Bureau of Industry & Security Issues New Export Controls on “Cybersecurity Items”

On October 21, 2021, the Bureau of Industry & Security (BIS) of the US Department of Commerce issued a significant interim final rule (the Interim Rule).  The Interim Rule, reflecting an overall recent government emphasis on cybersecurity and ransomware issues, establishes new export controls for “cybersecurity items” such as intrusion software and network surveillance equipment and related technology that can be used for malicious cyber activities.  The Rule incorporates new Export Control Classification Numbers (ECCNs), new defined terms, and a new license exception for “Authorized Cybersecurity Exports” (the License Exception ACE).  It is scheduled to take effect within 90 days of publication on January 19, 2022, pending any changes that BIS may elect to make based upon public comments.  The deadline for the receipt of comments is December 6, 2021.

BIS first sought to introduce specific controls on intrusion software and related items with a Proposed Rule in May 2015.  Following extensive public comments and industry concerns that the proposed controls were overbroad and would negatively impact legitimate cybersecurity research and incident response efforts, BIS withdrew the Proposed Rule.  BIS went on to negotiate changes to the relevant control list under the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (Wassenaar Arrangement).  The Interim Rule represents the first revised framework BIS has presented since 2015.

Key takeaways from the Interim Rule include the following:

• US Secretary of Commerce Gina M. Raimondo noted that the Interim Rule is intended to be “appropriately tailored” so as to not impede “legitimate cybersecurity activities.” However, companies operating in the cybersecurity space that do business with persons in Country Group D countries (such as the People’s Republic of China) should be aware that the new framework proposed by BIS may require additional due diligence, since the availability of License Exception ACE will require a threshold assessment of whether the end user of a covered cybersecurity item in Group D is a “government end-user” or a “non-government end-user.”
• BIS has defined the term “government end-user” significantly more broadly for purposes of ACE than the existing definition applicable to encryption items in Section 772.1 of the EAR. As a result, any private company that is providing, directly or through an agent, a “governmental function or service,” could conceivably fall within the scope of the term “government end user,” regardless of whether the entity is engaged in the manufacture or distribution of items or services controlled on the Wassenaar Arrangement Munitions List.
• Finally, the Interim Rule provides that License Exception ACE will be unavailable if the exporter, reexporter, or transferor either “knows” or “has ‘reason to know’” that a “cybersecurity item” will be used to impact information or information systems without due authorization. (emphasis added).    Existing BIS guidance indicates that the “reason to know” standard requires, at a minimum, the exercise of “reasonable due diligence” based upon “all readily available information.”  Not all license exception under the EAR include a “reason to know” due diligence requirement.

We provide further detail on the key provisions of the Interim Rule below.

New Definitions Created by the Interim Rule

The Interim Rule adds several definitions that are valid solely for purposes of the ACE license:

“Government end user”

The definition of this term for purposes of License Exception ACE appears to be significantly broader than the definition of “government end users” otherwise applicable to encryption items under the EAR.  See 15 C.F.R. § 772.1.  The definition otherwise applicable under the EAR in the context of encryption items carves out entities in a number of economic sectors, as well as specifically excluding “retail or wholesale firms” that are not engaged in the manufacture or distribution of items or services controlled on the Wassenaar Munitions List.  By contrast, the new definition applicable to License Exception ACE contains no sectoral carve-outs and specifically encompasses, among other things, any entity providing a “governmental function or service” or any agents of such persons, including a range of “retail or wholesale” companies.

“Cybersecurity Items”

This term is defined solely for purposes of License Exception ACE to include the newly-added ECCNs and related items.  The newly added ECCNs generally cover “intrusion” items—systems, equipment, components, and technology that have been specially designed on modified for the generation, “command and control,” or delivery of “intrusion software”—as well as “surveillance” systems or equipment for IP network communications.  These are described more fully below.

“Digital artifacts”

This term is defined to include “software” or “technology” that show evidence of past or present activity relating to the use or compromise of, or other effects on, a system.

“Favorable treatment cybersecurity end user”

This term is defined to include any one of four categories of entity, i.e., (i) a “US subsidiary,” (ii) “[p]roviders of banking and other financial services,” (iii) “[i]nsurance companies,” and (iv) “[c]ivil health and medical institutions” that either “provid[e] medical treatment” or are otherwise engaged in “conducting the practice of medicine.”

“Cyber incident response”

This term is added to Section 772.1 as a defined term generally applicable under the EAR.  It refers to “the process of exchanging necessary information on a cybersecurity incident with individuals or organizations responsible for conducting or coordinating remediation to address the cybersecurity incident.”

“Vulnerability disclosure”

This term is added to Section 772.1 as a defined term generally applicable under the EAR.  It refers to “the process of identifying, reporting, or communicating a vulnerability to, or analyzing a vulnerability with, individuals or organizations responsible for conducting or coordinating remediation for the purpose of resolving the vulnerability.”

