On October 21, 2021, the Department of Commerce’s Bureau of Industry and Security (BIS) issued an interim final rule (the rule) implementing expanded export controls on cybersecurity items based on the belief that these items “could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it.” The new controls on cybersecurity items stem from the 2013 addition by the Wassenaar Arrangement¹ (WA) of cybersecurity items, including intrusion software to Wassenaar’s list of controlled items. Public comments in 2015 indicating significant concerns over BIS’s implementation and scope of the proposed controls resulted in renegotiation of these controls at the WA’s 2017 meeting. Last week’s rule implements the WA 2017 controls. The rule is intended to prevent malicious “intrusion software” from being exported to certain countries of concern without a BIS license and not to hinder responses to cybersecurity flaws and incidents.

New Cybersecurity Related ECCNs

The rule creates new controls on hardware and software (ECCNs 4A005 and 4D004, respectively) specially designed or modified for the generation, command and control, or delivery of intrusion software. The EAR defines intrusion software as software specially designed or modified to avoid detection by monitoring tools² or to defeat protective countermeasures,³ of a computer or network capable device (such as a mobile device or smart meter). Intrusion software either 1) extracts data or information (from the computer or network-capable device) or modifies system or user data or 2) modifies the standard execution path of a program or process in order to allow the execution of externally provided instructions. According to the proposed rule, it does not include any of the following: Hypervisors, debuggers or Software Reverse Engineering (SRE) tools; Digital Rights Management (DRM) software; or software designed to be installed by manufacturers, administrators, or users, for the purposes of asset tracking or recovery.

The rule also adds paragraph 5A001.j “IP network communications surveillance systems or equipment” to ECCN 5A001 which is similar to controls on…