BIS Proposes Licensing Requirements for Cybersecurity Item Exports, More Information for Export Control Documents
05 June 2015
The Bureau of Industry and Security is inviting comments through 20 July on a proposed rule that would impose a licence requirement for the export, re-export or transfer (in-country) of the following cybersecurity items to all destinations except Canada.
- systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software (including network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices)
- software specially designed or modified for the development or production of such systems, equipment or components
- software specially designed for the generation, operation or delivery of, or communication with, intrusion software
- technology required for the development of intrusion software (including proprietary research on the vulnerabilities and exploitation of computers and network-capable devices)
- Internet protocol network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor
According to BIS, this rule proposes to add Export Control Classification Number 4A005 (systems, equipment or components therefor specially designed for the generation, operation or delivery of, or communication with, intrusion software) and ECCN 4D004 (software specially designed for the generation, operation or delivery of, or communication with, intrusion software) to the Commerce Control List. These ECCNs would be controlled for national security, regional stability and anti-terrorism reasons to all destinations except Canada. No licence exceptions would be available except certain provisions of licence exception GOV (exports to or on behalf of the U.S. government). This rule also proposes adding a licence requirement note and a note in the related controls paragraph for these ECCNs to alert exporters to include all relevant information when submitting classification requests and licensing applications.
BIS states that although these cybersecurity capabilities were not previously designated for export control, many have been controlled for their information security functionality, including encryption and cryptanalysis. This rule continues applicable encryption items registration and review requirements while setting forth proposed licence review policies and special submission requirements to address the new cybersecurity controls, including submission of a letter of explanation with regard to the technical capabilities of the cybersecurity items.
Comments may also be submitted by 6 July on how the export clearance requirements in part 758 of the Export Administration Regulations can be improved, including how they can be better harmonised with the export clearance requirements under the International Traffic in Arms Regulations. In particular, BIS is considering requiring the following information on export control documents (the commercial invoice and contractual documentation).
- ECCNs for all items on the CCL (except those designated EAR99)
- identification of the country of ultimate destination (BIS believes this would only impact a small number of exports because in most cases the export control documents already identify the country of ultimate destination)
- the licence number, licence exception code or "no licence required" designation (comments are specifically requested on the application of this requirement to mixed authorisation and mixed jurisdiction shipments)
Also of potential interest are separate proposals by BIS and the State Department to harmonise the destination control statements required under the EAR and the ITAR. The proposed rules would make a number of other changes as well. Comments on these proposed rules are due no later than 6 July.
The EAR require exporters to include a destination control statement on certain export control documents that accompany a shipment for most exports. The purpose of this statement is to alert other parties outside the United States that receive the item that the item is subject to the EAR, that the item was exported in accordance with the EAR and that diversion contrary to U.S. law is prohibited. The ITAR include the same type of requirement but specific to the ITAR context and with slightly different text. The purpose of the requirements is the same under both sets of regulations.
BIS states that because the transfer of formerly ITAR-controlled defence article parts and components to the EAR under the Export Control Reform Initiative has increased the incidence of exporters shipping articles subject to both the ITAR and the EAR in the same shipment, there has been confusion among exporters as to which destination control statement to include on such mixed shipments or whether to include both. Harmonising these statements is thus intended to simplify export clearance requirements for exporters because they would not have to decide which statement to include. Harmonisation is also an "important step" to prepare both regulators and the regulated public for the eventual creation of a single export control list and single licensing agency.
The harmonised destination control statement would adopt language that would be equally applicable under the ITAR and the EAR. The first sentence of the statement would specify that "these items are controlled and authorised by the U.S. government for export only to the specified country of ultimate destination for use by the end-user herein identified." The term "authorised" would include exports designated as "no licence required."
The second sentence would focus on alerting the persons receiving the items that they may not be resold or transferred or otherwise be disposed of to any other country or any person other than the authorised end-user or consignee(s), either in their original form or after being incorporated into other items, without first obtaining approval from the U.S. government or as otherwise authorised by U.S. law and regulations. BIS states that the application of this second sentence would be different under the ITAR and the EAR due to the different types of authorisations and other approvals in the respective regulations as well as other differences, such as the de minimis requirements in the EAR.
Other changes proposed by BIS or State include the following.
- adding clarifying language to various provisions of the ITAR pertaining to the export of items subject to the EAR pursuant to a Department of State authorisation when such exports are made in conjunction with items subject to the ITAR (including guidance on the use of licensing exemptions as well as clarification that items subject to the EAR are not considered defence articles even when exported under a licence or other approval (to include exemptions) issued by State)
- clarifying when exports may be made to or on behalf of a U.S. government agency without a licence and expanding this exemption to allow for permanent, not just temporary, exports
- clarifying how parties may obtain authorisation from State to export or retransfer items subject to the EAR
- removing from the ITAR the requirement to provide seven paper copies for various export licence requests, which has not been necessary for many years due to the use of electronic licence submissions
- removing the pilot filing requirement in the ITAR because it does not take into account the practices of modern airport operations and is no longer necessary