BIS Finalizes the Rule Covering Cybersecurity Activities


On October 21, 2021, the Commerce Department’s Bureau of Industry and Security (“BIS”) published a rule that will restrict some exports, reexports, and other overseas transfers of equipment, software, and technology (technical know-how) that can be used for cyberattacks or surveillance. The rule, part of the Export Administration Regulations, has two components:

(i) controls on certain cybersecurity-related items that can be used for malicious cyber activities (such as surveillance, espionage, or other actions that disrupt, deny, or degrade the network or devices on it), and

(ii) a new license exception to permit what are viewed as legitimate cybersecurity activities to occur without export licensing.

According to BIS, the new controls are intended to “deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights.” It would be useful for companies that design, develop, produce, or trade in cybersecurity products or services to assess whether the new rule covers items with which they work, including related software or technology. In this regard, U.S. export controls extend not only to conventional exports, reexports, and transfers but also to so-called “deemed” exports and reexports—release of source code and technology to non-U.S. nationals in some circumstances.

The new rule is scheduled to come into effect on January 19, 2022. BIS will be accepting public comments on the rule’s impact on U.S. industry and the cybersecurity community through December 6, 2021.

Initially proposed in 2015, the new rule has been held up for several years amid concerns that additional controls and restrictions would undermine legitimate cybersecurity research and incident response activities. BIS contends that it has modified proposed versions of the new rule in ways that address cybersecurity companies’ concerns.

The rule creates a new Export Administration Regulations license exception, “Authorized Cybersecurity Exports” (ACE). License Exception ACE would generally authorize the export, reexport, and in-country transfer of “cybersecurity items” to nongovernment end users in most countries (not including Cuba, Iran, North Korea, and Syria) and to government end users in many countries (including all European Union members, Australia, Japan, and Korea). License Exception ACE will not apply if the exporter, reexporter, or transferor has reason to know at the time of the transaction that the cybersecurity item will be used to affect the confidentiality, integrity, or availability of information or information systems, without authorization by the owner, operator, or administrator of the information system.

Along with the 2020 and 2021 advisories on ransomware payments issued by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), the new export control rule is another in a stream of examples of the U.S. government deploying regulatory restrictions to restrain cyber-related international trade activity believed to jeopardize national security. Companies providing, as well as those consuming, cybersecurity services face an increasingly complex legal landscape.