Cybersecurity Item Exports Would Require a License Under BIS Proposal
The Bureau of Industry and Security is inviting comments through July 20 on a proposed rule that would impose a license requirement for the export, reexport or transfer (in-country) of the following cybersecurity items to all destinations except Canada:
- systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software (including network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices)
- software specially designed or modified for the development or production of such systems, equipment or components
- software specially designed for the generation, operation or delivery of, or communication with, intrusion software
- technology required for the development of intrusion software (including proprietary research on the vulnerabilities and exploitation of computers and network-capable devices)
- Internet protocol network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor
According to BIS, this rule proposes to add Export Control Classification Number 4A005 (systems, equipment or components therefor specially designed for the generation, operation or delivery of, or communication with, intrusion software) and ECCN 4D004 (software specially designed for the generation, operation or delivery of, or communication with, intrusion software) to the Commerce Control List. These ECCNs would be controlled for national security, regional stability and anti-terrorism reasons to all destinations except Canada. No license exceptions would be available except certain provisions of license exception GOV (exports to or on behalf of the U.S. government). This rule also proposes adding a license requirement note and a note in the related controls paragraph for these ECCNs to alert exporters to include all relevant information when submitting classification requests and licensing applications.
BIS states that although these cybersecurity capabilities were not previously designated for export control, many have been controlled for their information security functionality, including encryption and cryptanalysis. This rule continues applicable encryption items registration and review requirements while setting forth proposed license review policies and special submission requirements to address the new cybersecurity controls, including submission of a letter of explanation with regard to the technical capabilities of the cybersecurity items.