1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

BIS Issues New Proposed Rule on Cybersecurity Items

Proposed Measure Would Add New Categories and Licensing Requirements; Move Some Items From Encryption Controls to New ECCNs

Amid a flurry of reports about someone claiming to have hacked a passenger plane through its entertainment system, BIS has issued an uncannily well-timed proposed rule (available here) that would control certain cybersecurity items.  The new rule implements certain 2013 changes to the Wassenaar Arrangement.  There is a comment period ending July 20.  Companies whose products and services may be affected by this proposed rule should review it carefully and consider whether comments would be appropriate.

Broadly speaking, the proposed rule would do the following:

  • Create new ECCNs (4A005, 4D004) and amend others (4D001 and 4E001) to control several items, software and technology relating to “intrusion software” (a new defined term – see below).  Specifically, the new ECCNs would control items and software specially designed for the generation, operation or delivery of, or communication with, “intrusion software.”  The revised ECCNs would control software and technology related to the newly added ECCNs.
  • Create new ECCN 5A001.j, which would control IP network communications surveillance systems (and certain related items) that intercept and analyze messages to produce “personal, human and social information from the communications traffic.”  Associated test equipment, software and technology for such items would become controlled under 5B001, 5D001, and 5E001, respectively.  This proposed category is intended to control systems that perform the indicated functions in connection with security and would exclude items used for marketing, quality of service, or quality of experience purposes.
  • Subject cybersecurity items to control for Regional Stability (RS) reasons, but establish a favorable licensing policy for several types of recipients, including foreign subsidiaries not located in Country Groups D:1 and E:1, certain foreign commercial partners, and certain favored government end-users.
  • Define “intrusion software” as software specially designed or modified to avoid detection by ‘monitoring tools’ (such as antivirus/intrusion detection products and firewalls) or to defeat ‘protective countermeasures’ (such as sandboxing or execution prevention) of a computer or network-capable device that also extracts or modifies data, or modifies the standard execution path of a program or process to allow execution of externally provided instructions.  This new definition expressly excludes hypervisors, debuggers, reverse engineering tools, digital rights management software, or certain software designed for asset tracking and recovery.
  • Clarify that “cybersecurity items,” including those defined in the new ECCNs, are not controlled under encryption ECCNs (and hence are ineligible for exception ENC) even if they use encryption.  However, if they do use encryption, they must also satisfy the registration, review and reporting requirements applicable to encryption items.  Furthermore, license applications for such items will also be subjected to a “focused” EI control review.
  • Remove certain license exceptions from eligibility for use for these ECCNs and items (e.g., STA, TSU).
  • Require certain information to be submitted with license applications for cybersecurity items.  This would take the form of a letter of explanation addressing, among other subjects, a detailed technical description of the cybersecurity functionality of the item.

BIS seeks comment specifically on the additional compliance burdens the proposed rule would create, as well as to what extent it would affect companies’ legitimate cybersecurity efforts.  The proposed rule appears to at least have the potential to significantly impact both areas.  Others have noted that the Wassenaar definition of “intrusion software,” on which the new EAR definition is based, is so broad that it includes “the primary known means through which research and engineering progress has been made” in security software.1  In addition, BIS states that it has attempted to offset the impact of additional controls with a favorable licensing policy for certain items.  However, the continuing application of certain encryption control requirements and the requirement to provide a detailed letter of explanation in support of licensing requests for cybersecurity items could present significant compliance burdens.  In light of these potentially important changes, industry attention and engagement with BIS is critical at this juncture.

