On October 21, 2021, the Department of Commerce’s Bureau of Industry and Security (BIS), released an Interim Final Rule to implement export controls on certain cybersecurity items that can be used for malicious cyber activities. Public comments are accepted until December 6, 2021. The final rule will become effective on January 19, 2022, and will revise the Commerce Control List (CCL) with new controls on these items for national security and anti-terrorism reasons. The rule will also create a new License Exception, Authorized Cybersecurity Exports (ACE), that authorizes exports of these items to many destinations. BIS states that “[t]hese items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it.”

The rule will create new Export Control Classification Numbers (ECCNs) under Category 4 of the CCL – specifically, 4A005, 4D004 and a new paragraph 4E001.c. Under Category 5 of the CCL, numerous ECCNs will be revised and a new paragraph added as ECCN 5A001.j to more clearly define “IP network communications surveillance systems or equipment.” This new rule also makes various amendments and revisions to the definition of certain terms covered under the rule, such as “cybersecurity items,” “digital artifacts,” “cyber incident response” and “vulnerability disclosure.”

New License Exception, Authorized Cybersecurity Exports (ACE), will authorize exports, reexports and transfers (in-country) of cybersecurity items which are not also controlled in Category 5 – Part 2 of the CCL or for Surreptitious Listening (SL) reasons. There are certain “government end user” and “non-government end user” restrictions which will apply for exports to certain countries. “Favorable treatment” cybersecurity end users will be any of the following: (i) A ‘‘U.S. subsidiary’’; (ii) providers of banking and other financial services; (iii) insurance companies; or (iv) civil health and medical institutions. Finally, the license exception has a broad end-use restriction when the exporter “has reason to know” the cybersecurity item “will be used to affect the confidentiality, integrity or availability of information or information systems.” BIS stated that this license exception will “allow the export, reexport and transfer (in-country) of ‘cybersecurity items’ to most destinations, while retaining a license requirement for exports to countries of national security or weapons of mass destruction concern.”

In a press statement, the Department of Commerce indicated that “The United States Government opposes the misuse of technology to abuse human rights or conduct other malicious cyber activities, and these new rules will help ensure that U.S. companies are not fueling authoritarian practices.” While BIS will implement the rule on January 19, 2022, it is accepting public comments until December 6, 2021. Any comments must be submitted via the Federal rulemaking portal (www.regulations.gov). The docket number for this rule is BIS–2020–0038. BIS has noted that commenters should also refer to RIN 0694–AH56 in all comments.