In a bid to oppose the misuse of technology to abuse human rights or conduct malicious cyber activities, the U.S. Commerce Department on Wednesday announced that it would hence forth bar the sales of hacking software and equipment to authoritarian regimes.
This rule will go into effect in 90 days and will forbid the export, reexport and transfer of “cybersecurity items” to countries of “national security or weapons of mass destruction concern” such as China and Russia without a license from the department’s Bureau of Industry and Security (BIS)
The rule does not cover “intrusion software” itself, but rather the following —
Systems, equipment, and components specially designed or modified for the generation, command, and control, or delivery of intrusion software (ECCN 4A005)
Software specially designed or modified for the development or production of systems, equipment, and components (ECCN 4D001.a)
Software specially designed for the generation, operation, delivery, or communication with intrusion software (ECCN 4D004)
Technology required for the development, production, and use of systems, equipment, and components, and development of intrusion software (ECCNs 4E001.a and 4E001.c)
However, it’s worth noting that the restriction does not apply when it comes to responding to cybersecurity incidents or for purposes of vulnerability disclosure, as well as for pursuing criminal investigations or prosecutions that may follow in the wake of digital intrusions.
It also does not apply when the items are being sold to any “favorable treatment cybersecurity end user,” which could be a U.S. subsidiary, providers of banking and other financial services, insurance firms, and civil health and medical institutions.
This step would align the U.S with 42 European and other countries such as Australia, Canada, India, Russia and South Korea, who are members of Wassenaar Arrangement that lays out voluntary export control policies on conventional arms and dual-use goods and technologies, including internet-based surveillance systems.
The U.S. Secretary of Commerce Gina M. Raimondo has stated that, “The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities.”