generate, command and control or deliver “intrusion software” as well as certain IP network communications surveillance tools);
- a new License Exception Authorized Cybersecurity Exports (“ACE”) to allow for certain exports, reexports, or in-country transfers of these cybersecurity items to most destinations, while imposing restrictions for exports to government and non-governmental end-users in several countries under various circumstances;
- certain permissive carve-outs from those restrictions for “software specially designed and limited to providing basic updates and upgrades” and “vulnerability disclosure” or transactions involving “cyber incident response”; and
- a new catch-all restriction for exports, reexports and transfers where there is knowledge or reason to know that the cybersecurity item will be used for certain malicious activities without authorization of the owner, operator or administrator of the information system.
Interested parties can submit comments on the interim final rule on or before December 6, 2021. The rule will become final on January 19, 2022.
This long-anticipated rule codifies several years of negotiations surrounding controls on “intrusion software”[1] established in the multilateral Wassenaar Arrangement (“WA”). It reflects multiple attempts by BIS to address and implement significant US stakeholder input and concerns in the multilateral regime, including an attempted proposed rule from BIS in 2015 that ultimately led to a revision in the WA provisions in 2017. The interim final rule seeks to implement the 2017 cybersecurity updates to the WA in order to balance US foreign policy and national security concerns with the need to allow for legitimate cybersecurity transactions.
SCOPE OF LICENSE EXCEPTION ACE
What Does the New Rule Establish?
In the context of WA, the interim final rule establishes a number of standards intended to reflect or target those “cybersecurity items” that can be used for malicious cybersecurity activities. This includes:
- Software, hardware and technology specially designed to generate, command and control or deliver intrusion software; and
- Certain IP network communications surveillance tools.
The new controls on “cybersecurity items” (whether goods, software or technology) would mean that either a specific license or license exception is required for export, reexport or transfer (in-country) of such items to most destinations except Canada.
New License Exception ACE would provide authorization for the export, reexport and in-country transfer of most US-origin “cybersecurity items” to most destinations, subject to both territorial and end-use restrictions:
These rules do not extend to cybersecurity items controlled under the International Traffic in Arms Regulations (“ITAR”) governing defense articles and services. Moreover, the interim final rule includes provisions to prioritize certain existing encryption controls for cybersecurity items that incorporate particular “information security” encryption functionality specified under Category 5 (specifically, 5A002.a, 5A004 a – b, 5D002.c.1, or 5D002.c.3), as long as “the controlled ‘information security’ functionality remains present and usable within the cybersecurity end item or executable ‘software,’” but not where such “functionality is absent, removed or otherwise non-existent.”
Items that continue to be controlled under the Export Administration Regulations (“EAR”) for “Surreptitious Listening” (SL) reasons will continue to be regulated under those controls, which are the strictest licensing regime. The interim final rule further does not impact the EAR’s treatment of communications intercepting devices, software or technology. Finally, if items meet the threshold for “national security” (NS) controls, SL would apply.
What Are the Countries for Which ACE is Unavailable?
For Cuba, Iran, North Korea and Syria, ACE is not available.
What Are the Countries for Which ACE is Restricted?
For nearly 40 other countries (including China and Russia), License Exception ACE contains a complex series of limitations and conditions extending to both “government end-users” and “non-government end-users.” Parties involved in transactions involving the export, reexport or transfer (in-country) of a cybersecurity item must be careful to ensure that the contemplated activity is consistent with these limitations and is eligible for license-free export under this License Exception. The relevant restrictions apply to:
- Restricted Category 1 (Government End-Users of Group D). The first category of restriction applies to “government end-users” of Country Group D[2] (a list of nearly 40 countries for which the United States maintains export control restrictions based on certain national security and foreign policy concerns). A list of Country Group D countries is available at 15 CFR Part 740 Supp. No. 1.[3]
- Restricted Category 2 (Non-Government End-Users of Group D:1 or D:5). The second category of restriction applies to “non-government end-users” located in countries listed on Country Groups D:1 or D:5 for US national security or arms embargo concerns, including Russia, Sudan, Syria, Venezuela and Vietnam.
As discussed further below, in both cases, there are certain limited carve-outs under which exports, reexports and transfers may still satisfy eligibility criteria for License Exception ACE. Otherwise, transactions subject to these restrictions are ineligible for License Exception ACE.
What Limitations Apply for Government End-Users?
For “government end-users”[4] in Group D countries, License Exception ACE is generally unavailable subject to certain limited carve-outs:
- Exceptions for Cyprus, Israel and Taiwan. The interim final rule includes certain limited carve-outs for three countries otherwise covered by the restrictions: Cyprus, Israel and Taiwan. In particular, the “government end-user” restriction would not apply to exports, reexports, or transfers (in-country) of “digital artifacts” involving information systems that are owned or operated by a “favorable treatment cybersecurity end-user” or to police or judicial bodies in these three countries, which are evidence of software or technology that indicates a data breach, that implicate the information systems owned or operated by a “favorable treatment cybersecurity end-user” in the above-mentioned countries. The interim final rule defines “favorable treatment cybersecurity end-users” to cover the following: US subsidiaries, banking institutions, insurance companies or civil health and medical institutions.
In addition, License Exception ACE is also available for exports, reexports and transfers (in-country) to “national computer security incident response teams” of these countries for purposes of responding to cybersecurity incidents, engaging in “vulnerability disclosure” or to assist police or judicial bodies in these countries for the purposes of cybersecurity investigations or prosecutions.
