Published on June 7th, 2022

BIS Finalizes Changes To New License Exception For “Cybersecurity Items” – Security


On May 26, 2022, the US Department of Commerce's Bureau of
Industry and Security (BIS) issued a final rule that finalizes changes to License
Exception Authorized Cybersecurity Exports (ACE) and makes related
changes to other sections of the Export Administration Regulations
(EAR). These changes include a narrowing of the exceptions to the end use
restrictions applicable to certain government end users in Cyprus,
Israel, and Taiwan under License Exception ACE and the addition of new
end use restrictions for License Exception ENC (Encryption
Commodities, Software, and Technology).

Background

On October 21, 2021, BIS published a long-awaited interim final rule implementing the decisions
of the Wassenaar Arrangement in 2017 on controls of cybersecurity
items. This interim final rule, among other things, added or revised the
following Export Control Classification Numbers (ECCNs) on the
Commerce Control List: 4A005, 4D004, 4E001.a, 4E001.c, and 5A001.j.
According to BIS, these items warrant export controls because they
could be used for surveillance, espionage, or other actions that
disrupt, deny or degrade a network or the devices on it.

The interim final rule also created a new License Exception ACE
to authorize certain exports, reexports, and transfers (in-country)
of "cybersecurity items."[1] The interim
final rule imposed certain restrictions on License Exception ACE,
restricting its use when the item is destined to a country in
Country Group E:1 or E:2, or to a "government end user"
in a country listed in Country Group D:1, D:2, D:3, D:4, or D:5,
with certain exceptions.

The interim final rule was initially set to take effect on
January 19, 2022, but BIS delayed the effective date to March 7,
2022 via another interim final rule. After reviewing
the comments to the October 21 interim final rule, BIS finalized
changes to License Exception ACE and made other corresponding
changes to the EAR on May 26, 2022.

Changes to License Exception ACE

Exceptions for Country Group D End Use Restriction

As noted above, License Exception ACE is not available when the
cybersecurity item is destined to (1) a destination that is listed
in Country Group E:1 or E:2 or (2) a "government end
user" of any country listed in Country Group D:1, D:2, D:3,
D:4, or D:5.[2] License Exception ACE, however,
provides an exception which permits the use of License Exception
ACE for certain "digital
artifacts"[3] and "cybersecurity
items," as described below, destined to police, judicial bodies,
or national computer security incident response teams in Country
Group D countries that are also listed in Country Group
A:6,[4] for purposes of criminal or civil
investigations or prosecutions, among others.

While the October 21 interim final rule's exception read to
allow the export, reexport, or transfer of "digital
artifacts" to anyone in a Country Group D country that is also
listed in Country Group A:6, the May 26 final rule amended it to
narrow that exception's permitted recipients to police or judicial
bodies. After the amendment, "digital artifacts" and
"cybersecurity items" may be exported, reexported, or
transferred under License Exception ACE to certain government end
users in Country Group D countries that are also listed in Country
Group A:6 as follows:

  • "Digital artifacts" (that are related to a
    cybersecurity incident involving information systems owned or
    operated by a "favorable treatment cybersecurity end
    user"5) to police or judicial bodies in
    Country Group D countries that are also listed in Country Group A:6
    for purposes of criminal or civil investigations or prosecutions of
    such cybersecurity incidents; or
  • To national computer security incident response teams in
    Country Group D countries that are also listed in Country Group A:6
    of "cybersecurity items" for purposes of responding to
    cybersecurity incidents, for purposes of "vulnerability
    disclosure,"6or for purposes of criminal
    or civil investigations or prosecutions of such cybersecurity
    incidents.

BIS also revised the structure of the restriction provision to
address confusion voiced in the public comments.

Definition of "Government End User"

BIS revised the definition of the term "government end
user" in License Exception ACE by adding a detailed
illustrative list of end users that meet this definition and added
a note to provide further guidance on the term "partially
operated or owned by a government or governmental authority"
used in some of the examples included for the term "government
end user."

