US to Ban Export of Hacking Tools to Authoritarian States

The US government has issued new rules designed to prevent the export of hacking and surveillance tools to regimes guilty of human rights abuses.

The “interim final rule” was released by the Commerce Department’s Bureau of Industry and Security (BIS) and will go into force in 90 days.

Governments singled out by the proposals are “of concern for national security reasons” or subject to an arms embargo.

Restrictions will also apply if the exporter knows that the product will be used to impact the confidentiality, integrity or availability of IT systems without the knowledge of their owner/administrator.

“The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights,” said commerce secretary Gina Raimondo.

“The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities.”

The move will do nothing to impact the export of hacking tools from other countries to authoritarian regimes. Controversial spyware developer NSO Group is headquartered in Israel, for example.

The cybersecurity community has 45 days to comment on the proposals. They include a License Exception Authorized Cybersecurity Exports (ACE) designed to ensure products can still be sold to “most destinations” unhindered.

The latest action by BIS comes as a result of its negotiations in the multilateral Wassenaar Arrangement, which governs export controls. The long-running treaty has been criticized in the past for adding unnecessary red tape for cybersecurity vendors wanting to export their products abroad.

Several years ago, it was claimed the rules could even restrict the sharing of vulnerability information globally between legitimate threat researchers.

Full details of the new BIS interim final rule are available here.
