Commerce Announces Rule for Selling Hacking Tools to Foreign Governments

U.S. companies will need to obtain a license from the Commerce Department to sell certain kinds of software—specifically cybersecurity tools that could be used for hacking or surveillance purposes—to foreign governments.

An interim rule announced Wednesday by the agency’s Bureau of Industry and Security establishes “controls on the export, re-export or transfer (in-country) of certain items that can be used for malicious cyber activities.”

The lengthy rule is complicated, but would require U.S. firms to secure a license to export select cyber technologies to countries “of national security or weapons of mass destruction concern,” including Russia and China. The rule further includes license requirements for companies that wish to sell cyber technologies to companies under U.S. arms embargo, or users who could intentionally misuse products.

“These items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it,” the interim rule reads.

The rule will go into effect in 90 days, but has been in the works for several years. Most recently, BIS received nearly 300 comments about the proposed rule, including concerns that changes might curtail legitimate cyber research and incident response activities. According to BIS, the agency “conducted extensive outreach with the security industry, financial institutions, and government agencies that manage cybersecurity” before scrapping some of the rule’s original verbiage. Wednesday’s interim rule brings the U.S. government on par with 42 other nations that are members of the Wassenaar Arrangement. The pact sets voluntary export controls on some military and civilian purposes. The interim rule imposes regulations on the sale of hacking tools, which most other member nations had already done.

“The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights,” Secretary of Commerce Gina Raimondo said in a statement. “The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities.”