New BIS Cybersecurity Controls Could Have Broad Compliance Implications, Law Firms Say

BIS announced the controls in an interim final rule this month, issuing new restrictions for certain cybersecurity items and new License Exception ACE (see 2110200036). The controls stemmed from a proposed rule issued by BIS in 2015, but the agency scrapped the rule and returned to the multilateral Wassenaar Arrangement to renegotiate the controls after receiving hundreds of critical comments from industry, with many saying the controls were too broad. The agency is accepting comments through Dec. 6 on its latest rule, which it believes has a “limited scope” and sufficiently addresses industry concerns.

But several law firms said more work can be done. It’s clear “BIS has tailored the interim final rule relatively narrowly,” Steptoe & Johnson said in an October alert. “Still, it imposes new regulatory burdens on the vast majority of impacted parties that are engaged in critical security work, and ultimately in effect only restricts a small sliver of cyber activity that may be more controversial or malicious.”

Although BIS estimated the rule will impose an additional annual cost of $2,250 on industry, which accounts for the expected increase in license applications required by the rule, that number “may strike affected companies as an underestimation,” the firm said. “Stakeholders may have real questions regarding the scope and costs of the rule.”

If BIS focuses only on “specific cyber-intrusion and network surveillance equipment” and other malicious activities, the rules could prove to be narrow, Fenwick said in an October alert. But exports to countries of national security concern, including China and Russia, will be “highly restricted,” the firm said, and companies will have to “navigate” new exclusions when dealing with Cyprus, Israel and Taiwan. All three are exempt from certain end-user restrictions under License Exception ACE.

“Network infrastructure manufacturers, cybersecurity software and service providers, IT forensics firms, bug bounty programs, and those engaged in vulnerability testing and research may feel the impact of the rule,” Fenwick said. Companies may want to determine “whether there are more effective ways to draw lines around controlled products and whether they can propose more accurate definitions” to BIS that “reflect industry understanding of the terminology used in the rule.”

Mayer Brown made similar points, saying in an alert this month that the rule could have “significant implications” and urging businesses to submit comments. The new controls may even affect “non-U.S. companies who deal with ‘cybersecurity items’ and potential foreign investors in U.S. businesses whose activities involve such technologies.”

Although BIS said the new controls are designed to be limited and effective, some view any effort to impose controls on “intrusion software” items as “fundamentally misguided,” Steptoe said, because cyber tools can be used for a range of beneficial security purposes. “Therefore, the critics say, it is like putting a round peg in a square hole to try to use export controls in this context.”

But BIS has clearly “signaled that there is still time for these regulations to be made more clear and potentially even more narrowly tailored,” the firm said. “Industry and other affected stakeholders may wish to take advantage of the 45 day comment period and communicate to BIS any concerns about the interim final rule to help the government understand its impacts and ambiguities.”

At the same time, companies should also keep in mind BIS has faced criticism from Republican lawmakers for taking too long to issue emerging and foundational technology controls under the Export Control Reform Act of 2018 (see 2110250035), Steptoe said. The agency “has been on the receiving end of considerable pressure from members of Congress to move more quickly and aggressively in those efforts,” the firm said, which could affect this rule.