Bureau of Industry and Security chief Kevin Wolf told a congressional committee this week that BIS “will not be implementing as final” a May 2015 proposed rule on licensing requirements for exports of specified cybersecurity items. Wolf said BIS is still determining how best to respond to the predominantly negative comments received on the proposal.
BIS proposed a license requirement for the export, reexport or transfer (in-country) of the following cybersecurity items to all destinations except Canada:
- systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software (including network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices)
- software specially designed or modified for the development or production of such systems, equipment or components
- software specially designed for the generation, operation or delivery of, or communication with, intrusion software
- technology required for the development of intrusion software (including proprietary research on the vulnerabilities and exploitation of computers and network-capable devices)
- Internet protocol network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor
Wolf said that “virtually all” of the 264 comments BIS received on the proposed rule were negative and that they focused on three main issues. First, the proposed definition of “intrusion software” is too broad and would catch products such as malware recovery tools and defense research tools. Second, there would be a heavy and unnecessary licensing burden on legitimate transactions that contribute to cybersecurity, such as using tools proposed for control to test systems and networks for vulnerabilities. Third, the rule could cripple legitimate cybersecurity research by subjecting vulnerability research, assessments and testing to export licensing requirements, including classification, screening and other control elements.
Wolf noted that commenters had many suggestions on how to deal with these concerns and that BIS and other involved agencies “will be reviewing all of them and many other ideas for how to address the policy objectives of the control but without unintended collateral harms.” He added that BIS “will continue to seek input from those with expertise and equities in cyber security in both the U.S. government and the private sector before deciding in conjunction with its interagency partners what the next step should be.”