9 November 2021, 11 minute read

BIS Interim Final Rule: Commerce cybersecurity controls were years in the making

On October 21, 2021, the Department of Commerce’s Bureau of Industry and Security (BIS) published an interim final rule (Interim Final Rule) establishing new controls in the Export Administration Regulations (EAR) on the export of certain cybersecurity exploitation, intrusion and monitoring hardware and software. The rule provides new definitions, creates new export control classification numbers (ECCNs), and establishes license exception “Authorized Cybersecurity Exports” (ACE). Although License Exception ACE may authorize exports to most countries, it is highly fact-specific, limiting its utility to a narrow subset of export transactions.

Background

The Interim Final Rule has been years in the making. Originally published in May 2015, BIS’s proposed controls on cybersecurity products, which mirrored those controls and definitions established under the multilateral Wassenaar Arrangement list, generated significant concern and criticism from the cybersecurity and IT industries in the United States. The hundreds of public comments received in 2015 identified several issues, led by a concern that overbroad definitions and license requirements in the proposed rule would chill legitimate activity – such as the detection and reporting of “zero day” flaws that could lead to cyber breaches – and reduce the overall ability of the industry to continue to increase the security of devices and networks.

BIS took careful note of these comments and worked within the Wassenaar process to address them, mainly by seeking to narrow the scope of technology, software, and activities that would be subject to license requirements. With the Interim Final Rule, which takes effect on January 19, 2022, BIS implements these modifications and replaces the proposals in the 2015 proposed rule.

New terms and definitions

To narrow the scope of these cybersecurity controls, BIS incorporated two new defined terms in the EAR:

  • “vulnerability disclosure” means “the process of identifying, reporting, or communicating a vulnerability to, or analyzing a vulnerability with, individuals or organizations responsible for conducting or coordinating remediation for the purpose of resolving the vulnerability”
  • “cyber incident response” means “the process of exchanging necessary information on a cybersecurity incident with individuals or organizations responsible for conducting or coordinating remediation to address the cybersecurity incident”

These terms exclude software platforms developed for either of these purposes from control under the new ECCN 4E001.c, discussed below.

New export controls on certain cybersecurity items

The Interim Final Rule adds several new categories of cybersecurity-related hardware, software, and technology to the list of items controlled for export under the EAR. These items are identified by new ECCNs on the Commerce Control List (CCL) in Categories 4 and 5 Part 2, including those described below.

  • ECCN 4A005: systems, equipment, and components specially designed or modified for the generation, command and control, or delivery of intrusion software
    • The use of the terms “command and control” relating to this type of hardware is meant to narrowly control products only when used maliciously.
  • ECCN 4D004: software specially designed for the development or production of products controlled under 4A005
    • There is an exclusion note under this category for specially-designed software patches providing basic updates and upgrades. This exclusion applies as long as the upgrade is authorized by the system administrator and does not result in conversion to intrusion software. This exclusion is intended to prevent the new export controls from restricting legitimate cybersecurity activity, such as the patching of “zero day” flaws in software.
  • ECCN 4E001.a: controls technology for the development, production, or use of equipment or software controlled under category 4A
    • This broad category captures technology related to the development, production and use of 4A005 hardware but excludes software designed for vulnerability disclosure and cyber incident response, as noted above.
  • ECCN 4E001.c: controls technology for the development of intrusion software
    • Like 4E001.a, this ECCN excludes software designed for vulnerability disclosure and cyber incident response.
  • For technology that falls under new ECCNs 4E001.a and 4E001.c, BIS notes that it can request information from companies making use of the exclusions discussed above to verify their compliance with the scope of the exclusions. It is unclear at this time how frequently BIS will subject companies to such scrutiny.
  • The new rule adds ECCN 5A001.j, which covers certain IP network communications surveillance systems and equipment, and “specially designed” components therefor, when such systems and equipment:
    • perform all of the following functions on a carrier class IP network (eg, national grade IP backbone):
      • analysis at the application layer (eg, Layer 7 of the Open Systems Interconnection (OSI) model (ISO/IEC 7498-1));
      • extraction of selected metadata and application content (eg, voice, video, messages, attachments); and
      • indexing of extracted data; and
    • are “specially designed” to carry out all of the following:
      • executing searches on the basis of “hard selectors”; and
      • mapping of the relational network of an individual or of a group of people

BIS emphasizes that the above category does not apply to IP network communications systems or equipment specially designed for marketing, network quality of service, or quality of experience purposes.