1 Why Wassenaar Arrangement’s Definitions of “Intrusion Software” and “Controlled Items” Put Security Research and Defense At Risk, Sergey Bratus, Michael Locasto, Anna Shubina, July 23, 2014

BIS Issues New Proposed Rule on Cybersecurity Items

BIS Issues Guidance on Due Diligence to Prevent Unauthorized Transshipment to Russia

Since the Bureau of Industry and Security (“BIS”) – as well as the Office of Foreign Assets Control (“OFAC”) – began imposing restrictions on Russia in response to the situation in Crimea, U.S. exporters have wrestled with what those restrictions mean for their businesses and how to comply with them.  In March 2014, BIS announced that it was placing an indefinite hold on the processing of license applications to Russia.  Following this, BIS imposed additional restrictions on exports to certain industry sectors in Russia, as well as additional end use and end user restrictions.  For instance, BIS imposed restrictions on the export of certain items destined for Russian deep water, Arctic offshore, or shale energy exploration or production in August 2014.  In September 2014, BIS imposed restrictions on exporting specified items if they will be used by a military end user or for a military end use. Then in December 2014, BIS added certain microprocessors to the military end user and end use restrictions.

The restrictions on exports to Russia do not only affect U.S. businesses that have dealings with Russia.  They also increase the risk that other parties to an export transaction may seek to illegally divert goods to Russia.

BIS recently published guidance on its website to help exporters conduct due diligence to prevent such unauthorized diversions or transshipments to Russia.  Exporters with sophisticated compliance programs will likely notice that the guidance itself is familiar: it largely references existing BIS guidance on red flags and knowing one’s customer (see also EAR Part 732, Supp. 3).  For instance, BIS reiterates its admonition concerning the “red flag” that an exported item will not be used for its intended purpose or by its intended recipient.  It advises researching all parties to a transaction with a watchful eye for indications of planned diversion.  This includes researching freight forwarders and distributors to understand which countries and industries they service.  The new guidance also points readers to the consolidated export screening list as well as the list-based and end-user and end-use based controls that may apply to Russia.

The familiar substance of this “new” guidance does not so much suggest that BIS believed additional guidance was necessary.  Rather, it suggests that BIS believes exporters could be doing more to prevent unlawful diversion of items – explicitly including those items controlled for national security (NS) reasons – to Russia.  While it provides information that should aid exporters in compliance, it also suggests an increased likelihood of enforcement action against companies who neglect to conduct appropriate due diligence and whose exports wind up in Russia. Finally, it serves as a reminder that even (and, perhaps, particularly) exporters who believe they do not conduct business in Russia should carefully examine their end user and end use due diligence processes to ensure that their shipments arrive at the intended destination.

BIS Issues Guidance on Due Diligence to Prevent Unauthorized Transshipment to Russia

Commerce Department Imposes New Restrictions on Exports to Venezuela

Today, the Bureau of Industry and Security (BIS) imposed military end use and end user licensing requirements on exports to Venezuela.  This new restriction parallels the existing restrictions in place regarding China (for military end uses) and Russia (for both military end uses and end users).  It prohibits unlicensed exports to Venezuela of certain items subject to the EAR that the exporter knows are destined for military end users or end uses, as those terms are defined in the rule.

For exporters, this change reinforces the importance of knowing the EAR’s end use and end user restrictions and conducting effective due diligence on customers and other parties to export transactions.

Unlike similar changes of this type, BIS gave exporters a bit of a break by not making the restriction retroactive to contracts signed prior to November 7, 2014.

For more information, the full Federal Register notice is available here.

Commerce Department Imposes New Restrictions on Exports to Venezuela

Final Rule issued for USML Category XI (Military Electronics)

Export control reform took another step forward earlier this month, with the publication of the State and Commerce final rules relating to military electronics (USML Category XI).  As with previous reform initiatives, the changes make the USML list of controlled items a positive one rather than a catch-all and moves certain formerly ITAR-controlled items to the Commerce Control List.  Most of the changes will take effect December 30, 2014.  The State Department rule also makes certain changes to Category VIII (Aircraft) that will take effect in August.  These relate to wing folding systems.  Links to the new rules are below.

