Commerce Imposes New Export Controls on Technology Items that Could be Used for Malicious Cyber Activities

December 2021

BY

Damon V. PikePrincipal, Customs & International Trade Services

The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) on October 21, 2021 published a notice in the Federal Register imposing new export controls on cybersecurity items and tools that are capable of being used for surveillance, espionage or other actions that disrupt, deny or degrade a network or the devices on it. This action was taken to implement the 2017 Wassenaar Arrangement (WA) decisions related to cyber security, which reflects the U.S. government’s priorities to prevent U.S. technology and tools from being used to conduct malicious cyber activities or to abuse human rights.

 
The new rule, which will take effect on January 19, 2022, implements multilateral controls over cybersecurity hardware and software by adding several new Export Control Classification Numbers (ECCNs) to the Commerce Control List (CCL), updating existing ECCNs with additional controls, and provides a new license exception for Authorized Cybersecurity Exports (ACE). These new ECCNs are controlled for National Security (NS) and Anti-terrorism (AT) reasons, so that, for practical purposes, an export license or license exception will be required for most exports, reexports or in-country transfers of cybersecurity items.
 
Specific revisions include the introduction of new ECCN item entries and updates under CCL Categories 4 and 5 (which control computers and telecommunication and information security items respectively). The new revisions cover technology relating to the generation, command and control or delivery of “intrusion software” defined in the EAR as:

"Software specially designed or modified to avoid detection by “monitoring tools,” or to defeat “protective countermeasures,” of a computer or network-capable device, and performing any of the following:
(1) The extraction of data or information, from a computer of network-capable device, or the modification of system or user; or
(2) The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions."

The ACE (not to be confused with the “Automated Commercial Environment” system operated by U.S. Customs & Border Protection) license exception may not be used for shipments to destinations covered by U.S. AT controls, including Cuba, Iran, North Korea and Syria and, in most instances, government end-users in countries controlled by NS controls--Group D countries--or non-government end-users located in countries under NS controls.
 
Limited exclusions exist for government end-users in Group D countries that are also listed as close allies of the United States in Country Group A:6 for exports, reexports and in-country transfers of “digital artifacts” that are related to a cybersecurity incident involving information systems owned or operated by a “favorable treatment cybersecurity end-user.” Group D countries listed in Country Group A:6 include Cyprus, Israel and Taiwan and the interim rule defines “favorable treatment end-users” as U.S. subsidiaries, i.e., a foreign branch or most foreign subsidiaries of U.S. companies, financial service providers, insurance companies and civil health and medical institutions providing medical treatment and research.
 
Additionally, license exception ACE is not authorized if the exporter, re-exporter or transferor knows or has reason to know that covered items will be used to affect the confidentiality, integrity or availability of information or information systems without authorization by the owner, operator or administrator of the information system.
 
Due to the exacting nature and complexity of this rule, companies engaged in the export of cybersecurity equipment, software and technology should carefully review all related controls and assess relevant products and technology against the functionality of the new cybersecurity ECCNs to determine which of their items may be impacted. U.S. businesses also should consult BIS’s “Know Your Customer Guidance” to evaluate whether “Red Flags” exist for any potential sales of these items.
 

How BDO can help

BDO knows the unique challenges that U.S. and global businesses face when regulated products, software and information cross borders both physically and virtually. We provide businesses with cost-effective support in all aspects of export planning, diligence and compliance. Our professionals help businesses understand and manage their compliance obligations arising from the export of goods, technology and services under U.S. law. We identify, manage and monitor risk efficiently across industries and geographies, while at the same time identifying all possible duty savings in importing jurisdictions.
 
Our services include: 
  • Export compliance assessments
  • Commodity jurisdiction requests
  • Export license applications
  • Export classification reviews
  • Supply chain planning
  • Administrative filings