Applicable license exceptions

Few standard license exceptions are available for items in the above categories. However, BIS has established a completely new license exception – License Exception ACE – for certain export activities related to these newly controlled cybersecurity items. License Exception ACE is intended to allow exports, reexports, and transfers of cybersecurity items for certain legitimate activities (ie, activities intended to increase the security of data, devices, and networks from unauthorized breaches) including cybersecurity research and cyber incident response, acknowledging the potentially negative impacts raised in response to the proposed rule in 2015. As described below, however, License Exception ACE is complex and limited in many important ways.

License Exception ACE applies only to certain eligible “cybersecurity items,” “digital artifacts,” “favorable treatment cybersecurity end-users,” and “government end-users” as defined below:

  • “cybersecurity items” are defined as a combination of the new and existing ECCNs. In summary, this term describes products specially designed for delivery of intrusion software capable of undetected activities such as hacking
  • “digital artifacts” are “items (eg, “software” or “technology”) found or discovered on an information system that show past or present activity pertaining to the use or compromise of, or other effects on, that information system”
  • “favorable treatment cybersecurity end-users” are “any of the following: (i) [a] ‘US subsidiary’; (ii) providers of banking and other financial services; (iii) insurance companies; or (iv) civil health and medical institutions providing medical treatment or otherwise conducting the practice of medicine, including medical research”
  • “government end-user” means a “national, regional or local department, agency or entity that provides any governmental function or service, including international governmental organizations, government operated research institutions, and entities and individuals who are acting on behalf of such an entity. This term includes retail or wholesale firms engaged in the manufacture, distribution, or provision of items or services, controlled on the Wassenaar Arrangement Munitions List.”

License Exception ACE – application

License Exception ACE allows the export, reexport, and transfer (in-country) of “cybersecurity items” to most countries. License Exception ACE does not apply to exports, reexports or transfers of such items to (i) Cuba, Iran, North Korea, Crimea, and Syria; (ii) government end-users in Country Group D (eg, Russia, China, Saudi Arabia, and the United Arab Emirates); and (iii) non-government end-users in Country Group D:1 and D:5 (eg, China, Russia).

The Interim Final Rule, however, makes an exception to such limitations on License Exception ACE for exports of the newly controlled cybersecurity items to any favorable treatment cybersecurity end-user, and for vulnerability disclosures or cyber incident response to government end-users listed under Country Group D. This “exception to the exception” also applies to non-government end-users in Country Group D:1 and D:5. In other words, exporters are free to use License Exception ACE for government and non-government end-users in D:1 and D:5 countries as long as the end-user or type of response falls into one of the “exception to the exception” categories. For example, companies could potentially use the “exception to the exception” to export information on a vulnerability to a Russian government end-user to facilitate an exchange of necessary information on a cybersecurity incident with individuals or organizations responsible for conducting or coordinating remediation to address the cybersecurity incident.

In practice, the complexities and the myriad potential use cases for License Exception ACE – and the “exception to the exception” – will require careful analysis and may be challenging to apply. As a result, the Interim Final Rule may still chill legitimate cybersecurity activity because the new controls may be applied overly broadly. Companies that have such concerns over the new rule, or that may see other negative impacts to their business from the controls as proposed, may wish to comment on the Interim Final Rule to ensure their views are properly accounted for in any final rule issued by BIS.

Conclusion

For businesses involved in these types of transactions, it is important to maintain strict record keeping procedures when invoking exceptions such as ACE because of its complexity. By relying on an exception for a particular export transaction, a company is acting on its own assessment of the regulations, which leaves it vulnerable to potential liability arising from incorrect determinations. Companies relying on License Exception ACE should carefully document their analysis and assemble supporting evidence so that, if required, they can demonstrate to BIS that each element of the exception is satisfied.

Additionally, when relying on ACE, companies should consider additional end-user and end-use assurances to demonstrate “Know Your Customer” diligence. If exporting to sensitive countries, these assurances can help to avoid or mitigate potential penalties.

Companies that believe their products are captured by the new controls should also submit commodity classification requests to BIS for such products to ensure they are properly classifying their items for export and can use such a request to make arguments to BIS for why their products should not be included in the new controls, if such arguments are applicable.

In sum, the new interim rule substantially revises and narrows the previously proposed export controls on cybersecurity items but includes several complex concepts and requirements that may be challenging for some companies to apply. Companies that are potentially impacted should carefully review the new rules and consider whether to submit comments in advance of any final rulemaking on this topic. Comments must be received by BIS no later than December 5, 2021.