Why Commerce Went Against Microsoft on Rule to Control Cyber Exploits


The rule aims to prevent certain countries—most notably China—from receiving U.S. exports that could advance their intrusion and surveillance technology.

A new rule at the Commerce Department regarding China’s access to cyber vulnerabilities that could harm national security has been put in effect without a major change, despite opposition from Microsoft.

The rule, finalized with a notice of publication in the Federal Register Thursday, requires entities sending potential cyber exploits across borders to get a license if they’re dealing with any organization or individual associated with governments like China’s—unless the activity is for legitimate cybersecurity purposes, such as public vulnerability disclosure or incident response.

Commerce didn’t identify Microsoft by name, but noted, “one commenter stated that the licensing requirement for people acting on behalf of a ‘government end user’ will chill cross-border collaboration with cybersecurity researchers and bug bounty hunters, because exporters will be required to check whether an individual has a government affiliation before communicating with them. The company recommends [the Commerce Department’s Bureau of Industry and Security] either remove this requirement or modify it. BIS disagrees with this recommendation.”

A review of comments in the rule’s docket identified Microsoft as the company BIS disagreed with. 

“This will inhibit Microsoft and other companies’ ability to deploy routine cybersecurity activities across multiple markets given uncertainty as to whether individuals or entities that participate in those activities are restricted for acting on behalf of a government entity,” Microsoft wrote, noting that this could include government-operated research institutions. “To mitigate the likely compliance burden and unintended consequences on cybersecurity response and collaboration, BIS should strike the ‘on behalf of’ language in the definition of government end user, or at the very least, clarify what individuals or entities may be captured by this language.”

Microsoft made its case by pointing to reverse engineering and other techniques the company says it’s constantly using to develop patches and upgrades based on analysis of exploit code. Commerce did make some changes to its proposed rule based on feedback from the cybersecurity research community, but suggested Microsoft’s recommendation would undermine the whole point of the rule.  

“The license requirement for people acting on behalf of a government is necessary to prevent people who are acting on behalf of a Country Group D government from obtaining ‘cybersecurity items’ for activities contrary to U.S. national security and foreign policy interests,” Commerce wrote, referring to the category of nations—including China—that requires a case-by-case review of license applications. “Removing this requirement would risk allowing Country Group D governments access to those items.”

Microsoft thanked BIS for incorporating feedback from the research community and creating a carve-out in its interim rule to protect legitimate cybersecurity activity. The company said it is not possible to determine in which cases that exception might prove insufficient to address its concerns.

“We fully appreciate that BIS recognized that the prior rule was overbroad … and has taken concrete steps to craft a new rule that is sensitive to the concerns previously raised by the cybersecurity community,” Microsoft wrote. “We remain concerned … given confusion as to what is and is not allowed. For activity that may be subject to licensing—which at this stage is undeterminable—we have concerns that the license process for technologies that do not fit neatly into a particular category of use is extremely cumbersome.”

Commerce in turn acknowledged Microsoft’s concern but—as others on the powerful Committee on Foreign Investment in the United States have maintained in a similar context—asserted a net benefit for national security given the requirement’s narrow scope.

“BIS agrees that this means that exporters will in some cases have to check government affiliation of people and companies they work with,” reads the final rule. “However, because of the limited scope and applicability of the license requirement, BIS believes the requirement will protect U.S. national security and foreign policy interests without unduly impacting legitimate cybersecurity activities.”