BIS Delays Implementation of New Cybersecurity Items Interim Final Rule
In an October 21, 2021 interim final rule (“IFR”), the Bureau of Industry and Security (“BIS”) published long-awaited “cybersecurity items” controls in Categories 4 (Computers) and 5, Pt. 1 (Telecommunications) of the Commerce Control List (“CCL”) and followed the IFR up on November 12, 2021 with relevant FAQs. The IFR will impose new export controls on certain “cybersecurity items” that relate to “intrusion software” or “IP network communications surveillance.” The IFR, originally scheduled to become effective on January 19, 2022, will now become effective on March 7, 2022. In the January 12, 2022 notice announcing the delay, BIS stated it “may consider some modifications for the final rule” and indicated it would “provide the public with additional guidance.” Below we describe the IFR as it currently stands. We will update readers when BIS implements any additional edits to the IFR and/or updates its guidance.
The IFR establishes two (2) new export control classification numbers (“ECCNs”) and expands the control text of several additional ECCNs within the CCL. The IFR collectively defines the items falling under these CCL modifications as the “cybersecurity items.” Each “cybersecurity item” covered in the IFR will be destination-controlled for National Security (“NS”) and Anti-Terrorism (“AT”) reasons. The modifications fall under two (2) broad topics: (i) expanded control text in Category 4 for hardware, software, and technology providing the infrastructure for managing “intrusion software”; and (ii) expanded control text in Category 5, Pt. 1 related to “IP network communications surveillance” items. The IFR also includes notes which clarify that, in the event any commodities or software which qualify as “cybersecurity items” also incorporate “information security” functionality described in any Category 5, Pt. 2 ECCNs (which will often involve encryption or cryptanalysis), then those Category 5, Pt. 2 ECCN classifications will prevail. However, those notes do not cover technology (which has a special definition under the EAR). The notes also specifically state that elements of source code implementing functionality not controlled by Category 5, Pt. 2 may still be subject to the “cybersecurity item” controls implemented by the IFR. “Cybersecurity items” controlled for Surreptitious Listening (“SL”) reasons under pre-existing ECCNs will also remain under those ECCNs.
The new “intrusion software”-related parameters will control hardware and software specially designed or modified for the generation, command and control, or delivery of “intrusion software,” as well as technology for the “development” or “production” of that hardware or software. The EAR’s pre-existing definition of “intrusion software” will remain unchanged. It is primarily designed to describe exploits or payloads that do not involve encryption but that are nonetheless specially designed or modified to avoid detection by ‘monitoring tools’ or to defeat ‘protective countermeasures’ for the purpose of extracting or modifying data, or of modifying the standard execution path of a program or process in order to allow the execution of externally provided instructions. That definition also expressly excludes hypervisors, debuggers, software reverse engineering tools, digital rights management software, and software installed by manufacturers, administrators, or users for asset tracking or recovery. Importantly, the IFR does not impose export controls on the “intrusion software” itself. “Intrusion software,” when designed for military offensive cyberspace operations, would more appropriately be considered for classification purposes under the International Traffic in Arms Regulations (“ITAR”), as clarified by BIS FAQ #5.
The new “IP network communications surveillance” parameters will control telecommunications equipment capable of servicing a carrier class Internet Protocol (“IP”) network, performing application layer analysis, indexing extracted data, and being “specially designed” to execute searches based on “hard selectors” (i.e., personal data) and mapping relational networks of individuals or groups of people (hereafter referred to in this post as the “Telecommunications Surveillance Equipment”). The new and expanded control text will also control the software equivalents of the Telecommunications Surveillance Equipment as well as the test equipment, software, and technology specially designed or modified for the “development,” “production,” or “use” of the Telecommunications Surveillance Equipment.
The IFR also creates a new License Exception Authorized Cybersecurity Exports (“License Exception ACE”). Although License Exception ACE is similar to the EAR’s existing License Exception Encryption Commodities, Software, and Technology (“License Exception ENC”), there are some key differences between the two. Exporters hoping to rely on the new License Exception ACE will need to consider the full range of U.S. export controls represented in its terms and conditions: destination, end-user, and end-use. For instance, License Exception ACE lays out a multi-layered approach in which the nature of the end-user (e.g., “U.S. subsidiary,” “non-government end user,” “government end user,” and/or “favorable treatment cybersecurity end user”) must be considered alongside the destination and any knowledge or “reason to know” of an illegitimate end-use (a concept the IFR does not tie to a specific EAR definition, but which corresponds to what is commonly understood as black hat and/or state-sponsored “hacking”). “Deemed” exports to Country Group D foreign nationals of any Country Group D destination are presumptively not authorized under License Exception ACE. However, when an exporter can determine that the end-user of the export or “deemed” export is a “non-government end user,” License Exception ACE will provide authorization to certain Country Group D destinations for (i) exports to “favorable treatment cybersecurity end users”; (ii) exports for “vulnerability disclosure” or “cyber incident response”; and (iii) “deemed” exports to foreign nationals.
A final note on License Exception ACE, especially for those proficient in License Exception ENC, is that License Exception ACE’s definition of “government end user” is far broader than the parallel definition in License Exception ENC.
Heightened areas of risk under the IFR will include exports and reexports to non-U.S. subsidiaries in Country Group D countries, and the due diligence needed to meet BIS’ “reason to know” standard for the end-use restrictions in License Exception ACE.
Grant Leach is an Omaha-based partner with the law firm Husch Blackwell LLP focusing on international trade, export controls, trade sanctions and anti-corruption compliance.