BIS Finalizes Changes to New License Exception for “Cybersecurity Items”
On May 26, 2022, the US Department of Commerce, the Bureau of Industry and Security (BIS) issued a final rule, finalizing changes to License Exception Authorized Cybersecurity Exports (ACE) and making related changes to other sections of the Export Administration Regulations (EAR). These changes include narrowing of exceptions for end use restrictions applicable to certain government end users in Cyprus, Israel, and Taiwan under License Exception ACE and addition of new end use restrictions for License Exception ENC (Encryption Commodities, Software, and Technology).
On October 21, 2021, BIS published a long-awaited interim final rule implementing the decisions from the Wassenaar Arrangement in 2017 on controls of cybersecurity items. This interim final rule, among others, added or revised the following Export Control Classification Numbers (ECCNs) on the Commerce Control List: 4A005, 4D004, 4E001.a, 4E001.c, and 5A001.j. According to BIS, these items warrant export controls because they could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it.
The interim final rule also created a new License Exception ACE to authorize certain exports, reexports, and transfers (in-country) of “cybersecurity items.”[1] The interim final rule imposed certain restrictions on License Exception ACE, restricting its use when the item is destined to a country in Country Group E:1 or E:2, or to a “government end user” in a country listed in Country Group D:1, D:2, D:3, D:4, or D:5, with certain exceptions.
The interim final rule was initially set to take effect on January 19, 2022, but BIS delayed the effective date to March 7, 2022 via another interim final rule. After reviewing the comments to the October 21 interim final rule, BIS finalized changes to License Exception ACE and made other corresponding changes to the EAR on May 26, 2022.
Changes to License Exception ACE
Exceptions for Country Group D End Use Restriction
As noted above, License Exception ACE is not available when the cybersecurity item is destined to (1) a destination that is listed in Country Group E:1 or E:2 or (2) a “government end user” of any country listed in Country Group D:1, D:2, D:3, D:4, or D:5.[2] License Exception ACE, however, provides an exception which permits the use of License Exception ACE for certain “digital artifacts”[3] and “cybersecurity items” as described below destined to police, judicial bodies, or national computer security incident response teams in Country Group D countries that are also listed in Country Group A:6[4] for purposes of criminal or civil investigations or prosecutions, among others.
While the October 21 interim final rule’s exception could be read to allow the export, reexport, or transfer of “digital artifacts” to anyone in a Country Group D country that is also listed in Country Group A:6, the May 26 final rule amended the exception to narrow its permitted destinations to police or judicial bodies. After the amendment, “digital artifacts” and “cybersecurity items” may be exported, reexported, or transferred under License Exception ACE to certain government end users in Country Group D countries that are also listed in Country Group A:6 as follows:
- “Digital artifacts” (that are related to a cybersecurity incident involving information systems owned or operated by a “favorable treatment cybersecurity end user”[5]) to police or judicial bodies in Country Group D countries that are also listed in Country Group A:6 for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents; or
- “Cybersecurity items” to national computer security incident response teams in Country Group D countries that are also listed in Country Group A:6 for purposes of responding to cybersecurity incidents, for purposes of “vulnerability disclosure,”[6] or for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents.
BIS also revised the structure of the restriction provision to address confusion voiced in the public comments.
Definition of “Government End User”
BIS revised the definition of the term “government end user” in License Exception ACE by adding a detailed illustrative list of end users that meet this definition and added a note to provide further guidance on the term “partially operated or owned by a government or governmental authority” used in some of the examples included for the term “government end user.”
Changes to License Exception ENC
BIS added a new end use restriction to License Exception ENC to prevent evasion of the end use restrictions under License Exception ACE by adding cryptographic or cryptanalytic functionality to a “cybersecurity item” and relying on License Exception ENC instead of License Exception ACE. Specifically, the new end use restriction limits reliance on License Exception ENC where the exporter, reexporter, or transferor knows or has reason to know that the specified items would be used to affect “the confidentiality, integrity or availability of information or information systems, without authorization by the owner, operator or administrator of the information system (including the information and processes within such systems).” The specified items include:
- “Cryptanalytic items,” classified in ECCN 5A004.a, 5D002.a.3.a or c.3.a, or 5E002;
- Network penetration tools described in 15 C.F.R. § 740.17(b)(2)(i)(F), and corresponding ECCN 5E002 “technology”; and
- Automated network vulnerability analysis and response tools described in § 740.17(b)(3)(iii)(A), and corresponding ECCN 5E002 “technology”.
Other Changes to the EAR
BIS made other corresponding changes to the EAR, including revising the definitions of the terms “less sensitive government end users” and “more sensitive government end users” to indicate that these terms apply to cybersecurity items. Prior to this change, these definitions omitted a reference to License Exception ACE. BIS also restored ECCN 5D001.e, which had been erroneously removed by the October 21, 2021 interim final rule.
The May 26 final rule took immediate effect on May 26, 2022. Practically speaking, we do not anticipate that these new regulatory obligations will meaningfully affect the day-to-day business operations of the majority of interested parties. While complex, the broad authorizations provided by License Exception ACE, even as modified by the May 26 final rule, should permit the export, reexport, and transfer (in-country) of cybersecurity items in most circumstances. However, navigating the complex EAR licensing requirements and exceptions may result in costly delays, particularly where a company has been the victim of malicious cyber activity. Further, the changes in the final rule affect not only License Exception ACE but also License Exception ENC. Therefore, companies and individuals engaged in the export, reexport, or transfer of cybersecurity items and encryption items should carefully review these changes to assess whether they may affect the EAR compliance of their exports, reexports, or transfers.
© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
[1] The “cybersecurity items” include: ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004), 4E001.c, 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)), and 5E001.a (for 5A001.j or 5D001.a (for 5A001.j)). 15 C.F.R. § 740.22(b)(1).
[3] The term “digital artifacts” is defined as “items (e.g., ‘software’ or ‘technology’) found or discovered on an information system that show past or present activity pertaining to the use or compromise of, or other effects on, that information system.” 15 C.F.R. § 740.22(b)(2).
[5] The term “favorable treatment cybersecurity end user” includes: a U.S. subsidiary; providers of banking and other financial services; insurance companies; and civil health and medical institutions providing medical treatment or otherwise conducting the practice of medicine, including medical research. 15 C.F.R. § 740.22(b)(3).
[6] The term “vulnerability disclosure” is defined as “the process of identifying, reporting, or communicating a vulnerability to, or analyzing a vulnerability with, individuals or organizations responsible for conducting or coordinating remediation for the purpose of resolving the vulnerability.” 15 C.F.R. § 772.1.