U.S. manufacturers, developers and exporters of cybersecurity hardware and software should take note of new export controls on “intrusion detection software” and “IP network communications surveillance” systems and equipment that the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) recently proposed.
Under the proposed rule, the export of the following cybersecurity items to any country in the world, except Canada, will require an export license from BIS: (1) systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, “intrusion software”; (2) software specially designed or modified for the development or production of such systems, equipment or components; (3) software specially designed for the generation, operation or delivery of, or communication with, intrusion software; technology required for the development of intrusion software; and (4) Internet Protocol (IP) network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor. If you are finding yourself reading this scope a few times and wondering how broad the rule is intended to be, you are not alone. Industry was hoping that BIS would clearly define the affected cybersecurity items in its proposed rule and put boundaries around product groups so that companies could quickly ascertain whether or not their products are subject to these new licensing requirements. But the proposed rule does not provide much specificity. Instead, exporters have to go through and analyze myriad terms and defined terms within definitions. To be fair, the rule proposes to implement the agreements on cybersecurity technology that the member states of the Wassenaar Arrangement, including the United States, reached in December 2013. The terms used in this multilateral export control regime are also overly broad.
A key term in the proposed rule is “intrusion software.” The proposed rule offers a two-pronged test. It defines intrusion software as (1) software specially designed or modified to avoid detection by “monitoring tools” or to defeat “protective countermeasures” of a computer or network-capable device, (2) which performs any of the following: (a) the extraction of data or information from a computer or network-capable device, or the modification of system or user data; or (b) the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions. Some of the terms used in the definitions follow their own definitions, and as such the review becomes increasingly complicated. Also, companies should note that “network-capable devices” include cell phones and other mobile devices and smart meters. “Monitoring tools” include antivirus (AV) products, end point security products, personal security products (PSP), intrusion detection systems (IDS), intrusion prevention systems (IPS) and firewalls. The rule defines “protective countermeasures” as techniques designed to ensure the safe execution of code, such as data execution prevention (DEP), address space layout randomization (ASLR) or sandboxing. It also clarifies that intrusion software would not include hypervisors, debuggers or software reverse engineering (SRE) tools; digital rights management (DRM) software; or software designed to be installed by manufacturers, administrators or users, for the purposes of asset tracking or recovery.
No license exceptions will be available, except for some exports to or on behalf of the U.S. government (GOV). This is significant. Exporters accustomed to using license exception ENC won’t be able to use ENC for the cybersecurity technology with encryption that would be subject to the proposed licensing requirements. Moreover, exports of cybersecurity items that fall under the proposed rule and include encryption will also be subject to the requirements, but not the benefits of, license exception ENC. As a result, under the proposed rule exporters of these items have to comply (1) with the new world-wide licensing requirements (except for Canada) of the revised ECCNs that these items are proposed to fall under (e.g., ECCN 4A005) and (2) the registration, review and reporting requirements of license exception ENC (without being able to use license exception ENC to export these items out of the U.S., or to re-export them to a third country).
Developers and manufacturers of cyber security technology should carefully review the proposed rule to determine whether and how it will affect them. The proposed requirement of a license for all exports, reexports, and transfers (in-country) of these cybersecurity items to all destinations, except Canada, is onerous compared to the existing controls on, for example, encryption items that BIS relaxed a few years ago. Companies that would be affected by the proposed rule should consider informing BIS of shortcomings they perceive in the proposed rule, given that BIS welcomes industry to provide written comments. BIS generally reviews all comments received by industry and addresses them in the final rule. Some companies have been able to sway BIS in the past if the proposed wording of the rule brought an item into its scope, but BIS did not intend to impose new controls on that specific item. Comments can be submitted via e-mail to email@example.com (refer to RIN 0694–AG49) by July 20, 2015.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.