I Spy: Analyzing the new rule passed by the US Department of Commerce restricting the exportation of surveillance spyware

By: Alexa Sullivan

After much deliberation, the U.S. Department of Commerce has announced a new rule aimed at restricting the export or sale of hacking technologies and devices, particularly to countries of concern such as China and Russia.  In the digital era, technology has become a valuable weapon that foreign governments and organizations can mobilize to threaten national security.  The rule has therefore been enacted to protect national security against hostile actors, including terrorists, who use spyware tools for surveillance and espionage.  U.S. Secretary of Commerce Gina M. Raimondo underscored the purpose of the change, which is “to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights.”

The rule covers software products such as Pegasus, an intrusive spyware product developed by the Israeli technology firm NSO Group and sold to government customers.  Although NSO insists the software was intended only for use against criminals and terrorists, Pegasus has been used to hack the smartphones of journalists and human rights activists around the world.  Once installed, the software allows its operators to “activate the device’s microphone to listen in on conversations,” all while going undetected.  The attack methods have also become more advanced in recent years: current Pegasus infections can be delivered as “zero-click” attacks that require no interaction at all from the phone’s owner, so a target cannot protect themselves simply by declining to open a suspicious link or message.

The US is a member of the Wassenaar Arrangement (“WA”), a voluntary multilateral export control regime that establishes rules on the export of dual-use technologies.  These regulations have a long and complicated history going back to 2013, when the WA added “intrusion software” to its list of controls.  In May 2015, the Bureau of Industry and Security (“BIS”) published a proposed rule describing how these new controls would be implemented in U.S. export regulations and asked the public for information about the impact the rule might have on U.S. industry.  The responses voiced serious apprehension about the scope and implementation of the regulations.  Specifically, commenters were concerned that: (1) the controls were overly broad in terms of the items they would capture; (2) the rule imposed a heavy licensing burden on routine cybersecurity transactions; and (3) the proposed scope would impede legitimate cybersecurity development and research.  As a result, the US did not finalize the 2015 proposal and instead sought to renegotiate the controls at the WA.

The amendments adopted at the WA in 2017 made significant changes to the control language, which now reflects an intention to control tools that can be used maliciously while exempting cyber incident response technology.  The new U.S. rule implementing those amendments adds a license exception called Authorized Cybersecurity Exports (“ACE”), which authorizes most cybersecurity exports so that legitimate cybersecurity research and incident response activities are not curtailed.  ACE authorizes exports of these items to most destinations, with a few listed exceptions.  The US is the last of the 42 countries participating in the WA to impose restrictions on the sale of hacking tools, a delay driven by the implications the rule may have for cybersecurity.  The resulting rule is complex precisely because it tries to restrict malicious uses without damaging the future of legitimate cybersecurity work.  Under the rule, if a US company wants to export spyware to a government that poses a threat to national security, the company must first obtain a license.  Companies always need a license to export hacking software and related tools to China, Russia and the other listed countries, regardless of whether the export is for cyber defense.  Conversely, if the software is intended specifically for cyber defense and is not sold to anyone linked to the government of a country of concern, no license is required.  The Department of Commerce is allowing a 45-day period for public comment, followed by roughly another 45 days to make any changes, before the rule takes effect in January 2022.

Although the US adopted the rule to curb the spread of these technologies to countries regarded as a threat to national security, experts had previously expressed concern that such a rule could impede communication and collaboration between cybersecurity specialists in different countries, including the routine cross-border sharing of vulnerability information and defensive tooling.  On the other hand, it is clear that spyware such as Pegasus can be extremely dangerous and intrusive when used for malicious purposes.  By allowing software intended for cyber defense to be exported without a license, the rule still encourages international collaboration with security specialists overseas.  As Raimondo correctly stated, “The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities.”  The projected impact of these new controls on US industry and national cybersecurity looks promising: the rule will likely enable cybersecurity collaboration while simultaneously acting as a barrier to malicious, threatening software.

Student Bio:  Alexa Sullivan is a second-year law student at Suffolk University Law School. She is a staffer on the Journal of High Technology Law. Alexa received a Bachelor of Science degree in Biology with a minor in Business from Loyola University Maryland.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.