Photo of Curtis Dombek

Curt Dombek is a partner in the Governmental Practice. Curt divides his time between the firm's Brussels and Los Angeles offices.

If you are not aware, please take note that the July 20, 2015 deadline is fast approaching for comments to the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) proposed rule on the export control of certain intrusion and surveillance related software.  The proposed rule, which addresses changes to the U.S. Export Administration Regulations (EAR), is designed to align with agreements made in the December 2013 Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, a multilateral export control regime with 41 participating states committed to promoting transparency and responsibility in cross-border transfers of arms and dual-use goods and technologies.  The wide-reaching rule proposes adding new controls in Category 4 of the EAR’s Commerce Control List (CCL) intended to address “intrusion software” used by hackers and other cybercriminals.  The difficulty is that, in the way the proposed rule is worded (and explained), it also subjects network penetration testing products, the type that use “intrusion software” to identify cyber-vulnerabilities, to the same export licensing requirements.  That is to say, the manner in which the controlled intrusion software would be defined includes the good as well as the bad, and – could have a chilling effect on beneficial research and development of defensive software.
Continue Reading The Baby and the Bathwater: The Department of Commerce’s Bureau of Industry and Security (BIS) Intrusion and Surveillance Software Export Licensing Proposal