On October 21, 2021, the Bureau of Industry and Security (BIS) published an interim final rule (IFR) to implement significant new controls regarding certain cybersecurity items. The rule contains new and updated Export Control Classification Numbers (ECCNs) and new License Exception Authorized Cybersecurity Exports (ACE). On November 12, 2021, BIS issued Frequently Asked Questions (FAQs) to provide guidance on the IFR and License Exception ACE.
On October 21, 2021, the Bureau of Industry and Security (BIS) published an Interim Final Rule (IFR) to implement controls on certain "cybersecurity items" that can be used for malicious cyber activities. Most notably, the IFR defines "cybersecurity items" to include the new and updated Export Control Classification Numbers (ECCNs) and creates a new License Exception Authorized Cybersecurity Exports (ACE). This IFR follows BIS's original proposal to implement the addition of cybersecurity items to the Wassenaar Arrangement (WA) in 2015. However, the 2015 proposed rule received substantial industry scrutiny, including concerns that the rule was overly broad, would impose a heavy licensing burden on legitimate transactions, and could cripple legitimate cybersecurity research. In response to those and other concerns, BIS suspended implementation of the 2015 proposed rule and instead renegotiated changes to the WA control lists in 2017, intending to define more precisely the scope of the cybersecurity controls. BIS released the October 2021 IFR to implement the 2017 WA decisions. Public comments on the IFR are due December 6, 2021, and the IFR is set to go into effect on January 19, 2022.
On November 12, 2021, BIS issued Frequently Asked Questions (FAQs) that provide guidance on this IFR.
New Export Control Classification Numbers
"Cybersecurity items" are defined to include the new and updated ECCNs referenced below and certain related ECCNs in Categories 4 and 5.
Category 4 includes two new ECCNs related to "intrusion software":
- 4A005 "Systems," "equipment," and "components" therefor, "specially designed" or modified for the generation, command and control, or delivery of "intrusion software."
- 4D004 "Software" "specially designed" or modified for the generation, command and control, or delivery of "intrusion software."
The EAR defines "intrusion software" as software "specially designed or modified to avoid detection by 'monitoring tools', or to defeat 'protective countermeasures', of a computer or network-capable device, and performing any of the following: (1) the extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or (2) the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions."
ECCN 4D004 does not control software "specially designed" and limited to providing software updates or upgrades that: (1) only operate with the authorization of the owner or administrator of the system receiving it, and (2) do not change the functionality of the software that is updated or upgraded such that it would satisfy the criteria of ECCN 4D004, or would satisfy the EAR's definition of "intrusion software." In other words, if the update or upgrade implements capabilities for the software to generate, command and control, or deliver "intrusion software," the software would be controlled under ECCN 4D004.
ECCN 4E001 includes new paragraph c to control "technology" for the "development" of "intrusion software." This ECCN does not apply to "vulnerability disclosure" or "cyber incident response."
Category 5 includes new paragraphs for certain ECCNs:
- ECCN 5A001.j controls IP network communications surveillance systems or equipment and certain "specially designed" components. ECCN 5A001.j does not control systems or equipment "specially designed" for marketing purposes, Network Quality of Service ("QoS"), or Quality of Experience ("QoE").
- ECCN 5A004.b controls items (not specified by ECCNs 4A005 or 5A004.a) designed to "extract raw data" from a computing or communications device and circumvent "authentication" or authorization controls of the device to perform that extraction function. For these purposes, "extracting raw data" means retrieving binary data from a storage medium (such as RAM, a flash or hard disk) of a device without interpretation by the device's operating system or file system. ECCN 5A004 does not control systems or equipment "specially designed" for the development or production of a computing or communications device; debuggers or hypervisors; items limited to logical data extraction; data extraction items using chip-off or JTAG; or items specially designed and limited to jail-breaking or rooting.
What is a "cyber incident response" or "vulnerability disclosure"?
The IFR defines "cyber incident response" as "the process of exchanging necessary information of a cybersecurity incident with individuals or organizations responsible for conducting or coordinating remediation to address the cybersecurity incident."
It also defines "vulnerability disclosure" as "the process of identifying, reporting, or communicating a vulnerability to, or analyzing a vulnerability with, individuals or organizations responsible for conducting or coordinating remediation for the purpose of resolving the vulnerability."
The FAQs provide examples of "individuals or organizations responsible for conducting or coordinating remediation for the purpose of resolving the vulnerability," including IT network systems administrators and chief information officer (CIO) / chief information security officer (CISO) staff; Computer Security Incident Response Teams (CSIRTs) / Computer Emergency Readiness Teams (CERTs); commercial product development groups, software developers, hardware engineers, etc.; and cybersecurity standards organizations.
