Being a White-Hat Hacker Just Got Tougher: U.S…


On October 21, 2021, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) published new export controls on certain cybersecurity items that ban the export or resale of hacking tools to authoritarian regimes, and it created a new license exception for those items. The new regulations aim at tightening export controls on cybersecurity tools, including intrusion software, Internet Protocol (IP) network communications surveillance, and related technology that could be used by threat actors to conduct malicious cyber activities and surveillance. BIS is requesting public comments until December 6, 2021, for potential revision before the interim final rule takes effect on January 19, 2022.

BIS contends that these controls are narrowly drawn, focusing on specific cyber-intrusion and network surveillance equipment, software and technology, and that, when combined with the new license exception, they should have limited impact. The rule adopts cybersecurity controls previously agreed to at the multilateral Wassenaar Arrangement, bringing U.S. controls into alignment with those already adopted by the EU and other jurisdictions. However, network infrastructure manufacturers, cybersecurity software and service providers, IT forensics firms, bug bounty programs, and those engaged in vulnerability testing and research may feel the impact of the rule. Further, exports to countries of national security concern such as China and Russia will be highly restricted, and companies dealing with Cyprus, Israel and Taiwan will have to navigate new restrictions, notwithstanding those countries’ stronger relationships with the U.S.

This rulemaking provides an opportunity for companies engaged in cybersecurity activities to evaluate whether the controls are indeed narrow enough to exclude their legitimate routine business activities, and to provide comments to BIS on any unintended consequences of these controls.

Background

These new cybersecurity export controls close the loop on a proposed rule, issued by BIS in 2015, to implement multilateral controls agreed to by the Wassenaar Arrangement in 2013. After issuing the proposed rule, BIS received overwhelming feedback from…
