Export controls have been announced by the United States (US) in an interim measure for products that can be used for “malicious cyber activities”, according to a press release by the US government’s commerce department. It means that American exporters will need a license to sell cybersecurity products to countries of national security or weapons of mass destruction concern, it added.
The license will also be necessary for countries under a U.S. arms embargo. Cybersecurity items include hacking and surveillance tools like the Pegasus spyware. The new rules will be effective in 90 days as the department’s Bureau of Industry and Security (BIS) has requested public comments.
The clandestine nature of surveillance technology came under fire in the aftermath of the Pegasus Project’s revelations. Many rights groups demanded tighter export controls and moratoriums on the sale of such technology to states with a poor human rights record. The US government’s proposed rules could be a response to these demands as it is one of the leading cybersecurity exporters in the world.
Details of the proposed rule
- BIS has explained that end users targeted by this interim rule include a ‘government end user’.
- The License Exception ACE imposes an end-use restriction in situations where the exporter has reason to believe that the ‘cybersecurity item’ will be used to affect the confidentiality and integrity of information without authorisation from the owner at the time of export.
- US exporters must refer to the US State Department’s guiding principles for transactions involving foreign governments for surveillance products to minimise the risk of misuse by governments to violate or abuse human rights.
- The rule is complex by design, as per The Verge. The website adds that if the software is specifically for cyber defense and not sold to anyone associated with the government, no license would be needed.
- The Commerce Department has export controls on products containing encryption, so the new rule applies to products that do not contain encryption, The Washington Post reported.
Why is the US late to align with the Wassenaar Arrangement?
The Wassenaar Arrangement is a voluntary export control regime that sets rules on the export of dual-use (civilian & military) technologies. It has 42 participating countries including India.
The proposed rules are not meant to create roadblocks for American researchers working with overseas colleagues and cybersecurity firms, according to a Washington Post report.
The delay was a result of BIS’s concerns about impeding legitimate cybersecurity work, which sees a lot of cross-border exchanges. The rule had therefore been in the works for years, but government officials feel they have reached the right balance with the proposed rules, the report added.
Overview of developments on export of surveillance tech in the past
October 2020: The US State Department released due diligence guidelines for American companies exporting products, including surveillance software abroad.
July 2021: The US, UK, EU and allies released a joint statement accusing China of carrying out malicious cyber activities and urged Chinese authorities to address the situation.
July 2021: WhatsApp’s chief executive officer Will Cathcart urged governments to step in and impose a complete moratorium on the spyware industry in an interview with The Guardian in the wake of the Pegasus Project’s revelations.
September 2021: UN High Commissioner Michelle Bachelet, at the EU’s Committee on Legal Affairs and Human Rights, said that it was time for a pause. She said that until compliance with human rights standards can be guaranteed, governments should implement a moratorium on the sale and transfer of surveillance technology.
India’s purported misadventure
A couple of months ago, a cyber espionage campaign by India targeted government and telecom entities in China and Pakistan, according to a report by Forbes.
The aforementioned new rules would have made it difficult for India to go through with this attack. India used zero day vulnerabilities sold by Exodus Intelligence, a zero day exploit broker based in Austin, Texas, to run a campaign from June 2020 to April 2021. Exodus ‘cut off’ India from buying its zero day exploit research.
Zero day exploit brokers are companies that sell information about crucial software vulnerabilities and software which could exploit them.