The US Department of Commerce’s Bureau of Industry and Security (BIS) released an interim final rule on Thursday adding cybersecurity technologies to the Export Administration Regulations (EAR). The EAR limits export and reexport of listed technology, products, and raw material, typically for national security reasons. In this case, the cybersecurity technologies in question are being added because of their use in surveillance and espionage.
The EAR restricts technology listed on the Commerce Control List (CCL) from being exported or reexported to certain countries. For example, nuclear material and chemical and biological weapons generally require a license for export regardless of the country of origin. Goods that are under the jurisdiction of BIS that do not have a specific classification only require a license if they are being exported to an embargoed country, such as Iran. The EAR is broadly applicable; it applies to any good in the United States, any foreign product that contains US products or materials, or any foreign product that is bundled with US products or materials.
The new rule establishes a general license for domestic transfers of cybersecurity technology, provided it is not listed for surreptitious listening. Moreover, the license excludes exports where the end-user is a foreign government. As a result, this regulation would restrict the ability of US companies to sell surveillance equipment to foreign governments. In the press release for these regulations, BIS stated, “The United States Government opposes the misuse of technology to abuse human rights or conduct other malicious cyber activities, and these new rules will help ensure that U.S. companies are not fueling authoritarian practices.”