The Commerce Department’s Bureau of Industry and Security (BIS) has published a final rule in the Federal Register that restricts cybersecurity export controls in an effort to prevent foreign adversaries from accessing hacking tools.
The rule – which became effective May 26 – restricts the export or resale of tools such as intrusion software from being used by countries like Russia and China – unless they have a license from the agency.
“These items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it,” the rule says.
The rule aligns the United States with the 42 European and other allies that are members of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.
BIS gathered public feedback after publishing an interim final rule in October 2021, which helped to shape the final rule. The agency is also clarifying the scope of the rule via guidance in a “Frequently Asked Questions” document.
“Controlling exports, of course, is not the same as cutting off exports. Export controls on a technology enable us to look at the destination, end use, and end user involved in a collaboration,” Assistant Secretary of Commerce for Export Administration Thea D. Rozman Kendler said earlier this month.
“This gives us insight into whether such exports or collaborators are a U.S. national security concern,” she added.