07.07.2015 | Updates

The Bureau of Industry and Security (BIS) recently issued a proposed rule that would require an export license for specified cybersecurity items to all destinations, except Canada. The changes include controls related to intrusion software and network communications surveillance items, with new and revised Export Control Classification Numbers (ECCNs) to implement the proposed controls. BIS requests public comments be submitted by July 20, 2015. 

Under the current rules, the specified cybersecurity items generally are classified based on their encryption functionality, under Category 5, Part 2 of the Export Administration Regulations (EAR). Under the proposed regulation, new and revised ECCNs would apply that would require a BIS license for export of these cybersecurity items to nearly all destinations. Current EAR encryption requirements (i.e., registration, review and reporting) for these items will continue to apply, but License Exception ENC and mass market treatment will no longer be available.

Intrusion Software

The proposed rule includes restrictions related to intrusion software, aka malware or exploits, including systems, equipment and components for such software. It also includes controls on items that are specially designed for the generation, operation or delivery of, or communication with, intrusion software. 

BIS’s proposed definition of “intrusion software” is software specially designed to avoid detection by monitoring tools [1] or to defeat protective countermeasures [2], and which performs:

  • the extraction of data or information, from the computer or device, or the modification of system or user data; or
  • the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

The following are specifically excluded from the definition of intrusion software: hypervisors, debuggers, Software Reverse Engineering tools and Digital Rights Management software.  Also excluded is software designed to be installed for asset tracking or recovery.

The proposed rule does not directly control intrusion software itself.  Rather, it controls the command and delivery platforms for generating, operating, delivering and communicating with intrusion software, as well as the technology for developing intrusion software.  Although the changes are intended to control “offensive” products, BIS acknowledges that some “defensive” products may fall under the new/revised ECCNs, in particular “penetration testing” products.

New/revised Category 4 ECCNs are proposed to implement these changes.  ECCN 4A005 is proposed for equipment, systems and components and ECCN 4D004 for software, specially designed for the generation, operation or delivery of, or communication with, intrusion software.  ECCN 4D001 would be revised to include software specially designed or modified for the development or production of 4A005 and 4D004 items.  Finally, ECCN 4E001 would be revised to cover technology required for 4A005 and 4D004 items and for 4D001 software related to intrusion software.  4E001 would also cover “proprietary research on the vulnerabilities and exploitation of computers and network capable devices.”

The controls for these new/revised ECCNs would require a license for exports to all destinations, except Canada.  No license exceptions, including ENC, are allowed except for License Exception GOV, which covers exports to or on behalf of the U.S. government.

Internet Protocol (IP) Network Communications Surveillance Items

The proposed rule also includes IP network communications surveillance items as cybersecurity items.  BIS's rationale for proposing export controls on these products is based, at least in part, on increasing concern with network traffic analysis systems that work by “intercepting and analyzing messages to produce personal, human and social information from the communications traffic.”  

The IP network communications surveillance systems, equipment and specially designed components to be controlled are items having all of the following:

1.  Performing all of the following on a carrier class IP network (e.g., national grade IP backbone):

    • analysis at the application layer (e.g., Layer 7 of the Open Systems Interconnection (OSI) model (ISO/IEC 7498-1));
    • extraction of selected metadata and application content (e.g., voice, video, messages, attachments); and
    • indexing of extracted data; and

2.  Being specially designed to carry out all of the following:

    • execution of searches on the basis of hard selectors (i.e., data related to an individual such as name, address, email, among others); and
    • mapping of the relational network of an individual or of a group of people.

Excluded from coverage are systems or equipment specially designed for marketing purposes, Network Quality of Services (QoS) or Quality of Experience (QoE).

ECCN 5A001.j would be added to cover IP network communications surveillance systems or equipment and test, inspection, production equipment and specially designed components.

As with the intrusion software, a license will be required for such items to all destinations, except Canada.  No license exceptions may be used, except for License Exception GOV.

Licensing and Related Policy for Cybersecurity Items

Under existing rules, certain information generally must be provided in a license application.  There also are separate registration and review requirements under the EAR encryption rules.

The proposed rule also would require the submission of certain technical information for cybersecurity items.  Such information will include the Commodity Classification Automated Tracking System (CCATS) number(s) or license numbers for any items in the license application or, if there has been no license application or classification, the answers to certain questions regarding the cybersecurity functionality of the item.  In addition, if requested by BIS, the applicant must provide a copy of sections of the source code and other software that implement the cybersecurity functionality.

As noted, licenses will be required to export the cybersecurity items to nearly all destinations.  BIS, however, proposes to review favorably license applications for certain end users and destinations (e.g., to government end users in Australia, Canada, New Zealand and the UK).  BIS will review other applications on a case-by-case basis. 

License applications for any items that have or support rootkit or zero-day exploit capabilities will be subject to a presumption of denial.

Deadline for Comments to BIS

The deadline for providing comments to BIS regarding the proposed rule is July 20, 2015.  BIS has included some specific questions it would like the public to respond to, including, among others: (1) how many license applications annually would these changes require your company to submit? and (2) how many license applications would be required for items that previously would have been eligible for license exceptions?

Companies may wish to take this opportunity to inform BIS regarding any increased burden these rules will place on their ability to do business globally.
Endnotes

[1] “Monitoring tools” are software or hardware devices that monitor system behaviors and processes running on a device.  This includes antivirus (AV) products, end point security products, Personal Security Products (PSP), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) or firewalls.

[2] “Protective Countermeasures” are techniques designed to ensure the safe execution of code, such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) or sandboxing.

© 2015 Perkins Coie LLP