The Commerce Department has placed new restrictions on the export of certain cybersecurity items that can be used for malicious cyber activities, including software, hardware, and technology specially designed to generate, command and control, or deliver “intrusion software,” as well as certain IP network communications surveillance tools. These new restrictions are complex, and the determination of whether an item can be exported or shared with a foreign person depends upon the item, the destination, the end-user, and the end-use of the equipment.
- Intrusion software refers to software that can avoid or defeat network-device monitoring tools and protective countermeasures and can either extract or modify data or modify a program to allow for externally provided instructions. The definition of intrusion software does not include hypervisors, debuggers and Software Reverse Engineering (SRE) tools; Digital Rights Management (DRM) software; and software designed to be installed by manufacturers, administrators or users, for the purposes of asset tracking or recovery.
- IP network communications surveillance systems or equipment do not include those that are specially designed for marketing purposes, quality of service (QoS), or quality of experience (QoE).
- The term “command and control,” as it relates to this type of hardware, is meant to narrowly control products only when used maliciously.
For more information, see the Commerce Department’s FAQs: https://www.bis.doc.gov/index.php/documents/pdfs/2872-cyber-tools-le-ace-faqs-final-version-nov-2021/file
Under the new restrictions, an export license or license exception would be required for exports of such items to most countries, and no exports would be permitted to Cuba, Iran, North Korea or Syria. There are also restrictions for exports to government and non-governmental end-users in several countries under various circumstances. Finally, exports are not permitted where there is knowledge or reason to know that the cybersecurity item will be used to affect the confidentiality, integrity or availability of information or information systems without authorization of the owner, operator, or administrator of the information system.
The rule provides several carve-outs for certain legitimate cybersecurity technologies and activities, including those related to the provision of basic software updates and upgrades, vulnerability disclosure, cyber incident response, and for certain legitimate network monitoring tools.
If you need to ship or hand carry such equipment outside the U.S. or need to share technology associated with such equipment with foreign persons in the U.S., please contact firstname.lastname@example.org so that we can provide you with guidance, maintain the proper documents for federal recordkeeping requirements, and, if required, assist with obtaining an export license. Remember that, even if your projects are considered fundamental research, the export regulations still apply if you need to ship or hand carry equipment outside the U.S.