Image: Lucas Sankey
The Commerce Department’s Bureau of Industry and Security (BIS) today announced new controls that would ban U.S. companies from exporting and reselling software and hardware tools that could be used to fuel authoritarian practices through malicious hacking activities and human rights abuse.
The rule will become effective in 90 days and will effectively ban the export of “cybersecurity items” for National Security (NS) and Anti-terrorism (AT) reasons.
It also establishes a new License Exception Authorized Cybersecurity Exports (ACE) that bans exports and resale of these items to problematic countries, such as China and Russia, without a license.
The complete list includes states of weapons of mass destruction or national security concern or subject to a U.S. arms embargo.
“The United States Government opposes the misuse of technology to abuse human rights or conduct other malicious cyber activities, and these new rules will help ensure that U.S. companies are not fueling authoritarian practices,” the BIS said.
— U.S. Commerce Dept. (@CommerceGov) October 20, 2021
BIS’ new rule says that these items warrant controls because they could be leveraged to conduct malicious cyber activities, including but not limited to surveillance, espionage, or other actions that would disrupt, deny or degrade access to network devices.
“Today’s rule is consistent with the result of BIS’s negotiations in the Wassenaar Arrangement (W.A.) multilateral export control regime and with a review of comments from Congress, the private sector, academia, civil society, and other stakeholders on previously proposed BIS rulemaking in this area,” the Commerce Department bureau said.
U.S. Secretary of Commerce Gina M. Raimondo added that the new rule is designed to block malicious threat actors’ access to hacking tools that could be used to target U.S. entities and threaten U.S. national security, while also allowing their use for legitimate purposes.
“The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights,” Raimondo said.
“The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities.”