2021-10-21
Commerce Export Rule for Spyware and Hacking Tools
The US Commerce Department’s Bureau of Industry and Security (BIS) has published an interim rule that regulates the “export, reexport, or transfer (in-country) of certain items that can be used for malicious cyber activities.” The rule bars companies from selling spyware and other technologies to China, Russia, and several other countries without first obtaining a license from BIS. In determining whether or not to grant a license, BIS will look closely at the intended end-user of the technology. The rule takes effect in 90 days.
Editor's Note
This follows the changes made to the Wassenaar Arrangement (WA) in 2013 when they added cybersecurity items to the WA list, which resulted in comments and refinement of that language in the WA 2017 amendment. This rule attempts to implement that language. There is a 45-day comment period, which started October 20, 2021. A concern remains that tools can be used for malicious or sanctioned activities, and once licensed for an approved use, a malicious insider can use them for malfeasance. Further, researchers and our cyber security teams need the tools the adversaries have to understand attacks, verify security and prepare response measures.

Lee Neely
As CTO of a company that sells a platform that will most likely fall in scope, I welcome this regulation. Current requirements are limited to export control checks. I do not want our attack platform (or any other platform for that matter) in the wrong hands. Current due-diligence background checks are based on ethics that other companies may not have.

Jorge Orchilles
Many otherwise useful tools “can be used for malicious cyber activities.”

William Hugh Murray
Read more in
Federal Register: Information Security Controls: Cybersecurity Items | Interim final rule, with request for comments. (PDF)
Washington Post: Commerce Department announces new rule aimed at stemming sale of hacking tools to Russia and China
ZDNet: US rolls out new rules governing export of hacking, cyberdefense tools
The Register: Uncle Sam to clip wings of Pegasus-like spyware – sorry, 'intrusion software' – with proposed export controls
Bleeping Computer: US govt to ban export of hacking tools to authoritarian regimes