BIS issues significant new export controls on certain cybersecurity items and related guidance

On October 21, 2021, the Bureau of Industry and Security (BIS) published an interim final rule (IFR) to implement significant new controls regarding certain cybersecurity items. The rule contains new and updated Export Control Classification Numbers (ECCNs) and new License Exception Authorized Cybersecurity Exports (ACE). On November 12, 2021, BIS issued Frequently Asked Questions (FAQs) to provide guidance on the IFR and License Exception ACE.

On October 21, 2021, the Bureau of Industry Security (BIS) published an Interim Final Rule (IFR) to implement controls on certain “cybersecurity items” that can be used for malicious cyber activities. Most notably, the IFR defines “cybersecurity items” to include the new and updated Export Control Classification Numbers (ECCNs) and creates a new License Exception Authorized Cybersecurity Exports (ACE). This IFR follows BIS’s original proposal to implement the addition of cybersecurity items to the Wassenaar Arrangement (WA) in 2015. However, the 2015 proposed rule received substantial industry scrutiny, including concerns that the rule was overly broad, would impose a heavy burden on licensing for legitimate transactions, and could cripple legitimate cybersecurity research. In response to those and other concerns, BIS suspended implementation of the 2015 proposed rule and, instead, renegotiated changes to the WA control lists in 2017, intending to define more precisely the scope of the cybersecurity controls. BIS released the October 2021 IFR to implement the 2017 WA decisions. Public comments on the IFR are due December 6, 2021, and the IFR is set to go into effect on January 19, 2022.

On November 12, 2021, BIS issued Frequently Asked Questions (FAQs) that provide guidance on this IFR.

New Export Control Classification Numbers

“Cybersecurity items” are defined to include the new and updated ECCNs referenced below and certain related ECCNs in Categories 4 and 5.

Category 4 includes two new ECCNs related to “intrusion software”:

4A005 “Systems,” “equipment,” and “components” therefor, “specially designed” or modified for the generation, command and control, or delivery of “intrusion software.”
4D004 “Software” “specially designed” or modified for the generation, command and control, or delivery of “intrusion software.”

The EAR defines “intrusion software” as software “specially designed or modified to avoid detection by 'monitoring tools', or to defeat 'protective countermeasures', of a computer or network-capable device, and performing any of the following: (1) the extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or (2) the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.”

ECCN 4D004 does not control software “specially designed” and limited to providing software updates or upgrades that: (1) only operate with the authorization of the owner or administration of the system receiving it, and (2) do not change the functionality of the software that is updated or upgraded such that it would satisfy the criteria of ECCN 4D004, or would satisfy the EAR’s definition of “intrusion software.” In other words, if the update or upgrade implements capabilities for the software to generate, command and control, or deliver “intrusion software,” the software would be controlled under ECCN 4D004.

ECCN 4E001 includes new paragraph c to control “technology” for the “development” of “intrusion software.” This ECCN does not apply to “vulnerability disclosure” or “cyber incident” responses.

Category 5 includes new paragraphs for certain ECCNs:

ECCN 5A001.j controls IP network communications surveillance systems or equipment and certain “specially designed” components. ECCN 5A001.j does not control systems or equipment “specially designed” for marketing purposes, Network Quality of Service (“QoS”), or Quality of Experience (“QoE”).
ECCN 5A004.b controls items (not specified by ECCNs 4A005 or 5A004.a) designed to “extract raw data” from a computing or communications device and circumvent “authentication” or authorization controls of the device to perform that extraction function. For these purposes, “extracting raw data” means retrieving binary data from a storage medium (such as RAM, a flash or hard disk) of a device without interpretation by the device’s operating system or file system. ECCN 5A004 does not control systems or equipment “specially designed” for the development or production of a computing or communications device; debuggers or hypervisors; items limited to logical data extraction; data extraction items using chip-off or JTAG; or items specially designed and limited to jail-breaking or rooting.

What is a “cyber incident response” or “vulnerability disclosure”?

The IFR defines “cyber incident” response as “the process of exchanging necessary information of a cybersecurity incident with individuals or organizations responsible for conducting or coordinating remediation to address the cybersecurity incident.”

It also defines “vulnerability disclosure” as “the process of identifying, reporting, or communicating a vulnerability to, or analyzing a vulnerability with, individuals or organizations responsible for conducting or coordinating remediation for the purpose of resolving the vulnerability.”

The FAQs provide examples of “individuals or organizations responsible for conducting or coordinating remediation for the purpose of resolving the vulnerability,” including IT network systems administrators and chief information officer (CIO) / chief information security officer (CISO) staff; Computer Security Incident Response teams (CSIRTs) / Computer Emergency Readiness teams (CERTs); Commercial Product Development groups, software developers, hardware engineers, etc.; and Cybersecurity standards organizations.

Surreptitious Listing (“SL”) and “Information Security” Items

Items that are currently subject to controls for surreptitious listing (SL) reasons are unaffected by the IFR and remain classified under their current ECCNs (5A001.f.1 and 5A980; 5D001.c and 5D980.a; 5D001.a and 5D980.b; 5E001.a and 5E980; and 5D001.b). In other words, the SL control would prevail for items controlled for multiple reasons because the SL control has the most restrictive licensing requirements.

