After a slew of hacking scandals involving private surveillance companies, the U.S. is looking to impose new restrictions on the sale of commercial hacking tools—in the hopes of clamping down on abuse perpetrated by the industry.
On Wednesday, the Commerce Department announced a rule change that will put new limitations on the resale or export of “certain items that can be used for malicious cyber activities.” This applies to tools used to infiltrate digital systems and conduct surveillance—such as the notorious commercial spyware, Pegasus—as well as other hacking and “intrusion” software, the Washington Post first reported. The rule, which has reportedly been in development for years, will be put into effect in 90 days.
While the intricacies of the new 65-page rule are somewhat thorny, the biggest result is a new license requirement for American companies that want to sell hacking tools to countries “of national security or weapons of mass destruction concern,” as well as to “countries subject to a U.S. arms embargo,” the Commerce Department’s announcement says. Roughly translated, this means that America’s biggest geopolitical rivals—namely, Russia and China—are on that list, along with a few others. Firms that wish to sell hacking tools to those countries will now have to acquire a special license from the Commerce Department’s Bureau of Industry and Security. Requests for such licenses will be reviewed on an individual basis to determine whether they are appropriate.
“The United States Government opposes the misuse of technology to abuse human rights or conduct other malicious cyber activities, and these new rules will help ensure that U.S. companies are not fueling authoritarian practices,” the announcement states.
The new changes, while apparently long percolating, come on the heels of multiple, high-profile hacking scandals that have threatened human rights and involve malicious cyber activities. Most prominently, the spyware firm NSO Group has been at the center of ongoing controversy, spurred by the publication of a large journalistic investigation detailing the extent to which its malware has been used to hack journalists, politicians, and human rights activists throughout the globe. NSO has reportedly sold its services to governments all over the world—a number of which have poor human rights records and use the firm’s malware to spy on dissidents and critics.
In September, another scandal arose after three former U.S. intelligence operatives admitted to hacking U.S. computer systems at the behest of DarkMatter, a Middle Eastern cybersecurity company working for the United Arab Emirates government. The incident inspired proposed rule changes that would make it harder for former intelligence operatives to work for foreign governments.
U.S. Secretary of Commerce Gina Raimondo said in a statement that the rule was designed to limit “malicious” cyber activity while protecting “legitimate” uses of the technology.
“The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights,” Raimondo said. “The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities.”