US Cracks Down on Sale of Offensive Cybersecurity Tools
Tools Used for Personal Surveillance, Malicious Activities Must Be Licensed
The U.S. Bureau of Industry and Security, a part of the U.S. Department of Commerce, has issued an interim final rule to curb and control the export, reexport, or in-country transfer of certain offensive cyber tools that are used in surveillance of private citizens and other malicious activities that could potentially undermine the nation's security.
The Department of Commerce is keeping the interim rule open for public comment for the next 45 days, after which a final discussion will be held and any necessary changes made. The rule will then come into effect 90 days from now.
In a statement issued by the Commerce Department on Wednesday, U.S. Secretary of Commerce Gina M. Raimondo says, "The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights. The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities."
The New Licensing Body
The interim rule introduces a new License Exception Authorized Cybersecurity Exports, or ACE, body that will "allow the export, reexport and transfer of 'cybersecurity items' to most destinations, while retaining a license requirement for exports to countries of national security or weapons of mass destruction concern," the Commerce Department says.
Citing the use of offensive tools for surveillance, espionage and/or other disruptive actions as grounds for controls, the rule now requires U.S.-based companies to obtain a license from ACE before selling these offensive cyber tools to foreign governments, organizations and individuals in countries where national security is a concern. The rule, however, is not applicable to defensive software and hardware. Organizations developing tools that are mainly used to protect national interests of nation-states are largely exempted from this rule, the interim rule document says.
The Commerce Department's justification is that the deliverables of this rule are in line with the Wassenaar Arrangement, a global arms agreement signed by 42 countries. The Wassenaar Arrangement's list of dual-use technologies was amended in 2013 to include "intrusion software" controls. All 42 members are subject to export controls, according to this agreement.
But the Wassenaar Arrangement does not cover a country such as Israel, which is a known provider of surveillance software through companies including the NSO Group and Cellebrite. Revelations about some authoritarian customers of NSO tools using them against human rights activists, journalists and others have sparked lawmakers’ renewed interest in this sector.
Earlier Proposal
According to the Bureau of Industry and Security, on May 20, 2015, it proposed a rule describing how these new controls would fit into the Export Administration Regulations. But during public comments, the proposed rule brought some serious issues to light.
Many commenters asserted that the entries were "overly broad, captured more than what was intended and ... failed to accurately describe the items intended for control," according to the statement released by the agency. Commenters also said that, as written, the rule "imposed a heavy and unnecessary licensing burden on legitimate transactions that contribute to cybersecurity" and that "the proposed rule's control on technology for the 'development' of 'intrusion software' could cripple legitimate cybersecurity research."
The statement goes on to say that the new interim final rule resolves these issues.