U.S. Government set to ban sale of hacking tools to China and Russia
Dina Temple-Raston October 20, 2021

U.S. Government set to ban sale of hacking tools to China and Russia

U.S. Government set to ban sale of hacking tools to China and Russia

The Commerce Department introduced a new export control rule on Wednesday aimed at curbing the export or resale of hacking tools to China and Russia. The regulation had been held up for years amid concern that attempting to curb such sales would inadvertently hobble defensive cyber efforts. 

The Department said in a statement that after taking hundreds of comments into account it now believes it has struck a balance that will allow researchers and cybersecurity companies to continue to work with overseas partners and clients on software bugs and malicious attacks while at the same time curbing adversaries’ ability to get their hands on the technology.

“The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities,” U.S. Secretary of Commerce Gina M. Raimondo said in a statement, adding that the new rule “is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities.”

The rule will take effect in 90 days and requires companies to secure a license from the department’s Bureau of Industry and Security (BIS) before selling hacking software and equipment China, Russia and a roster of other countries of concern. The idea is to make it more difficult for adversaries to use these cyber tools to trample on human rights, track dissidents, or to disrupt communications while still providing space for cybersecurity companies.

The move puts U.S. more in step with dozens of European allies who have signed onto the so-called Wassenaar Arrangement, a voluntary framework aimed at controlling the sale of a roster of technologies that can be used for both civilian and military purposes. China and Israel are not part of the Wassenaar Agreement, but Russia is. 

Israel has said in the past that it would voluntarily adopt its Wassenaar controls, but there is some question as to whether that has really happened. Researchers have discovered dozens of instances in which Pegasus spyware was placed on dissent phones. Pegasus was developed by the Israeli NSO Group. 

Back in August, the Citizen Lab at the Munk School of Public Affairs and Global Policy discovered that the iPhones of nine Bahraini activists were successfully hacked with NSO Group’s Pegasus spyware between June 2020 and February 2021. Pegasus is also thought to have been used to secretly target the smartphones of the two women closest to murdered Saudi columnist Jamal Khashoggi. NSO has denied its software is being used in this way.

The new Commerce Department rule builds on other technology-related export controls the Biden administration has put in place in recent months. Back in March, the administration restricted the export of advanced semiconductors and encryption software to China and Russia on national security grounds. Then a month later, the administration slapped seven Chinese firms and government labs with U.S. export controls for allegedly helping China build supercomputers needed to  develop nuclear and other advanced military weapons.

Commerce has given the public 45 days to comment on the rule announced Wednesday. The agency will have another 45 days to tinker with the new export regulations before they become final.

Dina Temple-Raston is a senior correspondent at The Record, and previously served on NPR's Investigations team focusing on breaking news stories about national security, technology, and social justice.