Northwest Arkansas Democrat-Gazette

U.S. unveils hacking-tool regulation

Rule allows collaboration but bars sale of spyware, gear to China, Russia

- ELLEN NAKASHIMA

WASHINGTON — The Commerce Department on Wednesday announced a long-awaited rule that officials hope will help stem the export or resale of hacking tools to China and Russia while still enabling cybersecurity collaboration across borders.

The rule, which will take effect in 90 days, would cover software such as Pegasus, a potent spyware product sold by the Israeli firm NSO Group to governments that have used it to spy on dissidents and journalists.

It would bar sales of hacking software and equipment to China and Russia, as well as to a number of other countries of concern, without a license from the department’s Bureau of Industry and Security.

What it is not intended to do, senior Commerce Department officials say, is prevent American researchers from working with colleagues overseas to uncover software flaws, or cybersecurity firms from responding to incidents.

The rule had been in the works for years, stalled earlier by fears that it would stymie cyber defensive work. Now officials hope they have reached the right balance.

“The rationale is these are items that can be misused to abuse human rights, to track and identify dissidents or disrupt networks or communications, but they also have very legitimate cybersecurity uses,” said one senior official, who spoke on the condition of anonymity under ground rules set by the agency. “So what the rule does is restrict these exports to the problematic countries.”

Commerce already has export controls on products containing encryption, so the new rule applies to products that do not contain encryption, officials said.

There are probably few U.S. companies whose products would be covered by the rule, but anyone who sells U.S.-origin software or technology to develop cyber intrusion products outside the United States must also seek authorization, officials said.

The rule is complicated. For instance, an American company wanting to ship “intrusion software” to the governments of Israel, the United Arab Emirates and Saudi Arabia would require a license. If the software is to be used for cyberdefense purposes, such as penetration testing, and will be sold to nongovernment persons, then a license is not required.

Any intrusion software, even for defensive purposes, being sold to anyone in China or Russia, whether or not they work for the government, will require a license, according to the rule.

Commerce’s Bureau of Industry and Security will vet the end user before deciding whether to grant a license.

“That’s one of the primary purposes of the license application,” said Kevin Wolf, a former assistant secretary of export administration at the Commerce Department. “Do we trust that the company overseas is going to use it for the reason stated? If there are doubts, they will deny the application.”

The rule will align the United States with the 42 European and other allies that are members of the Wassenaar Arrangement, which sets voluntary export control policies on military and dual-use technologies — or products that can be used for both civilian and military purposes.

China is not a Wassenaar member, but Russia is. Israel is also not a member but voluntarily adopts its controls, although that apparently did not prevent Pegasus from being sold to and used by Saudi Arabia to track journalists and dissidents, as countries can vary in how they implement Wassenaar controls.

Most of the other Wassenaar countries have already imposed regulations on hacking tools. The United States would be the last or near last to do so, officials said. The delay grew out of the issue’s complexity and the agency’s desire not to impede legitimate cybersecurity work.

Unlike most of the other Wassenaar countries, the United States has a large cybersecurity industry. When Commerce several years ago released a proposed rule governing this area, companies voiced concerns that the regulation could restrict legitimate work such as responding to network attacks or disclosing software flaws to software makers.

The new rule is an attempt to address those concerns while seeking to prevent tools and technology from being misused by authoritarian states, officials said.

“We’re trying to walk the line between not impairing legitimate cybersecurity collaboration across borders, but trying to make sure these pieces of hardware and software technology aren’t obtained and used by repressive governments,” the senior official said.
