The U.S. Department of Commerce has put out interim rules intended to curb the export or transfer (in-country) of cybersecurity/hacking tools that can be used for malicious cyber activities.
The rules will create a “License Exception Authorized Cybersecurity Exports” (ACE). The department is soliciting comments from the public within the next 45 days. The rules will become effective after 90 days.
The Proposed Licensing Rules
The ACE would allow the export and transfer of ‘cybersecurity items’ to most countries except in certain circumstances. It will retain a license requirement for exports to countries that pose a national security concern, e.g. Russia and China. The Department’s Bureau of Industry and Security will issue licenses for export to these countries.
The rule aims to curb the use of these cybersecurity tools for surveillance, espionage, or other disruptive actions. It would also impose end-use restrictions to achieve this aim. If the exporter knows or has a reason to know that the item will be used for any of the above actions, it will need to impose end-use restrictions.
In a statement, the Department said:
“The United States Government opposes the misuse of technology to abuse human rights or conduct other malicious cyber activities, and these new rules will help ensure that U.S. companies are not fueling authoritarian practices.”
The rules bring the U.S. in line with 42 other European nations that are members of the Wassenaar Agreement on voluntary export control policies on military and dual-use technologies.
Some Context to the Issue
Three former U.S. intelligence operatives admitted to having helped the UAE spy on its enemies by hacking into accounts of activists, journalists, and rival governments.
In addition, the U.S. has suffered major cybersecurity breaches this year. In fact, the Commerce Department itself was one of the first victims of the SolarWinds hack. In the past few months, the U.S. has witnessed multiple cyberattacks, including the Colonial Pipe hack, the REvil ransomware attack on a United States nuclear weapons contractor, and the JBS hack, among others.
The government has started an online helpline to support ransomware victims. It has even issued guidance to investigate ransomware and terrorist attacks alike and introduced five bipartisan bills to protect critical infrastructure.
Further, in an attempt to crack down on cybercriminals’ payment infrastructure, the government has imposed sanctions on a crypto exchange facilitating ransomware payments.