Changes to License Exception ENC

BIS added a new end use restriction to License Exception ENC to
prevent evasion of the end use restrictions under License Exception
ACE by adding cryptographic or cryptanalytic functionality to a
"cybersecurity item" and relying on License Exception ENC
instead of License Exception ACE. Specifically, the new end use
restriction to License Exception ENC limits reliance on License
Exception ENC where the exporter, reexporter, or transferor knows
or has reason to know that the specified items would be used to
affect "the confidentiality, integrity or availability of
information or information systems, without authorization by the
owner, operator or administrator of the information system
(including the information and processes within such
systems)." The specified items include:

  • "Cryptanalytic items," classified in ECCN 5A004.a,
    5D002.a.3.a or c.3.a, or 5E002;
  • Network penetration tools described in 15 C.F.R. §
    740.17(b)(2)(i)(F), and corresponding ECCN 5E002
    "technology"; and
  • Automated network vulnerability analysis and response tools
    described in § 740.17(b)(3)(iii)(A), and corresponding ECCN
    5E002 "technology".

Other Changes to the EAR

BIS made other corresponding changes to the EAR, including
revising the definitions of the terms "less sensitive
government end users" and "more sensitive government end
users" to indicate that these terms apply to cybersecurity
items. Prior to this change, these definitions omitted a reference to
License Exception ACE. BIS also restored ECCN 5D001.e, which had been
erroneously removed by the October 21, 2021 interim final rule.

Conclusion

The May 26 final rule took immediate effect on May 26, 2022.
Practically speaking, we do not anticipate these new regulatory
obligations to meaningfully impact the day-to-day business
operations of the majority of interested parties. While complex,
the broad authorizations provided by License Exception ACE, even as
modified by the May 26 final rule, should permit the export,
reexport, and transfer (in-country) of cybersecurity items in most
circumstances. However, navigating the complex EAR licensing
requirements and exceptions may result in costly delays,
particularly where a company has been the victim of malicious
cyber activity. Further, the changes in the final rule affect not only
License Exception ACE but also License Exception ENC.
Therefore, companies and individuals engaged in the export, reexport,
or transfer of cybersecurity items and encryption items should
carefully review these changes to assess whether they may
affect the EAR compliance of their exports, reexports, or
transfers.

Footnotes

1. The "cybersecurity items" include: ECCNs
4A005, 4D001.a (for 4A005 or 4D004), 4D004, 4E001.a (for 4A005,
4D001.a (for 4A005 or 4D004) or 4D004), 4E001.c, 5A001.j, 5B001.a
(for 5A001.j), 5D001.a (for 5A001.j), 5D001.c (for 5A001.j or
5B001.a (for 5A001.j)), and 5E001.a (for 5A001.j or 5D001.a (for
5A001.j)). 15 C.F.R. §740.22(b)(1).

2. 15 C.F.R. § 740.22(c).

3. The term "digital artifacts" is defined as
"items (e.g., 'software' or
'technology') found or discovered on an information system
that show past or present activity pertaining to the use or
compromise of, or other effects on, that information system."
15 C.F.R. §740.22(b)(2).

4. Currently, the countries listed in both Country Group
D and Country Group A:6 are: Cyprus, Israel, and Taiwan.
See 15 C.F.R. Supplement No. 1 to Part 740.

5. "The term "favorable treatment cybersecurity
end user" includes: a U.S. subsidiary; providers of banking
and other financial services; insurance companies; and civil health
and medical institutions providing medical treatment or otherwise
conducting the practice of medicine, including medical research. 15
C.F.R. §740.22(b)(3).

6. The term "vulnerability disclosure" is
defined as "the process of identifying, reporting, or
communicating a vulnerability to, or analyzing a vulnerability
with, individuals or organizations responsible for conducting or
coordinating remediation for the purpose of resolving the
vulnerability." 15 C.F.R. §772.1.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
