By Samuel Rubenfeld
Wednesday, October 20, 2021
The U.S. Department of Commerce on Wednesday announced an interim rule that would place restrictions on exports of items that can be used for malicious cyber activity, such as surveillance or espionage.
The rule, which takes effect 90 days after it is entered in the Federal Register, is technical and imposes controls on specific tools, such as “network communications surveillance systems” or components used for “intrusion software,” according to a draft released ahead of publication.
It comes months after the leak of documents revealing the targets of Pegasus, military-grade software that was developed by an Israeli firm and sold to governments for tracking terrorists but was instead used to track journalists, human rights activists, business leaders and others.
The rule implements a license requirement for exports of cyber tools to countries of concern relating to national security or weapons of mass destruction, as well as to nations under a U.S. arms embargo, the Commerce Department said in a statement. However, it would also create an exemption to avoid impeding legitimate cybersecurity research and incident response work.
“The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights,” said U.S. Secretary of Commerce Gina M. Raimondo.
The Commerce Department had proposed restrictions on exports of certain cyber-related items in 2015, two years after the Wassenaar Arrangement, an international agreement on export controls for dual-use goods and technology, had added them to its list, according to the draft.
But the department received nearly 300 comments that had “raised substantial concerns” about the proposal’s scope, saying it was overly broad and imposed a heavy burden on legitimate cybersecurity work, the draft said. So the department shelved the plan and went back to the Wassenaar Arrangement to negotiate changes. The Wassenaar Arrangement published its changes in December 2017 and the interim rule implements them in the U.S., the draft said. Among them: adding language to more specifically control tools that can be used maliciously.
The Commerce Department still wants more feedback on the interim rule’s projected effects on U.S. industry and the cybersecurity community, it said in the statement.
The U.S. rule also follows a European Union overhaul of its export control regime on dual-use goods, including certain cyber surveillance equipment. The EU regulation didn’t provide an initial list of items subject to the controls, Kharon reported when it went into effect.
Under the U.S. rule, items and categories are spelled out, along with the applicable license requirements, including which jurisdictions fall under each mandate. The U.S. already restricts exports of products with encryption, so the new rule applies to items without it, officials told The Washington Post. Because of its limited scope, the department “believes the impact would be minimal,” according to the rule.
“The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities,” Raimondo said.