Earlier this year, the US Bureau of Industry and Security (BIS) published a proposed rule relating to the export of “cybersecurity items”, a category which includes software used to intrude on systems, network communications surveillance systems, and software, equipment, and technology used in the design and operation of these programs. Some products which fall under the new “cybersecurity items” heading are already controlled for their information security functionality under rules applying to “encryption items”, which are designed to maintain the secrecy of information, and are subject to registration and review requirements prior to export. These controls would continue to apply in addition to the new restrictions.
The proposed rule is designed to implement agreements made at a plenary session in December 2013 by the Wassenaar Arrangement, a multilateral export control regime comprising 41 states (including the US and the majority of Europe). It:
- subjects intrusion and surveillance software, and related items, to export controls;
- requires a licence for the export, reexport, or domestic transfer of these items to all destinations except Canada;
- imposes a strict licensing policy, including a policy of presumptive denial for certain cybersecurity items;
- requires that specific technical information be submitted in support of licence applications, in addition to the usual information requirements; and
- makes cybersecurity items ineligible for most licence exceptions under the Export Administration Regulations and ends the application of License Exception ENC to encryption items, meaning that an export licence would be required for exports to foreign subsidiaries and foreign national employees of US companies.
BIS also requested that software and technology companies comment on the proposed rules. There have been strong objections, with Google publishing an article stating that the “proposed rules, as currently written, would have a significant negative impact on the open security research community. They would also hamper our ability to defend ourselves, our users, and make the web safer”. These sentiments have been echoed by the Electronic Frontier Foundation, a prominent digital rights charity based in the US.