The U.S. Commerce Department’s Bureau of Industry and Security (BIS) has released an interim final rule that establishes controls on the export, reexport, or transfer (in-country) of certain items that can be used for malicious cyber activities.
Here is a key part of the press release:
The United States Government opposes the misuse of technology to abuse human rights or conduct other malicious cyber activities, and these new rules will help ensure that U.S. companies are not fueling authoritarian practices. U.S. exporters are likewise encouraged to consult the State Department’s Guidance in Implementing the “Guiding Principles” for Transactions Linked to Foreign Government End Users for Products or Services with Surveillance Capabilities to minimize the risk that their products or services are misused by governments to violate or abuse human rights.
The Washington Post reported that this was a long-awaited rule that officials hope will stem the export or resale of hacking tools to China and Russia while still enabling cybersecurity collaboration across borders.
The rule will take effect after 90 days. Here is what it covers:
- Software such as Pegasus, a potent spyware product sold by the Israeli firm NSO Group to governments that have used it to spy on dissidents and journalists
- Bars sales of hacking software and equipment to China and Russia, as well as to a number of other countries of concern, without a license from the department’s Bureau of Industry and Security (BIS)
According to The Washington Post, the U.S. Department of Commerce already has export controls on products containing encryption, so the new rule applies to products that do not contain encryption. The Washington Post also reported that any intrusion software, even for defensive purposes, being sold to anyone in China or Russia, whether or not they work for the government, will require a license, according to the rule.
In addition, the rule will align the United States with the 42 European and other allies that are members of the Wassenaar Arrangement. This group sets voluntary export control policies on military and dual-use technologies (products that can be used both for civilian and military purposes).
The Washington Post says that China is not a Wassenaar member. Israel is also not a member but voluntarily adopts its controls. Russia is a Wassenaar member.
In my opinion, the rule seems like a common-sense idea. There is no good reason to sell, transfer, or export tools to other countries that might be inclined to use those tools to hurt people.