Biden administration has prohibited the supply of hacking tools to China and Russia

In an effort to combat human rights violations and other negative cyber activities, the US Department of Commerce has stated that it will prohibit the export of hacking tools to authoritarian countries.

The rule, first reported by The Washington Post and later confirmed by the Commerce Department, effectively prohibits the export or resale of hacking software and equipment to China, Russia, and other countries of concern without a licence from the Commerce Department’s Bureau of Industry and Security for national security reasons (BIS).

The move comes after the Biden administration restricted the export of U.S. technologies to China and Russia in March, as part of a hard-line national security approach toward the two countries. These technologies include advanced semiconductors and software that uses encryption for information security.

The new sanctions will take effect in 90 days and will cover software like Pegasus, which was developed by Israeli firm NSO Group and has been used by several authoritarian governments to hack into the phones of their most outspoken critics, including journalists, activists, politicians, and business executives.

Software designed for cyber defence is excluded from the need for an export licence, since the new regulation will not hinder U.S.-based cybersecurity experts from working with peers overseas or exposing defects to software producers. When the Bureau of Industry and Security originally published a draught regulation in 2015, it got almost 300 comments expressing “significant concerns” about the impact it would have on legitimate cybersecurity research and incident response efforts.

The regulation aligns the United States with the Wassenaar Arrangement, which establishes voluntary export control rules for military and dual-use technologies and includes 42 European states and allies.

“The US is committed to working with our multilateral partners to prevent the proliferation of certain technologies that can be exploited for harmful actions that endanger cybersecurity and human rights,” Commerce Secretary Gina M. Raimondo stated. “The Commerce Department’s interim final rule placing export limits on some cybersecurity products is a properly targeted approach that protects America’s national security while assuring lawful cybersecurity operations,” according to the statement.

The Commerce Department, which was one of the first victims of the Russia-linked SolarWinds breach last year, is allowing the public 45 days to comment on the regulation, asking for feedback on the possible cost of compliance as well as any potential implications on legitimate cybersecurity operations. Before the regulation becomes final, the government will have another 45 days to make modifications.