BIS Revises Export Controls On Cybersecurity Items Used For Malicious Cyber Activity – Fin Tech | #cybersecurity | #cyberattack


On May 26, 2022, the US Department of Commerce’s Bureau of
Industry and Security (“BIS”) published a final rule revising the restrictions on the
export, reexport and transfer (in-country) of certain
“cybersecurity items” used for malicious cyber activities
(“final rule”). Effective immediately upon publication,
the final rule amends the October 21, 2021, interim final rule (“interim rule”)
that went into effect on March 7, 2022, which we addressed in a previous Legal Update.

More specifically, the final rule:

  • Adds a new end use restriction1
    to License Exception Encryption Commodities, Software, and
    Technology (“ENC”) to mirror the restrictions applicable
    to License Exception Authorized Cybersecurity Exports
    (“ACE”) and close a potential loophole for certain
    items;

  • Limits the scope of carve-outs available under License
    Exception ACE for certain government end users to only account for
    “digital artifacts” for purposes of criminal or civil
    investigations or prosecutions of cybersecurity incidents;

  • Further defines “government end user” under License
    Exception ACE by providing an illustrative list of seven types of
    users who meet the definition and adds a definition for
    “partially operated or owned by a government or governmental
    authority”; and

  • Makes a number of structural clarifications and restores
    5D001.e to Export Control Classification Number (“ECCN”)
    5D001. BIS states that 5D001.e was “inadvertently
    removed” from the interim rule.

Background

As discussed in our prior Legal Update, the interim rule
implemented new controls on “intrusion software”2 that balanced US foreign policy and
national security concerns with the need for legitimate
cybersecurity transactions. It reflected several years of
negotiations codified in the multilateral Wassenaar Arrangement and
incorporated significant US stakeholder input.

BIS published the interim rule on October 20, 2021, with a
delayed effective date of January 19, 2022. On January 12, 2022,
BIS published a rule that further delayed the effective date
of the interim rule until March 7, 2022, at which point it went
into effect.

Response to Public Comments

The interim rule’s comment period ended December 12, 2021,
with 12 total comments. In addition to the regulatory changes
outlined above, BIS addressed a number of public comments:

  • Several commenters raised concerns that the complexity of ECCN
    5A001.j (which covers certain “IP network communications
    surveillance systems or equipment, and ‘specially designed’
    components therefor”) presents compliance difficulties. In
    response, BIS committed to provide additional FAQ guidance on
    5A001.j.

  • BIS also noted that it is working on providing additional
    guidance broadly related to License Exception ACE and the
    cybersecurity community.

  • Commenters expressed concerns that the definitions of
    “vulnerability disclosure” and “cyber incident
    response” are too narrow. BIS responded that it believes many
    of the specific activities mentioned in the comments, such as
    tactics and techniques of malicious actors, are not subject to a
    license requirement. While BIS declined to broaden these terms, it
    committed to clarify the scope of license requirements through
    FAQs.

Additionally, BIS acknowledged other comments but declined to
take further action:

  • Several commenters asked for clarification of BIS’s
    “reason to know” standard; however, BIS declined to
    provide additional sector-specific guidance. BIS stated that it
    believes the current guidance3 is
    sufficient to address the public’s questions.

  • One commenter requested BIS remove the licensing requirement
    for people acting on behalf of a “government end user”
    because it would “chill cross-border collaboration with
    cybersecurity researchers and bug bounty hunters” since
    exporters would be required to check whether an individual has a
    government affiliation before beginning communication. BIS
    disagreed with this recommendation, noting that the license
    requirement is necessary to prevent people who are acting on behalf
    of a Country Group D government from obtaining “cybersecurity
    items” for activities contrary to US national security and
    foreign policy interests. BIS noted that because of the limited
    scope and applicability of the license requirement, it believes the
    requirement will protect US interests without unduly affecting
    legitimate cybersecurity activities.

New End-Use Restriction for License Exception ENC

In the final rule, BIS added a new end-use restriction to 15
C.F.R. § 740.17 (“License Exception ENC”) to
prohibit the use of ENC for certain cybersecurity items4 if there is either knowledge or
“‘reason to know’ at the time of export, reexport, or
transfer (in-country) . . . that the item will be used to affect
the confidentiality, integrity, or availability of information or
information systems, without authorization by the owner, operator,
or administrator of the information system.” This language,
which adds cryptographic or cryptanalytic functionality to the
“cybersecurity item,” mirrors that of License Exception
ACE and is intended to close a loophole and prevent the evasion of
ACE restrictions by use of ENC.

