US decides to control overseas sales of hacking tools

A computer keyboard lit by a displayed cyber code is seen in this illustrative photo taken on March 1, 2017. REUTERS / Kacper Pempel

October 20 (Reuters) – The US Department of Commerce on Wednesday announced new rules intended to curb the sale of offensive cybersecurity products to certain countries with “authoritarian” practices, according to a Federal Register submission.

American companies and any company that sells computer software made in the United States will need a license to sell hacking tools to certain foreign governments or to buyers, including middlemen, located in Russia or China.

“The United States government opposes the misuse of technology to infringe human rights or carry out other malicious cyber activity, and these new rules will help ensure that American businesses do not power up authoritarian practices, “the Commerce Department said in a statement.

A license would be required for sales to foreign governments classified as “countries of national security or of concern for weapons of mass destruction”, or which are already subject to an arms embargo.

Historically, US companies already had to apply for a license from the federal government when selling sensitive encryption technology or communication interception systems abroad.

“These elements justify controls because these tools could be used for purposes of surveillance, espionage or other actions which disrupt, prohibit or degrade the network or the devices which are there”, indicates a summary of the new rules of the Federal Register.

Experts say it’s difficult to regulate this market because of how the industry classifies offensive and defensive cybersecurity products.

Depending on how a certain defensive tool is deployed or reconfigured, it can potentially be transformed into a surveillance capability.

The United States is a leader in the sale of cybersecurity products, alongside Israel.

“The United States is committed to working with our multilateral partners to prevent the spread of certain technologies that can be used for malicious activities threatening cybersecurity and human rights,” said US Secretary of Commerce Gina Raimondo in a statement.

The rules will become final in 90 days, after a period of public comment.

The announcement follows charges by the US Department of Justice against three former US intelligence community officials who offered hacking services to the UAE government, helping it spy on dissidents and rivals geopolitics. The three men worked for a Maryland defense contractor before joining a local Emirati company.

The Biden administration has put in place a series of new cybersecurity regulations to help protect critical infrastructure, such as gas pipelines and transportation hubs, from hacker attacks. But the rules announced Wednesday are among the most consistent regarding the export of American cybertechnologies abroad.

Reporting by Christopher Bing Editing by Paul Simao

Our Standards: Thomson Reuters Trust Principles.

About Leni Loberns

Check Also

Behind schedule Mountain Valley Pipeline wants permit extension / Public News Service

Developers of a more than 300-mile gas pipeline that would cross North Carolina, Virginia and …