The U.S. Commerce Department on Wednesday announced new rules barring the sale of hacking software and equipment to authoritarian regimes, where such tools could potentially facilitate human rights abuse, citing national security (NS) and anti-terrorism (AT) reasons.
The mandate, which is set to go into effect in 90 days, will forbid the export, reexport and transfer of "cybersecurity items" to countries of "national security or weapons of mass destruction concern" such as China and Russia without a license from the department's Bureau of Industry and Security (BIS).
"The United States Government opposes the misuse of technology to abuse human rights or conduct other malicious cyber activities, and these new rules will help ensure that U.S. companies are not fueling authoritarian practices," BIS said in a press release.
The rule does not cover "intrusion software" itself, but rather the following:
- Systems, equipment, and components specially designed or modified for the generation, command and control, or delivery of intrusion software (ECCN 4A005)
- Software specially designed or modified for the development or production of systems, equipment, and components (ECCN 4D001.a)
- Software specially designed for the generation, operation, delivery, or communication with intrusion software (ECCN 4D004), and
- Technology required for the development, production, and use of systems, equipment, and components, and development of intrusion software (ECCNs 4E001.a and 4E001.c)
However, the restriction does not apply to responding to cybersecurity incidents or to vulnerability disclosure, nor to criminal investigations or prosecutions that may follow in the wake of digital intrusions.
It also doesn't apply when the items are being sold to any "favorable treatment cybersecurity end user," which could be a U.S. subsidiary, providers of banking and other financial services, insurance firms, and civil health and medical institutions.
The move is expected to align the U.S. with 42 European and other countries such as Australia, Canada, India, Russia, and South Korea, which are members of the Wassenaar Arrangement that lays out voluntary export control policies on conventional arms and dual-use goods and technologies, including internet-based surveillance systems.
"The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights," U.S. Secretary of Commerce Gina M. Raimondo said.
"The Commerce Department's interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America's national security against malicious cyber actors while ensuring legitimate cybersecurity activities," Raimondo added.