Commerce Department announces new rule aimed at stemming sale of hacking tools to Russia and China

The rule, which will take effect in 90 days, would cover software such as Pegasus, a potent spyware product sold by the Israeli firm NSO Group to governments that have used it to spy on dissidents and journalists.

It would bar sales of hacking software and equipment to China and Russia, as well as to a number of other countries of concern, without a license from the department's Bureau of Industry and Security (BIS).

What it is not intended to do, senior Commerce Department officials say, is prevent American researchers from working with colleagues overseas to uncover software flaws, or cybersecurity firms from responding to incidents.

The rule had been in the works for years, stalled earlier by fears that it would stymie cyber defensive work. Now officials hope they have reached the right balance.

"The rationale is these are items that can be misused to abuse human rights, to track and identify dissidents or disrupt networks or communications, but they also have very legitimate cybersecurity uses," said one senior official, who spoke on the condition of anonymity under ground rules set by the agency. "So what the rule does is restrict these exports to the problematic countries."

Commerce already has export controls on products containing encryption, so the new rule applies to products that do not contain encryption, officials said.

There are probably few U.S. companies whose products would be covered by the rule, but anyone who sells U.S.-origin software or technology to develop cyber intrusion products outside the United States must also seek authorization, officials said.

The rule is complicated. For instance, an American company wanting to ship "intrusion software" to the governments of Israel, the United Arab Emirates and Saudi Arabia would require a license. If the software is to be used for cyberdefense purposes, such as penetration testing, and will be sold to nongovernment persons, then a license is not required.

Any intrusion software, even for defensive purposes, being sold to anyone in China or Russia, whether they work for the government, will require a license, according to the rule.

Commerce's BIS will vet the end user before deciding whether to grant a license.

"That's one of the primary purposes of the license application," said Kevin Wolf, a former assistant secretary of export administration at the Commerce Department. "Do we trust that the company overseas is going to use it for the reason stated? If there are doubts, they will deny the application."

The rule will align the United States with the 42 European and other allies that are members of the Wassenaar Arrangement, which sets voluntary export control policies on military and dual-use technologies - or products that can be used for both civilian and military purposes.

China is not a Wassenaar member, but Russia is. Israel is also not a member but voluntarily adopts its controls, although that apparently did not prevent Pegasus from being sold to and used by Saudi Arabia to track journalists and dissidents, as countries can vary in how they implement Wassenaar controls.

Most of the other Wassenaar countries have already imposed regulations on hacking tools. The United States would be the last or near last to do so, officials said. The delay grew out of the issue's complexity and the agency's desire not to impede legitimate cybersecurity work.

Unlike most of the other Wassenaar countries, the United States has a large cybersecurity industry. When Commerce several years ago released a proposed rule governing this area, companies voiced concerns that the regulation could restrict legitimate work such as responding to network attacks or disclosing software flaws to software makers.

The new rule is an attempt to address those concerns while seeking to prevent tools and technology from being misused by authoritarian states, officials said.

"We're trying to walk the line between not impairing legitimate cybersecurity collaboration across borders, but trying to make sure these pieces of hardware and software technology aren't obtained and used by repressive governments," the senior official said.

The push for a control on hacking tools began about a decade ago in the wake of reports about firms whose wares were used to target dissidents. The official recalled how he learned that Libyan leader Moammar Gaddafi, who was deposed and killed in 2011, had used surveillance tools to track dissidents and activists. They were made by a French company, Amesys, according to the Wall Street Journal.

In the ensuing years, other companies that produced spyware made headlines: The Italian company Hacking Team. The European firm Gamma. The Israeli NSO Group.

In late 2013, Wassenaar members agreed to add products that aid cyber intrusions to the list of controls. It was up to each member state to adopt the control as it saw fit.

The rule's complexity makes comment from the security community crucial, said Dave Aitel, a computer scientist who worked for the National Security Agency and who consulted on the rule's provisions. Commerce should assign a team tasked with educating cyber researchers and companies about it, he said. "They're very used to engaging with large companies but the security community is not centered in a few industry giants."

Wolf, the former senior official, was glad to see the rule finally emerge.

"Commerce appears to have threaded the needle of controlling cyber intrusion software without harming legitimate cyber defense efforts," said Wolf, a former head of BIS who spearheaded the effort to create the rule from 2013 until he left the agency in 2017.

He noted that Commerce is giving the public 45 days to comment on the rule, and the agency will have another 45 days to make changes before the rule becomes final.