US Dept. Of Commerce Clamps Down On Sales Of Commercial Hacking Tools

It’s not only criminal hacking enterprises people have to worry about these days. After all, threat actors aren’t all made from the same mold. So, let’s rehash what a threat actor is.


It’s defined as a malicious actor, which can be a person or entity responsible for causing an incident that impairs or has the ability to impair the safety or security of another entity. The definition leaves room for a broader interpretation, and for good reasons.


For instance, earlier this year, scandals arose revolving around the NSO Group, an Israeli-based cybersecurity company, due to the scope of the usage of their private spyware, Pegasus.


This sophisticated piece of malware is capable of viewing text messages, call tracking, password grabbing, GPS tracking, enabling the device’s microphone and camera functions, as well as collecting data from other apps on iOS and Android devices.


According to an investigation conducted by The Washington Post together with 16 other news agencies, the military-grade malware was found to have been used to gain unauthorized access to 37 smartphones belonging to human rights activists, reporters, and business executives.


This wasn’t the only private surveillance company making waves in headline news because of its abusive practices, and it apparently won’t be the last.


Because the private spyware industry is largely unregulated with little to no consequences for their unethical and sometimes criminal business ventures, the US Commerce Department announced in October that it will be placing restrictions on the sales of “certain items that can be used for malicious cyber activities.”

Authorities, as well as members of the cybersecurity industry, aren’t only having to contend with the sophisticated malware being churned out by cybercriminals. Not when private surveillance firms have found themselves on the proverbial list of actors selling their powerful military-grade hacking spyware to foreign powers who use it for wanton abuse.


Regulation In The Age Of Digital Surveillance


The rule is set to be in effect within 90 days and will affect American firms seeking to sell military-grade hacking software to foreign nations, specifically Russia and China. It will change how private US companies engage in commercial sales of any kind of hacking tools designed to penetrate digital devices for the purpose of conducting surveillance.


The new restrictions don’t only subject private companies to certain restrictions, but also include what is described as a "government end-user." Namely, those of foreign powers that pose a threat to national security or those that are subject to arms sanctions.


Additionally, the Bureau of Industry and Security (BIS) published an interim finale rule, which establishes commercial control over exports, reexports, or in-country transfers of certain items that have the ability to be used for malicious purposes.


This new rule establishes what is called the License Exception Authorized Cybersecurity Exports (ACE). The BIS also asks public comments to open discussion on the possible impact caused by the new regulatory controls on US industries and the cybersecurity community.


End-Use Restrictions


The legalese involved is a bit dense, but it can be broken down a bit. The License Exception ACE would enforce an end-use restriction in the event where the entity transferring the software to the purchaser knows or has reason to know at the time of the transfer that the "cybersecurity item" is going to be used in a malicious way.

The language involved is very specific to what constitutes violations of confidentiality and unauthorized access to information systems, as well as the impairment of information stored on those systems.


The terms involved directly challenge the overreaching scope of the usage of cybersecurity products like Pegasus. US Companies seeking to engage in the sales of products of this nature to foreign powers will have to meet certain criteria to ensure they are not knowingly selling a product that is going to be turned against the United States.


According to the announcement, in order to sell hacking software to countries “of national security or weapons of mass destruction concern,” as well as to “countries subject to a US arms embargo,” private companies will be required to acquire a license from the BIS, a sector of the Department of Commerce. Requests for a license will be reviewed and decided on an individual basis.


It is no surprise that the spy business is a highly profitable economy. However, checks and balances systems must exist to ensure such technology isn’t abused, especially when sold or exported to foreign powers that may use it to harm US infrastructure.


An article by

Jesse McGraw


Edited by

Ana Alexandre


Like this content? Subscribe to our newsletter to get weekly cybersecurity insights and top news - straight to your mailbox!


22 views0 comments