US government bans sale of hacking tools to China and Russia

The U.S. Department of Commerce has announced that it will ban the export of hacking tools to authoritarian governments in an effort to curb violations of human rights and other malicious cyber activities.

The rule, first reported by The Washington Post and later confirmed by the Commerce Department, will effectively ban the export or resale of hacking software and equipment to China, Russia and other countries of concern, for national security reasons, without a license from the department’s Bureau of Industry and Security (BIS).

The move comes after the Biden administration in March restricted the export of U.S. technologies — including advanced semiconductors and software that uses encryption for information security — to China and Russia as it continues to take a hard-line national security approach toward the two countries.

The latest sanctions are due to go into effect in 90 days and will cover software such as Pegasus, spyware developed by Israeli firm NSO Group that several authoritarian governments have used to hack into the phones of their most vocal critics, including journalists, activists, politicians and business executives.

Software intended for cyber defense purposes, on the other hand, is exempt from needing an export license, meaning the new rule won’t prevent U.S.-based cybersecurity researchers from collaborating with colleagues overseas or disclosing flaws to software makers. When BIS first published a proposed rule in 2015, it received almost 300 comments that raised “substantial concerns” about the impact it would have on legitimate cybersecurity research and incident response activities.

The rule brings the U.S. in line with the 42 European nations and allies that are members of the Wassenaar Arrangement, which sets voluntary export control policies on military and dual-use technologies.

“The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights,” said Commerce Secretary Gina M. Raimondo. “The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities.”

The Commerce Department — which last year became one of the first victims of the Russia-linked SolarWinds hack — is giving the public 45 days to comment on the rule, and is seeking comments on the potential cost of compliance and any impacts it could have on legitimate cybersecurity activities. The agency will have another 45 days to make changes before the rule becomes final.