Commerce Department Tightens Export Controls on Cybersecurity Items

WASHINGTON — The Department of Commerce’s Bureau of Industry and Security announced on Wednesday it would institute new export controls over cybersecurity items such as cyber intrusion software that can be used maliciously.

The department’s new policy also creates a new license exception for authorized cybersecurity exports to “most destinations” while keeping a licensing requirement for “exports to countries of national security or weapons of mass destruction concern,” Commerce Department officials said in a release. Countries under U.S. arms embargoes are eligible for the exports but are subject to additional licensing requirements.

Restricted end users targeted by the rule will need to include a “government end user” for countries that pose certain national security risks while still allowing exclusions. Further, the license exception for authorized cybersecurity exports will require an end-use restriction in instances where “the exporter, re-exporter, or transferor” has reason to believe at the time of the export that the cybersecurity export will be used for malicious purposes without the owner, operator or administrator’s knowledge.

The new policies were made to better ensure the technology is not being misused to “abuse human rights or conduct other malicious cyber activities” in order to certify that domestic technology firms are not bolstering “authoritarian practices,” according to the Commerce Department. Department officials are also encouraging U.S. exporters of the cybersecurity items to consult with the State Department’s guidance on implementing “Guiding Principles” regarding transactions linked to foreign end users to minimize the potential for misuse of the products.

The department made the rule consistent with specifications ironed out in negotiations in the Wassenaar Arrangement, a voluntary export control authority in which participating entities exchange information on “transfers of conventional weapons and dual-use goods and technologies,” according to the Arms Control Association. Public comments on the rule’s speculated impact on domestic industries and the cybersecurity community may be submitted no later than 45 days from Wednesday ahead of the rule’s enactment.

“The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights,” Commerce Secretary Gina Raimondo said in a written statement. “The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities.” 

Reece can be reached at [email protected].