On 20 October 2021, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) issued new rules framing the “export, re-export, or transfer” of cybersecurity tools “that can be used for malicious cyber activities.”
Under the new regulations, a U.S. company will still be able to export its cybersecurity tools without authorization in most cases.
However, an export license signed by the federal government will be required for exports to countries subject to a U.S. arms embargo, or “where national security or weapons of mass destruction are a concern.”
The rule also prohibits the export of U.S. cybersecurity tools if they could be used “to affect the confidentiality, integrity, or availability of information or information systems, without the authorisation of the owner, operator, or administrator of the information system.”
This provision is a direct response to recent scandals that revealed that foreign governments have used U.S. cyber intelligence technologies to illegally monitor their opponents.