The US Commerce Department on Wednesday announced new rules intended to curb the sale of offensive cybersecurity products to some countries with “authoritarian” practices, according to a Federal Register submission.
US companies and any company that sells US-made cyber software will need a licence when selling hacking tools to certain foreign governments, or to any buyer, including middlemen, located in Russia or China.
“The US government opposes the misuse of technology to abuse human rights or conduct other malicious cyber activities, and these new rules will help ensure that US companies are not fuelling authoritarian practices,” the Commerce Department said in a statement.
A licence would be required for sales to foreign governments that are categorised as “countries of national security or weapons of mass destruction concern,” or which are already subject to an arms embargo.
Historically, US companies were already required to seek a licence from the federal government when selling sensitive encryption technologies or communication interception systems abroad.
“These items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it,” a summary of the new rules in the Federal Register states.
Experts say it is difficult to regulate this market because of how the industry categorises offensive and defensive cybersecurity products.
Depending on how a given defensive tool is deployed or re-engineered, it can potentially be transformed into a surveillance capability.
The US is a leader in the sale of cybersecurity products, alongside Israel.
“The US is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights,” US Secretary of Commerce Gina Raimondo said in a statement.
The rules will become final in 90 days, following a public comment period.
The announcement follows charges by the US Justice Department against three former US intelligence community officials who offered hacking services to the United Arab Emirates government, helping it spy on dissidents and geopolitical rivals. The three men worked for a Maryland defence contractor before joining a local Emirati company.
The Biden administration has instituted a series of new cybersecurity regulations to help protect critical infrastructure, like gas pipelines and transportation hubs, from being attacked by hackers. But the rules announced on Wednesday are among the most consequential concerning the export of American cyber technologies abroad.