New Export Controls on Cybersecurity Tools

STRIKING THE BALANCE BETWEEN GOVERNMENT AND INDUSTRY CONCERNS

by Matthew Goldstein and Mark Ludwikowski of CLARK HILL PLC

The U.S. Commerce Department issued an interim final rule last week to establish export controls on cyber intrusion software and other cybersecurity items capable of malicious use. The new controls, effective January 19, 2022, will impose new export restrictions on a range of software and other items routinely used by cybersecurity professionals to do their job.

Although cybersecurity items are capable of malicious use in human rights violations, cybercrime, and cyber-espionage, they also have many legitimate uses. Companies around the world, including U.S. companies with non-U.S. operations, hire cybersecurity professionals to protect their corporate resources and information. These professionals use cybersecurity items to search out network vulnerabilities and exercise a company’s ability to detect and respond to a cyberattack.

The new encryption controls were long-awaited and published as part of United States obligations as a member of the Wassenaar Arrangement, an international export control regime with 41 member states. Under the regime, each member state agrees to implement multilateral export controls through national legislation.

Wassenaar added cybersecurity items to its control list in 2013 and most Wassenaar member countries have already implemented their own export controls on cybersecurity items. However, implementation by the United States was delayed until now.

The Commerce Department originally issued a proposed rule to implement the Wassenaar controls on cybersecurity items in 2015. Despite being published with good intentions, the proposed changes were broad, would have imposed heavy licensing burdens on legitimate transactions that contribute to cybersecurity, and would have impeded legitimate cybersecurity research.

The Commerce Department received hundreds of public comments from academia and private industry, comments from interagency stakeholders, and Congressional testimony noting prospective impacts on legitimate cybersecurity activities and opposing the proposal. The United States therefore returned to the negotiation table and worked with Wassenaar members to narrow the controls.

The interim final rule addresses many of the concerns raised in public comments on the Commerce Department’s original proposal and reflects the most recent Wassenaar changes. Specifically, the new cybersecurity controls will have carve-outs for certain software specially designed and limited to providing basic updates and upgrades meeting certain requirements, and carve-outs for certain technology exchanged in “vulnerability disclosures” and “cyber incident responses,” as defined by the amendments.

The interim final rule further creates License Exception Authorized Cybersecurity Exports (“ACE”), which will authorize exports, reexports, and in-country transfers of certain cybersecurity items to certain classes of end users in most destinations, subject to certain limitations. Notable among these limitations, License Exception ACE will not apply where persons engage in transactions with knowledge or reason to know that a cybersecurity item will be used to affect the confidentiality, integrity, or availability of information or information systems without proper authorization.

The Commerce Department may further revise the new cybersecurity controls before the effective date. It is accepting public comments on the interim final rule until December 6, 2021, and is particularly interested in hearing about the potential cost of complying with the new controls and any prospective impacts on legitimate cybersecurity activities.

About the Authors

Matthew Goldstein

Matthew Goldstein and Mark Ludwikowski are members of Clark Hill’s International Trade Business Unit where they help clients manage risks arising in international transactions that involve hardware, software, technology, and services subject to the U.S. Export Administration Regulations (EAR), International Traffic in Arms Regulations (ITAR), Office of Foreign Assets Control (OFAC) regulations, and other federal regulatory controls. They can be reached at mgoldstein@clarkhill.com and mludwikowski@clarkhill.com. https://www.clarkhill.com/

Mark Ludwikowski

The views and opinions expressed in the article represent the views of the authors and not necessarily the official view of Clark Hill PLC. Nothing in this article constitutes professional legal advice nor is intended to be a substitute for professional legal advice.