Commerce Export Rule for Spyware and Hacking Tools
The US Commerce Department’s Bureau of Industry and Security (BIS) has published an interim rule that regulates the “export, reexport, or transfer (in-country) of certain items that can be used for malicious cyber activities.” The rule bars companies from selling spyware and other technologies to China, Russia, and several other countries without first obtaining a license from BIS. In determining whether or not to grant a license, BIS will look closely at the intended end-user of the technology. The rule takes effect in 90 days.
This follows the changes made to the Wassenaar Arrangement (WA) in 2013 when they added cybersecurity items to the WA list, which resulted in comments and refinement of that language in the WA 2017 amendment. This rule attempts to implement that language. There is a 45-day comment period, which started October 20, 2021. A concern remains that tools can be used for malicious or sanctioned activities, and once licensed for an approved use, a malicious insider can use them for malfeasance. Further, researchers and our cyber security teams need the tools the adversaries have to understand attacks, verify security and prepare response measures.
As CTO of a company that sells a platform that will most likely fall in scope, I welcome this regulation. Current requirements are limited to export control checks. I do not want our attack platform (or any other platform for that matter) in the wrong hands. Current due-diligence background checks are based on ethics that other companies may not have.
Many otherwise useful tools “can be used for malicious cyber activities.”
William Hugh Murray
Read more in
Bleeping Computer: US govt to ban export of hacking tools to authoritarian regimes