- Commerce Department releases interim final rule tightening export controls on cybersecurity items
- Controls aim to prevent American exports from being misused and contributing to authoritarian practices
- Comments being accepted through Dec. 6, with the final rule set to go into effect on Jan. 19
Summary by Dirk Langeveld
The Commerce Department is proposing tighter export controls on cybersecurity items in a bid to prevent the materials from being used for human rights abuses or malicious cyber activities.
The department’s Bureau of Industry and Security has issued an interim final rule to establish controls on the export, reexport, or transfer in country of certain items. It is accepting public comments on the rule until Dec. 6, with the anticipation that it will make further revisions before the changes become effective on Jan. 19.
“The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights,” said Commerce Secretary Gina Raimondo. “The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities.”
The rule states that the items warrant controls because they “could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it.” In particular, they are meant to prevent governments from misusing products or services with surveillance capabilities and ensure that U.S. exporters are not inadvertently contributing to authoritarian practices.
The United States is part of the Wassenaar Arrangement, a multilateral export control regime, and most other participants have already established cybersecurity controls. The Commerce Department first proposed cybersecurity export controls in 2015 and received nearly 300 comments from private businesses, academia, and other entities. The proposed controls were narrowed after several commenters raised concerns that the rules were too broad and would negatively impact legitimate cybersecurity research and incident response activities.
The new controls exclude certain software which is specially designed and limited to providing basic updates and upgrades. They also exclude some technologies, such as those used to identify and analyze cyber vulnerabilities or respond to cyber incidents.
The rule establishes a new License Exception Authorized Cybersecurity Exports (ACE) which would allow the export, re-export, or transfer in-country of cybersecurity items to most destinations. It retains a license requirement for exports to countries with national security or weapons of mass destruction concerns, as well as those subject to a U.S. arms embargo.
The Commerce Department encouraged exporters to consult with State Department resources to minimize the risk that their products and services aren’t misused by foreign governments.