BIS Expecting to Issue More Guidance for Cybersecurity Controls, Official Says
PHILADELPHIA -- The Bureau of Industry and Security hasn’t received many questions on its new cybersecurity export control rule since it took effect in March (see 2110200036 and 2201110025) but is planning more guidance to help industry and academia comply with the restrictions, a government official said. The official, who requested anonymity to speak candidly at the May 4 University Export Control Conference at the University of Pennsylvania, said the rule may not be getting much attention because its implementation coincided with a string of Russia-related export controls.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
“I assume that's why we haven't gotten a ton of questions,” the official said. “There's some other things of more pressing importance than the cyber rule, but I'm sure we will get them eventually.” The agency is planning “ongoing guidance and clarifications as questions and concerns arise."
The person also answered several compliance questions from university compliance officers, including whether U.S. colleges may be violating deemed export controls if foreign nationals are enrolled in their encryption courses. The official said those courses don’t constitute a deemed export control violation, even if the professor is using an export-controlled encryption software. “There's no export trigger there for students to use software that may be controlled,” the person said.
But BIS has been closely tracking paid, private courses that teach encryption or hacking techniques, the official said, which may violate the agency's cybersecurity export control rule under certain circumstances. “There are particular ways in which they're teaching hacking techniques” where “there could be some technology transfer there,” the official said. You would “have to vet foreign nationals sitting in those courses.”