Clarifications to License Exception ACE

In response to public comments regarding the lack of clarity on
the definition of “government end user” in License
Exception ACE, codified at 15 C.F.R. § 740.22(b)(4), and
potential overlap with the definition of “favorable treatment
cybersecurity end users” for purposes of License Exception
ACE, BIS made a number of revisions and clarifications in the final
rule:

  • The final rule adds an illustrative list of end users that meet
    the definition of a “government end user” under License
    Exception ACE, differentiating between “more-sensitive
    government end users” and “less-sensitive government end
    users,” which are terms already defined in the Export
    Administration Regulations (“EAR”).5 The final rule also amends these
    definitions to clarify that they apply to cybersecurity items and
    are now referenced in License Exception ACE.6

  • BIS included the expression “partially operated or owned
    by a government or governmental authority” in three categories
    of listed “government end users”—utilities,
    transportation hubs and services, and retail or wholesale
    firms—and added a note to define the expression.7

  • The final rule amends § 740.22(c)(2)(i) to correct the
    text, which “inadvertently increased the scope of the
    exception.” As previously written, that paragraph
    allowed:

(a) Exports of “digital
artifacts”8 to anyone in a
Country Group D country that is also listed in Country Group A:6
(currently, Cyprus, Israel, or Taiwan); and

(b) Exports of any
“cybersecurity item”9 to
police or judicial bodies to Country Group D countries that are
also listed in Country Group A:6.

However, BIS stated that the final
rule clarifies its intention to only allow exports of “digital
artifacts” to police or judicial bodies in Country Group D
countries that are also listed in Country Group A:6 for purposes of
criminal or civil investigations or prosecutions.

The final rule also included structural changes in response to
public comments on clarity.10

Conclusion

Any party relying on License Exceptions ENC or ACE should
carefully consider and apply appropriate risk-based due diligence
to evaluate potential prohibited end-user and end-use
considerations in order to mitigate potential exposure in
connection with these controls.

Footnotes

1 15 C.F.R. §
740.17(f).

2 “Intrusion
software” is defined as “‘software’ specially
designed or modified to avoid detection by ‘monitoring
tools’, or to defeat ‘protective countermeasures’, of a
computer or network-capable device, and performing any of the
following: (1) The extraction of data or information, from a
computer or network-capable device, or the modification of system
or user data; or (2) The modification of the standard execution
path of a program or process in order to allow the execution of
externally provided instructions.” § 772.

3 BIS noted the
terms “know” and “reason to know” under License
Exception ACE use the same definition found in 15 C.F.R.
§ 772.1 for the term “knowledge.” BIS also
cited the “Know Your Customer” guidance located in
Supplement No. 3 to Part 732 of the EAR and on its website provides
additional information applicable to ACE.

4 These items
include:

– “cryptanalytic
items,” classified in ECCN 5A004.a, 5D002.a.3.a or c.3.a, or
5E002;

– network penetration tools
described in § 740.17(b)(2)(i)(F), and ECCN 5E002
“technology”; or

– automated network
vulnerability analysis and response tools described in
§ 740.17(b)(3)(iii)(A), and ECCN 5E002
“technology.”

5 See 15 C.F.R.
§ 772 for a complete list of terms defined in the
EAR.

6 15 C.F.R. §
740.22(b)(4).

7 15 C.F.R.
§ 740.22(b)(5).

8 “Digital
Artifacts” are defined within License Exception ACE as
“items (e.g., ‘software’ or ‘technology’)
found or discovered on an information system that show past or
present activity pertaining to the use or compromise of, or other
effects on, that information system.” 15 C.F.R. §
740.22(b)(2).

9
“Cybersecurity Items” are defined within License
Exception ACE as “ECCNs 4A005, 4D001.a (for 4A005 or 4D004),
4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004),
4E001.c, 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j),
5D001.c (for 5A001.j or 5B001.a (for 5A001.j)), and 5E001.a (for
5A001.j or 5D001.a (for 5A001.j)).” 15 C.F.R. § 740.22
(b)(1).

10 §
740.22(c).

The authors would like to thank Emily M. King for her help
writing this Legal Update.

Visit us at
mayerbrown.com

Mayer Brown is a global legal services provider
comprising legal practices that are separate entities (the
“Mayer Brown Practices”). The Mayer Brown Practices are:
Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited
liability partnerships established in Illinois USA; Mayer Brown
International LLP, a limited liability partnership incorporated in
England and Wales (authorized and regulated by the Solicitors
Regulation Authority and registered in England and Wales number OC
303359); Mayer Brown, a SELAS established in France; Mayer Brown
JSM, a Hong Kong partnership and its associated entities in Asia;
and Tauil & Chequer Advogados, a Brazilian law partnership with
which Mayer Brown is associated. “Mayer Brown” and the
Mayer Brown logo are the trademarks of the Mayer Brown Practices in
their respective jurisdictions.

© Copyright 2020. The Mayer Brown Practices. All rights
reserved.

This
Mayer Brown article provides information and comments on legal
issues and developments of interest. The foregoing is not a
comprehensive treatment of the subject matter covered and is not
intended to provide legal advice. Readers should seek specific
legal advice before taking any action with respect to the matters
discussed herein.



Original Source link

Leave a Reply

Your email address will not be published.

− eight = one