Proposed Measure Would Add New Categories and Licensing Requirements; Move Some Items From Encryption Controls to New ECCNs
Amid a flurry of reports about someone claiming to have hacked a passenger plane through its entertainment system, BIS has issued an uncannily well-timed proposed rule (available here) that would control certain cybersecurity items. The new rule implements certain 2013 changes to the Wassenaar Arrangement. There is a comment period ending July 20. Companies whose products and services may be affected by this proposed rule should review it carefully and consider whether comments would be appropriate.
Broadly speaking, the proposed rule would do the following:
- Create new ECCNs (4A005, 4D004) and amend others (4D001 and 4E001) to control several items, software and technology relating to “intrusion software” (a new defined term – see below). Specifically, the new ECCNs would control items and software specially designed for the generation, operation or delivery of, or communication with, “intrusion software.” The revised ECCNs would control software and technology related to the newly added ECCNs.
- Create new ECCN 5A001.j, which would control IP network communications surveillance systems (and certain related items) that intercept and analyze messages to produce “personal, human and social information from the communications traffic.” Associated test equipment, software and technology for such items would become controlled under 5B001, 5D001, and 5E001, respectively. This proposed category is intended to control systems that perform the indicated functions in connection with security and would exclude items used for marketing, quality of service, or quality of experience purposes.
- Subject cybersecurity items to control for Regional Stability (RS) reasons, but establish a favorable licensing policy for several types of recipients, including foreign subsidiaries not located in Country Groups D:1 and E:1, certain foreign commercial partners, and certain favored government end-users.
- Define “intrusion software” as software specially designed or modified to avoid detection by ‘monitoring tools’ (such as antivirus/intrusion detection products and firewalls), or to defeat ‘protective countermeasures’ (such as sandboxing or execution prevention), of a computer or network-capable device, and that also either extracts or modifies data, or modifies the standard execution path of a program or process to allow execution of externally provided instructions. This new definition expressly excludes hypervisors, debuggers, reverse engineering tools, digital rights management software, and certain software designed for asset tracking and recovery.
- Clarify that “cybersecurity items,” including those defined in the new ECCNs, are not controlled under encryption ECCNs (and hence are ineligible for exception ENC) even if they use encryption. However, if they do use encryption, they must also satisfy the registration, review and reporting requirements applicable to encryption items. Furthermore, license applications for such items will also be subjected to a “focused” EI control review.
- Remove certain license exceptions from eligibility for use for these ECCNs and items (e.g., STA, TSU).
- Require certain information to be submitted with license applications for cybersecurity items. This would take the form of a letter of explanation addressing, among other subjects, a detailed technical description of the cybersecurity functionality of the item.
BIS seeks comment specifically on the additional compliance burdens the proposed rule would create, as well as on the extent to which it would affect companies’ legitimate cybersecurity efforts. The proposed rule appears to have at least the potential to significantly affect both areas. Others have noted that the Wassenaar definition of “intrusion software,” on which the new EAR definition is based, is so broad that it includes “the primary known means through which research and engineering progress has been made” in security software.[1] In addition, BIS states that it has attempted to offset the impact of the additional controls with a favorable licensing policy for certain items. However, the continuing application of certain encryption control requirements and the requirement to provide a detailed letter of explanation in support of license applications for cybersecurity items could present significant compliance burdens. In light of these potentially important changes, industry attention and engagement with BIS are critical at this juncture.
[1] Sergey Bratus, Michael Locasto, Anna Shubina, “Why Wassenaar Arrangement’s Definitions of ‘Intrusion Software’ and ‘Controlled Items’ Put Security Research and Defense At Risk,” July 23, 2014.