- Technology Provided for “Vulnerability Disclosure” and “Cyber Incident Response.” The interim final rule includes definitions for both “vulnerability disclosure” and “cyber incident response,”[5] and as described further below, broadly affords favorable treatment under License Exception ACE for such activities with respect to “non-government end-users” through an exclusion. For Group D “government end-users,” the License Exception does not contain a similar general exclusion for these activities. However, the interim final rule includes a limited exclusion for such activities from the scope of control under one technology classification (4E001.c) “technology” for the “development” of “intrusion software.” Because that exclusion is at the controlled item level, rather than the License Exception level, it does not depend on whether the end-user is a government or non-government end-user. To the extent the only technology to be transferred in the course of “vulnerability disclosure” and “cyber incident response” would otherwise be controlled as “technology” for the “development” of “intrusion software,” the note to 4E001.c provides limited relief. This carve-out does not otherwise exempt or exclude such activities more generally.
Apart from these limited carve-outs, License Exception ACE would not be available for government end-users in Country Group D. Moreover, in both cases, the availability of ACE is subject to the other conditions and requirements of the EAR, including that there be “no reason to know” of a malicious cyber end-use under the end-use restriction described below.
What Limitations Apply for Non-Government End-Users?
Under the interim final rule, License Exception ACE imposes restrictions for “non-governmental end-users” (users that do not fall within the definition of “government end-user”) who are in Country Groups D:1 or D:5 but not in countries in Groups D:2, D:3, or D:4.[6] For non-government end-users in these countries, License Exception ACE is not available, subject to certain limited carve-outs:
- Carve-outs for Certain Cybersecurity Items to “Favorable Treatment Cybersecurity End-Users.” Controlled Cybersecurity Items covered by the following export control classifications to “favorable treatment cybersecurity end-users” who are not government end-users remain eligible for ACE: 4A005, 4D001.a, 4D004, 4E001.a and 4E001.c. Exports, reexports or transfers (in-country) of Cybersecurity Items covered by other export control classifications are outside the scope of this carve-out, even if the end-user is a Favorable Treatment Cybersecurity End-User.
- Cybersecurity Items (Goods, Software, Technology) Provided for “Vulnerability Disclosure” and “Cyber Incident Response.” Under the interim final rule, the restriction on License Exception ACE for non-Government end-users in Group D:1 or D:5 would not apply to “vulnerability disclosure” and “cyber incident response.”
Apart from these limited carve-outs, License Exception ACE would not be available for “non-government end-users” in Country Groups D:1 or D:5. Moreover, in both cases, the availability of ACE is subject to the other conditions and requirements of the EAR, including that there be “no reason to know” of a malicious cyber end-use under the end-use restriction described below.
What if There is Reason to Know the Items Will Be Used for Malicious Cyber Activities?
In addition to the end-user restrictions, the interim final rule notes that License Exception ACE does not apply where there is either knowledge or “reason to know at the time of export, reexport, or transfer (in-country)… that the ‘cybersecurity item’ will be used to affect the confidentiality, integrity, or availability of information or information systems, without the authorization by the owner, operator, or administrator of the information system.” Notably, BIS interprets knowledge or reason to know broadly, in a manner that does not require a showing of positive knowledge or awareness of the existence of a fact, and regularly evaluates whether there was knowledge or reason to know based on the facts and circumstances surrounding the transaction. Any party relying on License Exception ACE should carefully consider and apply appropriate risk-based due diligence to evaluate potential prohibited end-user and end-use considerations in order to mitigate potential exposure in connection with these controls.
The interim final rule could have significant implications, particularly for companies involved in the export, reexport or transfer of the relevant software or technology. US and non-US companies who deal with “cybersecurity items” and potential foreign investors in US businesses whose activities involve such technologies should assess the potential impact on their businesses and consider submitting comments to BIS before the comment period closes.
[1] The Wassenaar Arrangement defines “intrusion software” as software “specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’, of a computer or network capable device, and performing any of the following:
a. The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or
b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.”
[3] The interim final rule specifies that in the case of deemed exports to foreign nationals in the United States, the restrictions on “cybersecurity items” only apply to Cuba, Iran, Syria, North Korea or a Country Group D “government end-user.”
[4] The interim final rule broadly defines “government end user” to include not just “national, regional or local department, agency or entity that provides any governmental function or service, including international governmental organizations, government operated research institutions,” but also “entities and individuals who are acting on behalf of such an entity.”
[5] The interim final rule adds new definitions for “vulnerability disclosure” and “cyber incident response” to 15 CFR 722.1. “Vulnerability disclosure” is defined as “the process of identifying, reporting, or communicating a vulnerability to, or analyzing a vulnerability with, individuals or organizations responsible for conducting or coordinating remediation for the purpose of resolving the vulnerability.” “Cyber incident response” is defined as “the process of exchanging necessary information on a cybersecurity incident with individuals or organizations responsible for conducting or coordinating remediation to address the cybersecurity incident.”
[6] Thus, non-government end-users in Group D countries not falling under D:1 or D:5, such as Bahrain, Israel, Jordan, Oman, Pakistan, Qatar, Saudi Arabia and the UAE, would not be covered by the non-government end-user restrictions on License Exception ACE.