Commerce Department cracks down on sale of hacking products to foreign governments

The Commerce Department on Wednesday took steps to crack down on the sale of certain hacking products used by foreign governments and other groups to surveil and repress individuals.  

The agency’s Bureau of Industry and Security issued an interim final rule that establishes controls on the export, reexport or transfer of certain cybersecurity items, requiring a license to ship these products to any countries posing a national security or weapons of mass destruction risk, such as China and Russia. 

Users restricted from using these products, which include surveillance tools, would include governments posing a threat or subject to arms embargoes, and users who intend to use the products in a way that would compromise information systems without the owner’s permission.

“These items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it,” the rule reads.

Commerce Secretary Gina Raimondo said Wednesday that the rule was intended to protect human rights. 

“The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights,” Raimondo said in a statement Wednesday. 

“The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities,” she said. 

The Commerce Department is accepting public comments on the interim final rule for the next 45 days, with the rule to go into effect in 90 days. 

The rule was issued following growing concerns about the use of hacking tools by foreign governments for surveillance purposes.

Apple last month released emergency updates for many of its products following the discovery of a vulnerability that allowed Israeli company NSO Group to infect Apple products with spyware. The vulnerability was discovered when Citizen Lab was investigating a phone used by a Saudi Arabian activist that had been infected with NSO Group spyware.

NSO Group’s products have become an increasing concern, with Reuters reporting last year that the FBI was investigating the use of the company’s spyware for hacking operations against U.S. citizens, organizations and foreign governments. 

NSO Group was also accused by WhatsApp in 2019 of allowing its spyware to be used by governments to target officials, and more recently its spyware was found to have been used by Dubai’s ruler Sheikh Mohammad bin Rashid Al Maktoum to hack the phone of his ex-wife and her legal team. 

But while the Biden administration is keen to take a stand against this type of activity, in the wake of a difficult year that has seen a massive spike in major cyber incidents, it is attempting to balance new regulations with collaboration. 

According to The Washington Post, the rule from the Commerce Department would have been issued long before Wednesday, but the agency was trying to find a way to curtail the use of cybersecurity tools for malicious purposes while not compromising global cybersecurity work. 

“We’re trying to walk the line between not impairing legitimate cybersecurity collaboration across borders, but trying to make sure these pieces of hardware and software technology aren’t obtained and used by repressive governments,” a senior official told The Washington Post.