Commerce Department Establishes New Export Controls on Cybersecurity Items
Author: Mark R. Ludwikowski
The U.S. Commerce Department on Thursday published an interim final rule to establish export controls on cyber intrusion software and other cybersecurity items capable of malicious use. The changes, effective Jan. 19, 2022, will impose stringent restrictions on these cybersecurity items and include a new license exception to authorize certain exports.
These new controls were long-awaited and published as part of United States obligations as a member of the Wassenaar Arrangement, an international export control regime. Most other Wassenaar member countries have already implemented controls on cybersecurity items.
The Commerce Department originally proposed controls on cybersecurity items in 2015. The proposal resulted in several hundred public comments from academia and private industry, interagency comments, and Congressional testimony that identified substantial problems with the proposed controls. The United States therefore worked with other Wassenaar members to narrow the controls.
The interim final rule reflects the most recent Wassenaar changes. Among them, the new controls expressly exclude certain software specially designed and limited to providing basic updates and upgrades meeting certain requirements, and exclude certain technology exchanged in “vulnerability disclosures” and “cyber incident responses,” as defined by the amendments.
The interim final rule further creates License Exception Authorized Cybersecurity Exports (“ACE”), which will allow for exports, reexports, and in-country transfers of certain cybersecurity items to most destinations, subject to certain limitations. Notable among these limitations, License Exception ACE will not apply where persons export, reexport, or transfer with knowledge or reason to know that a cybersecurity item will be used to affect the confidentiality, integrity, or availability of information or information systems without proper authorization.
The Commerce Department may further revise the controls before the effective date. It is accepting public comments on the interim final rule until Dec. 6, 2021, and is particularly interested in hearing about the potential cost of complying with the new controls and any prospective impacts on legitimate cybersecurity activities.
If you have any questions regarding the content of this alert, please contact Mark Ludwikowski (email@example.com), Matthew Goldstein (firstname.lastname@example.org), or another member of Clark Hill’s International Trade Business Unit.