License Exception ACE

Exception ACE provides a license exception for export, reexport, or transfer of Cybersecurity Items that would otherwise be restricted under the ECCNs defined in Interim Rule.  As a threshold matter, ACE is not available for persons from Country Group E, i.e., Cuba, Iran, North Korea, and Syria.  On the other hand, if a transaction involves a person from one of the 48 countries listed in Country Group D, additional due diligence may be required to assess whether the end user is a “government end user” within the meaning of the Interim Rule, since the new definition of that term may apply to a broad range of any “entit[ies] that provide[] any governmental function or service.”

The following are the three categories of Country Group D end users:

• “Government end users” in any Group D country. ACE is generally not available for government end users in any Country Group D country.  However, there are narrow exceptions for Cyprus, Israel, and Taiwan (the CIT exception), which are Country Group D countries that are cross-listed in Group A:6.  The CIT exception applies (i) where the transaction involves “digital artifacts” related to a cybersecurity incident involving information systems owed or operated by a “favorable treatment cybersecurity end user,” e., a subsidiary of a US company, or to “police or judicial bodies” for criminal or civil investigations; or (ii) where the end user is the “national computer security incident response team” in the relevant country for the purpose of responding to cybersecurity incidents, “vulnerability disclosure,” or criminal or civil investigations.
• “Non-government end users” in Group D:1 or D:5 countries. ACE is also not available for non-government end users in Country Groups D:1 or D:5, except for exports, reexports, or transfers (i) of Cybersecurity Items falling within certain ECCNs when the end user is a “favorable treatment cybersecurity end user; or (ii) transactions that fall within the scope of “vulnerability disclosure” or “cyber incident response.”  Group D:1 imposes controls for national security reasons, while Group D:5 consists of countries subject to US arms embargoes.
• “Non-government end users” in Group D:2, D:3, or D:4 countries. ACE is generally available for non-government end users in Country Group D:2 (nuclear controls), D:3 (chemical and biological controls), or D:4 (missile technology controls) countries.

Finally, License Exception ACE is not available if the exporter, reexporter, or transferor “knows” or has “reason to know” at the time of export, reexport, or transfer, that the cybersecurity item “will be used to affect the confidentiality, integrity or availability of information or information systems, without authorization by the owner, operator or administrator of the information system (including the information and processes within such systems).”  This exclusion applies to deemed exports and reexports.  BIS’s Guidance on Charging and Penalty Determinations in Settlement of Administrative Enforcement Cases, 15 C.F.R. § Pt. 766, Supp. 1, provides that “[i]n the case of a corporation, awareness will focus on supervisory or managerial level staff in the business unit at issue, as well as other senior officers and managers.”  Moreover, the Guidance suggests that the “reason to know” standard requires “the exercise of reasonable due diligence.”

In sum, parties that seek to export, reexport, or transfer Cybersecurity Items subject to the controls announced in the Interim Rule will have to make a threshold assessment of whether the end user constitutes a “government end user” in order to determine whether License Exception ACE will be available, which may require additional due diligence.

On the other hand, we note that ACE is not needed/applicable in the following three situations: (i) if the item is “published” within the meaning of 15 C.F.R. § 734.7, it is not subject to the EAR; (ii) if the item has “information security” functionality and is subject to certain controls under Category 5—Part 2 of the Commerce Control List (CCL), then the Category 5—Part 2 provisions control; and (iii) if the item is controlled for “surreptitious listening” (SL) under another ECCN, then the SL classification will control.

New ECCNs

• ECCNs covering “intrusion software” and related equipment and technology: 4A005, 4D004, and 4E001.c

ECCNs 4A005 (systems, equipment, and components) and 4D004 (software) control items that are specially designed or modified for the generation, “command and control,” or delivery of “intrusion software.”  ECCN 4E001.c applies to “technology” used for the development of “intrusion software.”   BIS specifically introduced the “command and control” language into the definition for hardware and software to address concerns from industry that the language in the Proposed Rule from 2015 would overly restrict companies engaged in legitimate cybersecurity activities.

The notes to these ECCNs carve out certain end uses from the scope of the controls.  For example, the note to 4D004 provides that this ECCN does not control software designed to provide updates or upgrades, provided, inter alia, that the software is not “intrusion software” (a defined term under the EAR.  Similarly, Note 1 to 4E001.a and 4E001.c states that these ECCNs do not apply to “vulnerability disclosure” or “cyber incident response,” both of which are defined terms in the Interim Rule (please see below).

• ECCN covering “surveillance” equipment: 5A001.j

ECCN 5A001.j applies to IP network communications surveillance systems or equipment, as well as components that have been specially designed for such systems or equipment, that meet the technical criteria enumerated, including that it be specially designed to execute searches on the basis of “hard selectors” and to map the relational network of an individual or group.  The Note to ECCN 5A001.j specifically excludes systems or equipment that has been specially designed for marketing purposes, network quality of service (QoS), or quality of experience (QoE).

* * *

We will continue to monitor developments in this area, and encourage you to subscribe to be kept informed of latest developments. Please contact the authors or your usual Herbert Smith Freehills contacts for more information.