On May 20, 2015, the US Department of Commerce’s Bureau of Industry and Security (BIS) published a proposed export control rule that seeks to impose strict controls on the export of certain intrusion and surveillance (“cybersecurity”) items. The rule would add new licensing and reporting requirements for companies developing and exporting intrusion and surveillance cyber products. This proposal is meant to implement the December 2013 cybersecurity additions to the Wassenaar Arrangement, an agreement among 41 states that coordinate export control proposals foor enactment into national law. The proposed rule tightens control over a potentially wide range of cybersecurity items, increases the regulatory burden on companies to a potentially prohibitive level, and could impede some exports altogether to certain countries and end-users.
The proposed rule could cover a wide range of cybersecurity companies and products and is likely to generate significant comments from industry. Concerns primarily stem from the overbroad and vague language used in the proposed rule, which could include many defensive products, items related to vulnerability research, and even some products not directly connected with security. As such, the proposed rule could damage US security companies’ ability to compete abroad and stunt US cybersecurity efforts. We saw this same scenario play out for the US space industry as a result of excessive and burdensome ITAR export control regulation of technologies in that sector that had dual use capability. The US Government needs to take stock, not forget the lessons of the past, and be more innovative in establishing a control regime that comports with global realities. Companies that develop, produce, test, market, or are major offshore users of cybersecurity items should carefully consider submitting comments regarding the potential impact of the rule on their business and whether the rules impose unmanageable burdens. BIS is accepting comments on the proposed rule until July 20, 2015.