WASHINGTON — The Commerce Department on Wednesday announced a rule that officials hope will help stem the export or resale of hacking tools to repressive governments while still enabling cybersecurity collaboration across borders.
The rule, which will take effect in 90 days, would cover software such as Pegasus, a potent spyware product sold by the Israeli firm NSO Group to governments that have used it to spy on dissidents and journalists.
It would bar sales of hacking software and equipment to China and Russia without a license from the department’s Bureau of Industry and Security.
What it is not intended to do, senior Commerce Department officials say, is prevent American researchers from working with colleagues overseas to uncover software flaws or cybersecurity firms from responding to incidents.
“The rationale is these are items that can be misused to abuse human rights, to track and identify dissidents or disrupt networks or communications, but they also have very legitimate cybersecurity uses,” said one senior official, who spoke on the condition of anonymity under ground rules set by the agency. “So what the rule does is restrict these exports to the problematic countries.”
Commerce already has export controls on products containing encryption, so the new rule applies to products that do not contain encryption, officials said.
There are probably few US companies whose products would be covered by the rule, but anyone who sells US-origin software or technology to develop cyber intrusion products outside the United States must also seek authorization, officials said.
The rule is complicated. For instance, an American company wanting to ship “intrusion software” to the governments of Israel, the United Arab Emirates, and Saudi Arabia would require a license. If the same software is destined for nongovernment end users in those countries and will be used for cyberdefense purposes, such as penetration testing, no license is required.
Any intrusion software, even for defensive purposes, being sold to anyone in China or Russia, whether or not they work for the government, will require a license, according to the rule.
Commerce will vet the end user before deciding whether to grant a license. The agency wants to know if the party can be trusted to use the product for the reason stated in the application.
The rule will align the United States with the other members of the 42-nation Wassenaar Arrangement, a group of European and other allies that sets voluntary export control policies on products that can be used for both civilian and military purposes.
China is not a Wassenaar member, but Russia is. Israel is also not a member but voluntarily adopts its controls. That apparently did not prevent Pegasus from being sold to and used by Saudi Arabia to track journalists and dissidents, because countries vary in how they implement Wassenaar controls.
The push for a control on hacking tools began about a decade ago following reports about firms whose wares were used to target dissidents. A senior US official recalled how after Libyan leader Moammar Gadhafi was deposed and killed in 2011, experts identified surveillance tools that the regime had used to track dissidents and activists. They were made by a French company, Amesys.
In the ensuing years, other companies that made spyware made the headlines: The Italian company Hacking Team. The European firm Gamma. The Israeli NSO Group.
In late 2013, Wassenaar members agreed to add products that aid cyber intrusions to the list of controls. It was up to each member state to adopt the control as it saw fit.
Commerce is giving the public 45 days to comment on the rule, and the agency will have another 45 days to make changes before the rule becomes final.