BIS Expands Controls on Biotechnology Software and Cybersecurity Items

Key Takeaways

• The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) recently amended the Export Administration Regulations (EAR) (effective October 5, 2021) to apply export controls to certain nucleic acid assembler and synthesizer software, and technology used to develop that software.
• On October 21, 2021, BIS also released an interim final rule establishing controls on export, re-export, and transfer (in-country) of certain items that can be used for malicious cyber activities, while also creating a new license exception to allow for the export of “cybersecurity items” to many destinations.
• These updates are part of continuing efforts to add emerging technologies to the Commerce Control List (CCL), pursuant to the Export Control Reform Act of 2018 (ECRA), as well as to align U.S. export controls with multi-lateral export control regimes.
• There are CFIUS filing implications for foreign entities seeking to invest in U.S. companies which produce, design, or develop these national-security sensitive technologies and products.

New Controls on Biotechnology Software and Technology

Effective October 5, 2021, BIS published a final rule which amended the EAR by adding new Export Control Classification Number (ECCN) 2D352, which controls “software” designed for nucleic acid assemblers and synthesizers that is capable of designing and building functional genetic elements from digital sequence data. The nucleic acid assemblers and synthesizers that utilize the subject software were already controlled by ECCN 2B352.j. This rule also amends existing ECCN 2E001 to extend control over “technology” for the “development” of this software.

Section 1758 of ECRA authorizes BIS to establish controls on the export, re-export, and transfer of emerging and foundational technologies, which are those technologies essential to the national security of the United States. An advance notice of public rulemaking published on November 19, 2018 identified biotechnology as one of the technology categories of concern to BIS. As discussed in the proposed rule released on November 6, 2020, BIS had determined that this biotechnology software is capable of being utilized in the production of toxins and pathogens and could be exploited for biological weapons purposes, therefore requiring export controls. The Australia Group, a multi-lateral forum consisting of 42 countries and the European Union, finalized a decision in August 2021 to add this type of software to its biological equipment control list, aligning U.S. and multilateral export controls.

This software, as controlled under new ECCN 2D352, requires export authorization for chemical and biological weapons (“CB”) reasons and anti-terrorism (“AT”) reasons, which places restrictions on export to many countries, with the exception of certain allied countries. It is important to note that this includes “deemed exports” or the release of controlled technology to a foreign person in the U.S. This new licensing requirement may impact companies, research institutions and universities which export this software and related development technology or have foreign national employees or students who have access to this software and technology.

The final rule included a “savings clause” whereby shipments of items removed from eligibility for export using a license exception or as “no license required” by the rule that were on route for export (i.e., on dock for loading, en route aboard a carrier to a port of export) on October 5, 2021 may proceed so long as they are exported, re-exported, or transferred (in-country) before December 6, 2021.

Control of Items that Could Be Used for Malicious Cyber Activities and New License Exception ACE

BIS published an interim final rule on October 21, 2021, creating new ECCNs and licensing requirements for “cybersecurity items” and “IP network communications surveillance systems or equipment.” BIS has determined these items warrant control as they could be used for “surveillance, espionage or other actions that disrupt, deny or degrade” networks and devices on networks. The rule also creates a new license exception, Authorized Cybersecurity Exports (ACE), which authorizes exports of these items to most destinations except in certain circumstances. This rule becomes effective on January 19, 2022.

This rule outlines the progress the U.S. has made in export controls related to cybersecurity items; the Wassenaar Arrangement (WA) added cybersecurity items to the WA list in 2013 and BIS published a proposed rule addressing these new controls in 2015. That proposed rule generated almost 300 comments raising concerns about the rule’s scope and impact, which prompted a return to the WA to renegotiate the controls. BIS views this new rule as implementing the WA’s previous decisions while also addressing industry concerns.

The EAR will now include new ECCNs covering “cybersecurity items,” which are defined in Part 740.22, and include systems, equipment, components (ECCN 4A005), software (ECCN 4D004) and technology (ECCN 4E001.c) that are “specially designed” or modified for the generation, command and control, or delivery of “intrusion software.” The existing definition of “intrusion software” located in Part 772 of the EAR applies to these new ECCNs. There are notes within these ECCNs that provide carve-outs for software specially designed and limited to providing basic upgrades and updates and for ‘‘vulnerability disclosure’’ or ‘‘cyber incident response,’’ and these terms have also been added to Part 772 of the EAR.

