U.S. moves to control sales of hacking tools abroad

By Christopher Bing

(Reuters) - The U.S. Commerce Department on Wednesday announced new rules intended to curb the sale of offensive cybersecurity products to some countries with "authoritarian" practices, according to a Federal Register submission.

U.S. companies and any company that sells U.S.-made cyber software will need a license when selling hacking tools to certain foreign governments or any buyers, including middlemen, located in Russia or China.

"The United States Government opposes the misuse of technology to abuse human rights or conduct other malicious cyber activities, and these new rules will help ensure that U.S. companies are not fueling authoritarian practices," the Commerce Department said in a statement.

A license would be required for sales to foreign governments that are categorized as "countries of national security or weapons of mass destruction concern," or which are already subject to an arms embargo.

Historically, U.S. companies were already required to seek a license from the federal government when selling sensitive encryption technologies or communication interception systems abroad.

"These items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it," a summary of the new rules in the Federal Register states.

Experts say it is difficult to regulate this market because of how the industry categorizes offensive and defensive cybersecurity products.

Depending on how a certain defensive tool is deployed or re-engineered, it can be potentially transformed into a surveillance capability.

The United States is a leader in the sale of cybersecurity products, alongside Israel.

"The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights," U.S. Secretary of Commerce Gina Raimondo said in a statement.

The rules will become final in 90 days, following a public comment period.

The announcement follows charges by the U.S. Justice Department against three former U.S. intelligence community officials who offered hacking services to the United Arab Emirates government, helping it spy on dissidents and geopolitical rivals. The three men worked for a Maryland defense contractor before joining a local Emirati company.

The Biden administration has instituted a series of new cybersecurity regulations to help protect critical infrastructure, like gas pipelines and transportation hubs, from being attacked by hackers. But the rules announced on Wednesday are among the most consequential concerning the export of American cyber technologies abroad.

(Reporting by Christopher Bing; Editing by Paul Simao)