U.S. introduces regulations on export of hacking tools

The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) announced on October 20 (local time) that it is introducing new export control regulations aimed at curbing the export and re-export of hacking tools to certain countries. Authorities are holding a public opinion call to introduce a rule that has been put on hold for years on fear that it will undermine improvements in domestic cybersecurity.

The new rules issued by the Ministry of Commerce regulate the export, re-export or transfer within the country of certain items that could be used for malicious cyber activities. It requires a license to export items to countries with arms embargoes in the United States and to countries of national security concerns or suspected of possessing weapons of mass destruction.

According to the report, a license is required for companies that want to export certain items to the government, for example Israel, the United Arab Emirates and Saudi Arabia, but unless the software is used for cybersecurity purposes, such as intrusion detection testing, and sold to non-governmental parties. . It also states that a license is required for export to China and Russia in any case.

The rules also include Pegasus, software developed by Israeli security firms to spy on foreign journalists and senior officials. As for Pegasus, journalists around the world have been harmed, and journalists and security companies have protested against the Pegasus supplier and asked the government to crack down.

According to the report, a high-ranking official from the Ministry of Commerce said that this regulation cannot prevent American musicians from working with foreign researchers to discover software flaws and security companies from responding to issues such as hacking. The rule has been on hold for several years in the country due to concerns that it might impede work in the cyber sector. Authorities around the time of this introduction said it was a well-tuned approach to protecting the United States from malicious cyber attackers while ensuring legitimate cybersecurity activities. The authorities also set a 45-day deadline from October 20 and are soliciting comments on the rule, but it will take effect after 90 days. Related information can be found here.