The rule also adds new ECCN 5A001.j for certain IP network communications surveillance systems or equipment and “specially designed” components for those systems or equipment. “Cybersecurity items” also include related telecommunications equipment under ECCN 5B001.a.

The interim rule recognizes that there is overlap between the new controls and existing Category 5 – Part 2 of the EAR (“Information Security”). Specifically, when a “cybersecurity item” incorporates functionality specified in ECCNs 5A002.a, 5A004.a, 5A004.b, 5D002.c.1, or 5D002.c.3, under the new rule these existing Category 5 ECCNs will prevail provided the controlled “information security” functionality is present and usable within the end item or software. Items subject to the EAR which are currently controlled for Surreptitious Listening (“SL”) reasons under another ECCN not added by this rule will remain under the SL controls.

New license exception ACE will appear in section 740.22 of the EAR and will allow the export, re-export, and transfer (in-country) of “cybersecurity items” to most destinations except those listed in Country Groups E:1 and E:2 of Supplement 1 to Part 740. The license exception does include end user restrictions; restricted end users include “government end users” (as defined in 740.22) of any country listed in Country Group D:1, D:2, D:3, D:4 or D:5, or non-government end users located in a country listed in Country Group D:1 or D:5. There are exceptions to the government end user restrictions; for example, for Cyprus, Israel, and Taiwan the restriction would not apply to “digital artifacts” related to cybersecurity incidents involving information systems owned or operated by certain defined end users, or to police or judicial bodies listed in certain country groups for purposes of investigations or prosecutions of such cybersecurity incidents. Any entity applying ACE to a transaction should closely review the end user restrictions and available carve-outs.

License Exception ACE also includes an end-use restriction, where use of the exception is not authorized if the exporter knows or has reason to know, at the time of export, that the “cybersecurity item” will be used to affect the integrity, availability or confidentiality of information or information systems, without authorization by the owner, operator, or administrator of the system.

BIS has published a set of cyber rules Frequently Asked Questions, to address questions related to cybersecurity items, exploits, application of License Exception ACE and other related topics.

Relationship with CFIUS Requirements

Under the Foreign Investment Risk Review Modernization Act (FIRRMA), the jurisdiction of the Committee on Foreign Investment in the United States (CFIUS) was expanded to include review of certain investments in U.S. businesses engaged in “critical technologies.” A CFIUS filing is mandatory for certain transactions involving investment by foreign persons in U.S. businesses that produce, design, test, manufacture, fabricate or develop one or more of these critical technologies, for which a “U.S. regulatory authorization” is required to export, re-export, transfer (in-country) or retransfer that technology. Essentially, the determination of whether a CFIUS filing is required in connection with a foreign investment in a U.S. business engaged in “critical technologies” is dependent on whether a U.S. export authorization would be required to export that critical technology to the foreign persons involved in the investment.

The addition of ECCN 2D352 and the “cybersecurity items” ECCNs creates a mandatory CFIUS filing requirement for certain investments by foreign persons in a U.S. business engaged in the production, design, and/or development of the items controlled in these new ECCNs. These regulatory changes reflect a broader initiative by the U.S. Government to scrutinize exports and foreign investment relating to national security-sensitive technologies.

How Ankura Can Help

• Build and Enhance Export Compliance Programs – We are recognized thought leaders who have helped numerous clients design and successfully implement tailored, effective, data-driven export control compliance programs, as well as review and validate existing export control programs to ensure such programs are functioning effectively and efficiently in light of dynamic business and regulatory requirements. Our unique, multidisciplinary perspective and expertise was earned through decades of cumulative experience in law firms, large and small companies, and in the US government. This allows us to design and deploy efficient, right-sized compliance programs in strategic stages.
• Provide Export Classification and Licensing Assistance – The Ankura team routinely advises clients on specific export jurisdiction, classification, and licensing matters. We have helped our clients efficiently classify large catalogs of products and technology and understand associated export restrictions and licensing implications. Our experts also help clients engage the U.S. government on “bet the company” classification and licensing matters.
• Assist Companies and Counsel Review Cross-Border Investment and Acquisition Transactions for Potential CFIUS Implications - Ankura’s experts are uniquely positioned to assist transaction parties and counsel to quickly conduct diligence on transaction parties and the target’s business activities to facilitate analysis and decisions regarding CFIUS and FIRRMA regulatory requirements. Ankura has particular technical expertise assisting clients and counsel to determine whether a proposed transaction is subject to FIRRMA critical technologies controls.

© Copyright 2021. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.