The Commerce Department released a rule Wednesday aimed at stopping offensive cybersecurity tools made in the U.S. from falling into the hands of countries that use such software to undermine human rights or national security.
The new rule requires U.S. companies to obtain a license from the Commerce Department’s Bureau of Industry and Security before selling hacking tools to the governments and individuals in countries of national security concern, including China and Russia. Sales of defensive cybersecurity software are largely exempt from the rule. Technologies covered by the new rule include spyware and tools designed to carry out nefarious tasks, such as malicious trojans.
“The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights,” Commerce Secretary Gina Raimondo said in a statement.
The new rule, which will take effect in 90 days, brings the U.S. into line with other allies involved with the Wassenaar Arrangement, a global arms agreement signed by 41 countries. The Wassenaar Arrangement first added cybersecurity tools to its weapons agreement in 2013.
U.S. efforts to incorporate these guidelines into its arms export regulations met initial resistance. Industry, researchers and privacy advocates criticized a 2015 attempt by the Commerce Department as overly broad and as potentially opening the door to interference with legitimate security research.
The latest step was important “diplomatically” but is relatively limited in its effectiveness given that Russia and China have significant domestic hacking resources, said Maurice Turner, a cybersecurity fellow at the Alliance for Securing Democracy.
Additionally, the Wassenaar Arrangement does not include Israel, a major exporter of surveillance technology, including that of the controversial NSO Group. Israel is covered by the new Commerce guidelines, as are Saudi Arabia and the United Arab Emirates.
The most important test of the rule will be how the United States, which has one of the world’s largest cybersecurity industries, handles exports to allies, said John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab.
“The real question here is going to be how this thing winds up getting implemented and who ends up getting licenses and for what,” said Scott-Railton. “The real questions have to do with whether the U.S. can do things like restrain itself from selling tech to potential allies that have just a notorious human rights record.”
The new rule comes on the heels of the introduction of a bipartisan bill in the House seeking to put limits on the ability of former U.S. intelligence agents to contract for foreign nations. In September the Justice Department charged three former U.S. intelligence officers with hacking and conspiracy for providing spy technology to the United Arab Emirates without U.S. approval.