Surreptitious Listening ("SL") and "Information Security" Items
Items that are currently subject to controls for surreptitious listening (SL) reasons are unaffected by the IFR and remain classified under their current ECCNs (5A001.f.1 and 5A980; 5D001.c and 5D980.a; 5D001.a and 5D980.b; 5E001.a and 5E980; and 5D001.b). In other words, the SL control prevails for items controlled for multiple reasons because the SL control has the most restrictive licensing requirements.
"Cybersecurity items" that also incorporate "information security" functionality specified in Category 5, Part 2 are subject to the ECCNs in that category as long as the "information security" functionality remains present and usable (i.e., the encryption functionality is not absent, removed, or otherwise non-existent). So if an item is eligible for both License Exceptions ENC and ACE, License Exception ENC prevails as long as the "information security" functionality is still present and usable.
No Items Subject to the ITAR are Being Transferred to the EAR
The IFR does not transfer any items subject to the International Traffic in Arms Regulations (ITAR) to the EAR. Items and services included on the U.S. Munitions List remain subject to the ITAR.
License Exception Authorized Cybersecurity Exports
License Exception ACE authorizes the export, reexport, and transfer of "cybersecurity items" to most destinations and end users but does not authorize the export, reexport, or transfer of "cybersecurity items" (including deemed exports) to:
- countries in Country Groups E:1 and E:2 of Supp. No. 1 to part 740 of the EAR (Cuba, Iran, North Korea, and Syria), or Crimea;
- "government end users" in Country Group D countries (which includes Russia and China); note that the definition of "government end user" for purposes of License Exception ACE is not the same as for License Exception ENC. ACE does, however, authorize the export, reexport, or transfer to "government end users" of countries in both Country Group D and Country Group A:6 (currently Cyprus, Israel, and Taiwan) of:
  - "digital artifacts" related to a security incident involving information systems owned or operated by a "favorable treatment cybersecurity end user," or to police or juridical bodies for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents; or
  - "cybersecurity items" to national computer security response teams to respond to cybersecurity incidents, for purposes of "vulnerability disclosure," or for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents.
  There is no exclusion for activities related to "vulnerability disclosure" and "cyber incident response" for exports to government end users. However, Note 1 to ECCN 4E001 excludes "vulnerability disclosure" and "cyber incident response" from control under 4E001.a or .c, and this exclusion applies regardless of the type of end user. Those exclusions are unaffected by License Exception ACE.
- non-government end users of countries in Country Groups D:1 or D:5 (which includes Russia and China).
ACE is not available when the exporter knows or has reason to know, at the time of export, that the cybersecurity item will be used to affect the confidentiality, integrity, or availability of information or information systems, without authorization by the owner, operator, or administrator of the information system (including the information and processes within such systems).
Even if ACE is unavailable, other License Exceptions may be available, such as GOV for certain exports, reexports, or transfers involving U.S. Government agencies or personnel, or TMP for exports of tools of the trade in certain situations. The FAQs provide examples of such scenarios.
What are "digital artifacts" and "favorable treatment cybersecurity end users"? Is the definition of "government end user" identical to the definition of that term for License Exception ENC?
ACE defines "digital artifacts" as "items found or discovered on an information system that show past or present activity pertaining to the use or compromise of, or other effects on, that information system."
ACE defines a "favorable treatment cybersecurity end user" as 1) a United States subsidiary; 2) a provider of banking and other financial services; 3) an insurance company; or 4) civil health and medical institutions providing medical treatment or practicing medicine, including conducting medical research.
The definition of "government end user" under ACE may apply to entities that would not meet the definitions of "less sensitive government end users" and "more sensitive government end users" as applied to encryption items.
"Government end user" under ACE is defined as a national, regional or local department, agency or entity that provides any governmental function or service. This includes international governmental organizations, government operated research institutions, and entities and individuals who are acting on behalf of such an entity (emphasis added). This term also includes retail or wholesale firms engaged in the manufacture, distribution, or provision of items or services controlled on the Wassenaar Arrangement Munitions List.
CFIUS Implications
The new and updated ECCNs are controlled for National Security (NS) and Anti-Terrorism (AT) reasons, and therefore the "cybersecurity items" are considered "critical technologies" under the regulations of the Committee on Foreign Investment in the United States (CFIUS). Certain foreign investments in U.S. businesses that produce, design, test, manufacture, fabricate, or develop "cybersecurity items" may therefore be subject to CFIUS's jurisdiction and may require parties to submit a filing to CFIUS. It is not clear whether CFIUS will add License Exception ACE to the list of available EAR license exceptions at 31 C.F.R. § 800.401(e)(6) such that a mandatory filing would not be triggered for certain transactions when an export, reexport, or transfer qualifies for ACE.
Next steps
- The IFR goes into effect on January 19, 2022.
- Public comments to the IFR are due December 6, 2021. BIS has requested commenters provide input regarding the cost of implementing the IFR, as well as its impact on legitimate cybersecurity activities.
- Based on the complexity of this rule, it is possible BIS will issue further guidance or amend the IFR prior to its implementation in January. Hogan Lovells will provide updates as necessary.