“Cybersecurity items” that also incorporate “information security” functionality specified in Category 5 – Part 2 are subject to the ECCNs in that category as long as the “informational security” functionality remains present and usable (i.e., the encryption functionality is not absent, removed, or otherwise non-existent). So if an item is eligible for both License Exceptions ENC and ACE, License Exception ENC would prevail as long as the “information security” functionality is still present and usable.

No Items Subject to the ITAR are Being Transferred to the EAR

The IFR does not transfer any items subject to the International Traffic in Arms Regulations (ITAR) to the EAR. Items and services included on the U.S. Munitions List remain subject to the ITAR.

License Exception Authorized Cybersecurity Exports

License Exception ACE authorizes the export, reexport, and transfer of “cybersecurity items” to most destinations and end-users but does not authorize the export, reexport, or transfer of “cybersecurity items” (including deemed exports) to:

countries in Country Groups E:1 and E:2 of Supp. No. 1 to part 740 of the EAR (Cuba, Iran, North Korea, and Syria), or Crimea;
“government end users” in Country Group D countries (which includes Russia and China) – note that the definition of “government end user” for purposes of License Exception ACE is not the same as for License Exception ENC;
- But ACE authorizes the export, reexport, or transfer” to “government end users” of countries in both Country Group D and Country Group A:6 (currently Cyprus, Israel, and Taiwan) of
  - “digital artifacts” related to a security incident involving information systems owned or operated by a “favorable treatment cybersecurity end user,” or to police or juridical bodies for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents; or
  - ”cybersecurity items” to national computer security response teams to respond to cybersecurity incidents, for purposes of “vulnerability disclosure,” or for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents.
- There is no exclusion for activities related to “vulnerability disclosure” and “cyber incident response” for exports to government end-users. However, Note 1 to ECCN 4E001 excludes “vulnerability disclosure” and “cyber incident response” from control under 4E001.a or .c, and this exclusion applies regardless of the type of end user. Those exclusions are unaffected by License Exception ACE.
non-government end users of countries in Country Groups D:1 or D:5 (which includes Russia and China).
- But ACE authorizes the export, reexport, or transfer of
  - certain “cybersecurity items” to any “favorable treatment cybersecurity end users,” or
  - cybersecurity items” to these users for “vulnerability disclosure” or “cyber incident response.”

ACE is not available when the exporter knows or has reason to know, at the time of export, that the cybersecurity item will be used to affect the confidentiality, integrity, or availability of information or information systems, without authorization by the owner, operator, or administrator of the information system (including the information and processes within such systems).

Even if ACE is unavailable, other License Exceptions may be available, such as GOV for certain exports, reexports, or transfers involving U.S. Government agencies or personnel, or TMP for exports of tools of the trade in certain situations. The FAQs provide examples of such scenarios.

What are “digital artifacts” and “favorable treatment cybersecurity end users”? Is the definition of “government end user” identical to the definition of that term for License Exception ENC?

ACE defines “digital artifacts” as “items found or discovered on an information system that show past or present activity pertaining to the use or compromise of, or other effects on, that information system.”

ACE defines a “favorable treatment cybersecurity end user” as 1) a United States subsidiary; 2) a provider of banking and other financial services; 3) an insurance company; or 4) civil health and medical institutions providing medical treatment or practicing medicine, including conducting medical research.

The definition of “government end user” under ACE may apply to entities that would not meet the definitions of “less sensitive government end users” and “more sensitive government end users” as applied to encryption items.

“Government end user” under ACE is defined as a national, regional or local department, agency or entity that provides any governmental function or service. This includes international governmental organizations, government operated research institutions, and entities and individuals who are acting on behalf of such an entity (emphasis added). This term also includes retail or wholesale firms engaged in the manufacture, distribution, or provision of items or services controlled on the Wassenaar Arrangement Munitions List.

CFIUS Implications

The new and updated ECCNs are controlled for National Security (NS) and Anti-Terrorism (AT) reasons, and therefore the “cybersecurity items” are considered “critical technologies” under the regulations of the Committee on Foreign Investment in the United States (CFIUS). Certain foreign investments in U.S. businesses that produce, design, test, manufacture, fabricate, or develop “cybersecurity items” may therefore be subject to CFIUS’s jurisdiction and may require parties to submit a filing to CFIUS. It is not clear whether CFIUS will add License Exception ACE to the list of available EAR license exceptions at 31 C.F.R. § 800.401(e)(6) such that a mandatory filing would not be triggered for certain transactions when an export, reexport, or transfer qualifies for ACE.

Next steps

The IFR goes into effect on January 19, 2022.
Public comments to the IFR are due December 6, 2021. BIS has requested commenters provide input regarding the cost of implementing the IFR, as well as its impact on legitimate cybersecurity activities.
Based on the complexity of this rule, it is possible BIS will issue further guidance or amend the IFR prior to its implementation in January. Hogan Lovells will provide updates as necessary.

Hogan Lovells would be pleased to assist in submitting comments to the IFR and to help with questions about the IFR and how it could affect your business.

Authored by Adam Berry, Ashley Roberts, Emily Jenkins, and Hao-Kai Pai.