The US Department of Commerce announced export controls on hacking tools used for surveillance. The aim is to curb access to authoritarian governments who have been identified for human rights violations and abuses. Any companies who intend to sell their wares abroad will need to acquire a License Exception Authorized Cybersecurity Exports (ACE). An additional license is required for any companies seeking to do business with a country of national security concern or subject to a US arms embargo.
This change comes several years after the department’s initial attempt to implement a similar rule. The business community and other stakeholders worried that the wording was too broad and could negatively impact the security community. After taking public comment, revisions now include certain exceptions for activities such as vulnerability disclosure and cyber incident response, among other changes. The rule will take effect 90 days from its October 20th, 2021 announcement.
This rule is a move in the right direction, and it offers clearer boundaries to organizations and companies seeking to sell services or share their research outside the US. The security industry has been rapidly evolving. Companies and individuals have increasingly walked a tight rope of domestic and international security laws. One example of this gray area researchers find themselves in is working for a private offensive security company in a foreign country. Kim Zetter’s Zero Day blog post features an interview with a former NSA staffer who went on to work for the private company DarkMatter in the United Arab Emirates (UAE). The company’s operations involved offensive surveillance operations on behalf of the UAE’s security agency against foreign states. These actions eventually led the Justice Department to convict several former US intelligence staff for breaking multiple laws. On the other end of the spectrum is an interview with Mark Dowd on the Risky Biz podcast, who talks about the legal zero-day industry and the relationship they have with selling to Five Eye countries.