Tech Industry Objects to Potential BIS Rule Change to Cybersecurity Items

On May 20, 2015 the Bureau of Industry and Security (BIS) within the Department of Commerce (Commerce) published a proposed rule that will affect exports of products dubbed “cybersecurity items”: intrusion software and network communications surveillance systems, and related systems, equipment, software, components and technology.

Although some of these “cybersecurity items” are currently controlled for their “information security” functionality, the proposed rules:

  1. substantially increase the items controlled;
  2. require a license for the export, reexport, or transfer (in-country) of these items to all destinations except Canada;
  3. increase the information that must be supplied to support a license application;
  4. impose relatively stringent licensing policy on license applications; and
  5. substantially narrow the license exceptions available.

The purpose of these proposed rules is to implement the Wassenaar Arrangement (WA) 2013 Plenary Agreements, which require Participating States such as the United States to control for all items on the WA control lists.
 
Specifically, the BIS proposed rule includes the following changes related to intrusion software and network communication surveillance systems:

  • Creating a new definition of “intrusion software”:
    • "Software" specially designed or modified to avoid detection by “monitoring tools,” or to defeat “protective countermeasures,” of a computer or network capable device, and performing any of the following:
      • (a) The extraction of data or information, from a computer or network capable device, or the modification of system or user data; or
      • (b) The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.
    • “Monitoring tools” are software and hardware devices that monitor system behaviors, such as antivirus products, end point security products, Personal Security Products (PSP) Intrusion Detection Products (IDS), Intrusion Prevention Systems (IPS) or firewalls.  Thus, any software that is specially designed or modified to avoid detection by antivirus products or firewalls would be captured provided it also performed either the extraction of data/information or modification of program requirements.
    • “Protective countermeasures” are techniques to ensure the safe execution of code, such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) or sandboxing. 
    • However, “intrusion software” does not include:
      • Hypervisors, debuggers, or Software Reverse Engineering (SRE) tools;
      • Digital Rights Management software; or
      • Software designed to be installed by manufacturers, administrators, or users, for the purposes of asset tracking and recovery.
    • “Network-capable devices” include mobile devices and smart meters.
  • Adding two new export control classification numbers (ECCNs) for software (ECCN 4D004) and related systems, equipment, software, and components (ECCN 4A005) related to “intrusion software” to the Commerce Control List (CCL). Because these new ECCNs would be controlled for national security (NS), regional stability (RS), and anti-terrorism (AT), an export license would be required for all destinations, except Canada. There are no license exceptions available for these items, except for certain portions of License Exception GOV (e.g., exports to or on behalf of the United States Government pursuant to § 740.11(b) of the Export Administration Regulations (EAR)).
    • 4A005:  “systems,” “equipment,” or “components” for intrusion software, “specially designed” for the generation, operation or delivery of, or communication with “intrusion software.”
    • 4D004:  “software” “specially designed” for the generation, operation or delivery of, or communication with, “intrusion software.”

It is noteworthy that these two ECCNs are both far broader than the intrusion software itself but encompass systems, equipment, components and software specially designed for the “generation, operation or delivery of, or communication with, ‘intrusion software.’”

  • Amending two existing ECCNs affected by “intrusion software.” No license exceptions are available for these items, including Strategic Trade Authorization (STA) or Technology and Software Under Restriction (TSR).
    • 4D001: would additionally control “software” “specially designed” or modified for the “development” or “production” of equipment controlled by new ECCN 4A005.
    • 4E001: would additionally control “technology” “required” for the “development” of intrusion software. 
  • Amending ECCN 4E001 so that it covers technology for the newly added 4A005 and 4D004, as well as technology “required” for the development of “intrusion software.”
  • Adding 5A001.j to control IP network communications surveillance systems, equipment and components that meet all of a number of criteria.

Exports of these newly cybersecurity controlled items would require a license to all countries except Canada, and be subject to a relatively strict licensing policy with a favorable policy of review only for:

  1. Exports to subsidiaries of US companies, but not those located in D:1 or E:1 countries such as China, Russia or Ukraine;
  2. Exports to “foreign commercial partners” in A:5 – that is, foreign-based non-governmental end-users that have a business need to share the proprietary information of U.S. company and are contractually bound to the US company; and
  3. Exports to government end-users in Australia, Canada, New Zealand and the United Kingdom.

All other license applications will receive a case by case review to determine if the transaction is contrary to the national security or foreign policy interests of the United States, including promoting the observance of human rights around the world.
 
Cybersecurity items that have encryption functionality are controlled under the new cybersecurity ECCNs but still have to undergo all the encryption review requirements.
 
In response to BIS’ request for public comments to be submitted by July 20, software and technology companies have uniformly objected to this regulation. For example, Google posted an article on its public policy blog stating that “these proposed rules, as currently written, would have a significant negative impact on the open security research community. They would also hamper our ability to defend ourselves, our users, and make the web safer. It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure.” Industry groups and nonprofits, such as the Electronic Frontier Foundation (EFF) and the Internet Association (whose members include major industry players), have submitted similar comments.

Contacts

Continue Reading