https://www.federalregister.gov/articles/2014/07/01/2014-14683/revisions-to-the-export-administration-regulations-ear-control-of-military-electronic-equipment-and

https://www.federalregister.gov/articles/2014/07/01/2014-14681/amendment-to-the-international-traffic-in-arms-regulations-united-states-munitions-list-category-xi

Final Rule issued for USML Category XI (Military Electronics)

Export Control Reform Meets the Final Frontier

Effective November 10, 2014, commercial communications satellites will move from the United States Munitions List (“USML”) and the jurisdiction of the Directorate of Defense Trade Controls (“DDTC”) to the Commerce Control List (“CCL”) and the jurisdiction of the Bureau of Industry and Security (“BIS”).  While changes affecting commercial communications satellites are likely to garner the greatest amount of attention, the new rules are part of the Administration’s larger Export Control Reform (“ECR”) initiative, and effect numerous changes to USML Category XV, which covers spacecraft items.  The first of these changes – moving radiation hardened microelectronic circuits previously controlled under the ITAR to the CCL – will take effect even earlier than the satellites rule.  That change is effective June 27.  Notably, in addition to rad-hardened microelectronic circuits, the International Space Station (“ISS”) and all specially designed parts will be moved from the USML to the CCL.

In light of the numerous jurisdictional and licensing changes effected by the new rules, from the outset, manufacturers and exporters of items formerly controlled in USML Category XV will need to assess carefully where their products will now fall. Items moving to the CCL will generally remain subject to licensing requirements to most destinations.  Exporters must become familiar with these new controls.  Many spacecraft items formerly controlled under the ITAR will move to a new “500-series” within CCL Category 9, specifically ECCN 9×515.  As such, they will be subject to a combination of National Security (NS), Regional Stability (RS), and, in certain cases, Missile Technology (MT) controls.  Knowing whether a spacecraft item moving to the CCL requires a license will necessitate a clear understanding of precisely where that item falls within ECCN 9×515 and will depend on its intended destination.

Notwithstanding the shift of commercial communication satellites from the ITAR (where China is a prohibited destination) to the EAR (where it is not), any pent-up Chinese demand for U.S. spacecraft items will remain so for the time being.  Consistent with Congress’s mandate when it authorized the jurisdictional shift, BIS will apply a policy of denial to license requests to China for most spacecraft items moving to the CCL.

Export Control Reform Meets the Final Frontier

Export Control Reform: It’s On

Shutdown or no shutdown, the first round of export control reforms took effect yesterday, October 15. The objective of the Export Control Reform initiative is to apply more stringent controls to items that are significant from a national security perspective while lowering the barriers to exporting items that do not pose such concerns.

This first round of changes rewrites USML Category VIII (aircraft), establishes a new USML Category XIX (gas turbine engines) and creates new “Commerce Munitions List” categories (designated as the “600 series”) under the EAR for military items subject to less stringent controls. The reforms also create a new, unified definition of “specially designed,” which is a linchpin in how commodity jurisdiction and classification determinations will be made in the future.

The changes will affect how items are designated as defense articles subject to the ITAR or as items subject to the EAR.  In short, the long-standing sweeping USML categories and “specifically designed for a military application” analysis are out, replaced by what has been called a “positive list” that endeavors to identify with greater specificity which items are subject to which controls.

The changes will result in previously ITAR-controlled items becoming subject to the EAR, and may present opportunities for companies that make or sell items that may be moving from one list to the other.  At the same time, the new rules are complex and will doubtless present compliance challenges.  Enforcement agencies have already signaled that they will be vigilant in policing whether manufacturers or exporters are misclassifying items or misusing applicable license exceptions and exemptions.

The rules that took effect on October 15 were published April 16, 2013.  The Department of State rule can be found here and the Department of Commerce rule can be found here. Further significant changes are afoot as well.  The State Department’s Interim Final Rule on brokering takes effect October 25. In addition, the next round of reformed categories will take effect on January 6, 2014 and can be found here (State) and here (Commerce).

Export Control Reform: It’s On