On May 20, 2015, the Department of Commerce Bureau of Industry and Security (BIS) published a proposed rule affecting exports of intrusion software, surveillance systems, and related systems, equipment, software, and components. The proposed rule provides for new and amended export control classification numbers (ECCNs) for these “cybersecurity items,” resulting in new licensing and reporting requirements. Currently, these items typically are controlled based on their cryptographic functionality, but the new proposed ECCNs and control regime would disallow the use of most license exceptions, including the encryption (ENC) license exception, for many of these items. Export control professionals have been anticipating rulemaking in this area following the 2013 Wassenaar Arrangement Agreements that added intrusion software and penetration systems to the dual use, multi-lateral export control regime. BIS is seeking comments on the proposed rule with a deadline of July 20, 2015. The following are some of the key changes that are being proposed.
New Definition of “Intrusion Software”
The proposed rule would add a new definition of “intrusion software” that is critical to understanding the proposed export controls. “Intrusion software” under the new rule would include:
“Software” “specially designed” or modified to avoid detection by “monitoring tools,” or to defeat “protective countermeasures,” of a computer or network-capable device (including mobile devices and smart meters), and performing any of the following:
(a) the extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or
(b) the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.
Here “monitoring tools” are software or hardware devices that monitor system behaviors or processes running on a device, including antivirus products, end point security products, Personal Security Products, Intrusion Detection Systems, Intrusion Prevention Systems, or firewalls. “Protective countermeasures” within the proposed rule are techniques designed to ensure the safe execution of code, such as Data Execution Prevention, Address Space Layout Randomization, or sandboxing.
The proposed definition adds a number of notes that would remove certain standard commercial products from the definition. In particular, the proposed definition of “intrusion software” does not include: (1) hypervisors, debuggers or Software Reverse Engineering (SRE) tools; (2) Digital Rights Management software; or (3) software designed to be installed by manufacturers, administrators or users, for the purposes of asset tracking or recovery.
New and Amended ECCNs for “Intrusion Software”
Based on the proposed definition summarized above, the proposed rule would add two ECCNs to the Commerce Control List (CCL) for “intrusion software” and related systems, equipment, components and software:
4A005: “systems,” “equipment,” or “components” for intrusion software, “specially designed” for the generation, operation or delivery of, or communication with “intrusion software”
4D004: “software” “specially designed” for the generation, operation or delivery of, or communication with, “intrusion software”
BIS noted in its proposed rule that these ECCNs include “network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices.”
These new ECCNs would be controlled for national security (NS), regional stability (RS), and anti-terrorism (AT), creating an export license requirement for all destinations except for Canada. No license exceptions (except for certain portions of License Exception GOV) would be available for 4A005 and 4D004 items.
In addition, existing ECCNs affected by the “intrusion software” include 4D001, which would cover “development” and “production” intrusion software, and 4E001 which would cover “technology” “required” for the “development” of intrusion software. BIS notes that technology here will include “proprietary research on the vulnerabilities and exploitation of computers and network-capable devices.” Like new 4A005 and 4D004, these amended ECCNs would not be eligible for the use of license exceptions, including License Exception Technology and Software Under Restriction (TSR) or Strategic Trade Authorization (STA).
ECCN for Network Communications Surveillance Systems
The proposed rule also would add Internet Protocol network communication surveillance systems as “cybersecurity items” in ECCN 5A001.j. These systems include those that intercept and analyze messages to produce personal, human, and social information from network communications traffic. Excluded from 5A001.j are systems or equipment specially designed for a marketing purpose, network quality of services, or quality of experience. Like 4A005 and 4D004 for “intrusion software”, 5A001.j would be controlled for NS, RS, and AT (all Column 1), resulting in a license requirement for all exports and reexports except Canada. Also like the “intrusion software” ECCNS, 5A001.j would not be eligible for license exceptions except for certain provisions of GOV.
Continuing Registration, Review and Reporting Requirements for Cryptographic Items
While “cybersecurity items” – including intrusion software and network communication surveillance systems – would not be eligible for License Exception ENC, and would no longer be classified based on their information security functionality (e.g., in ECCNs 5A002, 5D002, or 5E002), information security registration, review, and reporting requirements would still apply under the proposed rule. Relevant ECCNs (discussed in the sections above) include a note requiring the registration, review, and reporting aspects of now-existing sections 740.17, 742.15(b), and 748.3(d), including with BIS and the ENC Encryption Request Coordinator. Currently, companies typically meet these requirements in order to qualify for ENC license exception or mass market treatment. Under the proposed rule, these requirements would continue even though ENC and mass market treatment would not be available.
Export Licenses for Cybersecurity Items
While licenses would be required under the proposed rule to most destinations, BIS, under the proposed rule, would review favorably license requests to certain destinations, including U.S. companies or subsidiaries outside Country Group D:1 or E:1 countries, commercial partners in Country Group A:5, and government end users in Australia, Canada, New Zealand, and the United Kingdom. There would be a presumption of denial of licenses for items that have or support rootkit or zero-day exploit capabilities. Items would also be reviewed for licensing based on their information security functionality.
License applications for cybersecurity items would have to fulfill new requirements under the proposed rule, including the submission of certain technical information and, upon request, copies of sections of source code and other software implementing or invoking cybersecurity functionality.
The proposed requirements would result in new licensing requirements for some products that currently qualify for ENC and other license exceptions. Companies that produce, test and market intrusion software and related cybersecurity items will want to weigh in on the potential impact of the rule on their business – particularly whether the proposed implementation of the new licensing requirements and ineligibility for license exceptions will impose unmanageable burdens. Companies operating in this area will also want to weigh in on whether aspects of the proposed rule could hamper vulnerability research and testing, and the ability to protect commercial and government networks.