US Department of Commerce proposes licensing requirements for export and transfer of cybersecurity items

International Trade Alert

Cybersecurity Law Alert

In December 2013, the Wassenaar Arrangement, a group of 41 countries including the United States, agreed to add so-called cybersecurity items to its list of controlled dual-use items. On May 20, 2015, the Department of Commerce, Bureau of Industry and Security (BIS), proposed a rule to implement the new dual-use controls. The proposed rule imposes an export licensing requirement for the export, re-export or transfer (in-country) of cybersecurity items to all destinations, except Canada.

Controlled cybersecurity items

The following are included as “cybersecurity items” under the proposed rule:

  • Systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software (ECCN 4A005)
  • Software specially designed or modified for the development or production of such systems, equipment or components (ECCN 4D001)
  • Software specially designed for the generation, operation or delivery of, or communication with, intrusion software (ECCN 4D004)
  • Technology required for the development of intrusion software (ECCN 4E001)
  • Internet Protocol (IP) network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor (ECCN 5A001).

New definition of “intrusion software”

The rule proposes to add a new definition of “intrusion software.” The term is defined as software specially designed or modified to avoid detection by “monitoring tools” or to defeat “protective countermeasures” and performing:

  • The extraction of data or information, from a computer or network-capable device, or the modification of system or user data or
  • The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions

“Monitoring tools” are defined as software or hardware devices that monitor system behaviors or processes running on a device. “Protective countermeasures” are techniques designed to ensure the safe execution of code.

Excluded from the definition are hypervisors, debuggers or software reverse engineering tools, digital rights management software and software designed for the purpose of asset tracking or recovery.

Addition of two Export Control Classification Numbers (ECCNs) to the Commerce Control List (CCL)

The rule proposes to add ECCNs 4A005 and 4D004 (detailed above) to the CCL while amending existing ECCNs 4D001, 4E001 and 5A001. ECCNs 4A005 and 4D004 are to be controlled for anti-terrorism, national security and regional stability reasons. No license exceptions would be available for these new ECCNs except certain portions of License Exception GOV (government end users).

Addition of network communication surveillance systems to ECCN 5A001

The rule proposes to add IP network communication surveillance systems in paragraph 5A001.j to ECCN 5A001. IP network communication surveillance systems are defined as including all of the following:

  • Performing all of the following on a carrier class IP network:
      • Analysis at the application layer
      • Extraction of selected metadata and application content and
      • Indexing of extracted data and
  • Being “specially designed” to carry out all of the following:
      • Execution of searches on the basis of “hard selectors” and
      • Mapping of the relational network of an individual or of a group of people.

“Hard selectors” are defined as data or set of data related to an individual (e.g. name, email, phone number, group affiliations or street address). ECCN 5A001.j does not apply to systems specially designed for marketing purposes, network quality of service (QoS) or quality of experience (QoE). No license exceptions are available for 5A001.j items aside from certain portions of License Exception GOV.

Information to be submitted with a license application

Many of the items in the proposed rule are already controlled for their “information security” functionality. The proposed rule continues those registration and review requirements while setting forth new license review policies and special submission requirements. Proposed additional requirements include submitting specific technical information and either the Commodity Classification Application Tracking System (CCATS) number or license number or answers to three questions in lieu of the CCATS and license numbers.

Companies that manufacture or export items potentially controlled under these new and revised export controls should assess whether their items are captured under the new licensing requirements and consider filing comments to the proposed new licensing requirement.

Find out more about these changes by contacting Thomas M. deButts and Richard Newcomb.