Revisions Needed to Limit Impact of New BIS Cybersecurity Controls, Industry Says

Although the Bureau of Industry and Security’s new cybersecurity controls are an improvement over the restrictions proposed in 2015, the agency should still take several steps to ensure they don’t impede U.S. technology companies and inhibit information sharing in the cybersecurity sector, industry said this month. But at least one commenter said BIS should strengthen the controls by restricting a broader set of technologies and require more due diligence steps for exporters.

BIS in October previewed the new controls, which are expected to create a new license exception for certain cybersecurity items while establishing more restrictions on items that can be used for “malicious cyber activities” (see 2110200036). The controls stem from a proposed rule issued by BIS in 2015, but the agency ultimately scrapped the rule and returned to the multilateral Wassenaar Arrangement to renegotiate the restrictions after receiving hundreds of critical comments from industry, with many saying the controls were too broad.

Some of those same concerns were echoed by Microsoft in December comments to BIS. The company acknowledged that BIS has “taken a more nuanced approach aimed at restricting only” items that may be used for malicious cyber activities, but the rule should still be tailored more narrowly. “[C]ertain unclear and overly broad aspects of the rule could have unintended consequences that frustrate legitimate cybersecurity activities within Microsoft and the broader cybersecurity community,” it said.

BIS should specifically narrow the rule’s broad definition of government end-user, Microsoft said, which is “significantly broader” than how the term is applied to encryption-related exports. The definition in the cybersecurity rule would restrict exports to any entity or person “acting on behalf of” a government end-user listed in certain Country Group D countries, which could “potentially chill cross-border collaboration on cybersecurity issues” and other activities with people or entities working on behalf of a foreign government. The scope of the definition could include Microsoft customers who “contract with or provide services” to Country Group D government entities, the company said.

Microsoft also said controls on deemed exports -- which impose license requirements on certain U.S. technology transfers to a foreign person on U.S. soil -- may be captured by any person or entity working “on behalf” of a government end-user entity. The company said this will hurt its ability to “deploy routine cybersecurity activities across multiple markets given uncertainty as to whether individuals or entities that participate in those activities are restricted for acting on behalf of a government entity -- which would include any national, regional or local department, agency or entity that provides any governmental function or service.”

Like Microsoft, the Information Technology Industry Council said the new rule is a “substantial” improvement over the controls proposed in 2015, adding that new License Exception Authorized Cybersecurity Exports (ACE) will “particularly assist less well-resourced researchers and threat intelligence stakeholders.”

But the council also said the rule’s definitions for information sharing related to “vulnerability disclosures” and “incident responses,” which are excluded from certain controls, are too limited. ITI said the definitions don’t “encompass the regular sharing of non-vulnerability and non-incident related cybersecurity information sharing, namely technical data on threat actors’ tactics, tools, techniques, and behaviors, as well as certain vulnerability handling activities.”

More practically, ITI said there is still “considerable ambiguity and complexity” surrounding the rule’s compliance requirements, which will likely raise costs for U.S. companies and “sap resources from cybersecurity defense activities” (see 2110270019). The broad scope of the exports captured under cybersecurity restrictions “will likely generate significant financial burdens on a range of technology providers related to an array of legitimate security practices, despite the welcome availability” of the ACE license exception, ITI said. “These compliance costs will be passed along to customers who are already struggling to dedicate the resources necessary to invest in, and maintain, an effective and resilient cybersecurity posture.”

BIS can help mitigate compliance costs by publishing “decision trees” to guide exporters through License Exception ACE and the new controls introduced by the rule, the council said. The Computing Technology Industry Association also suggested a decision tree for the new license exception to help companies determine when they can use it.

“Given the complexity of the various definitions and requirements noted in the interim final rule,” CompTIA said, “the decision-tree would serve to lessen confusion and questions to BIS about the applicability of ACE to a particular export and could further help exporters clearly determine what would be a covered ‘cybersecurity item’ under the rule.”

CompTIA also urged BIS to clarify one frequently asked question in its November guidance for the new cybersecurity export controls (see 2111120041). In the FAQ, BIS suggested that certain “specialized knowledge” may be subject to cybersecurity export controls.

“BIS should clarify that simply having personal knowledge is not inherently treated as ‘technology,’” CompTIA said. “As written, the answer may cause cybersecurity researchers to mistakenly believe that they need an export license simply to travel to certain destinations even if they aren't creating discrete pieces of documentation/other forms of ‘technology’ that could be subject to the” Export Administration Regulations.

While technology industry groups like ITI and CompTIA said parts of the rule can still be clarified to avoid harming industry, Access Now, a non-profit digital rights organization, said the restrictions don't go far enough. It said BIS should also control a “larger set of surveillance technology items” and expand the definition of cybersecurity items to better cover exports that have a “high risk of repression.” Controls should specifically be strengthened for biometric surveillance technologies, certain “electronic systems or equipment designed for surveillance and monitoring” and unmanned aerial vehicles capable of conducting surveillance, Access Now said.

The organization also recommended stricter due diligence requirements, saying BIS should not authorize any exports under License Exception ACE unless the exporter “shows that it does not know or does not have reason to know that the item will be abused.” Exporters should be required to submit a “sworn declaration” to BIS that they performed end-use due diligence and didn't find any red flags related to their export, the organization said, adding that exporters should also have to publicly disclose the destination countries of their shipments. “Companies often present their due diligence mechanism as effective,” Access Now said, “despite ample evidence that their internal controls fail or are inadequate to prevent the technologies from being repeatedly misused.”

Multiple commenters asked BIS to extend the comment period beyond the Dec. 6 cutoff date, especially “given how consequential the rule is to the cybersecurity community,” Microsoft said. Akin Gump, which said it represents several clients affected by the new restrictions, asked BIS to continue to allow comments until Jan. 5, two weeks before the rules take effect on Jan. 19, 2022. The law firm called the rules the “most complex” in the EAR.

“BIS is asking both industry and the public to consider all of these issues and provide insightful feedback in only 45 days, which is in itself surprising given that BIS has provided more time for comments on considerably less complex and less far-reaching regulatory changes in the recent past,” the law firm said. More time will allow for a “more meaningful opportunity to evaluate and comment on the potential impact of these rules before their effective date.”

A BIS spokesperson said the rule "reflects substantial input from the public" and the Commerce Department's technical advisory committees but declined to say whether the agency will extend the comment period. "BIS is currently reviewing the comments received and will consider whether revisions may be appropriate prior to the rule taking effect," the spokesperson said Dec. 13.