The U.S. Department of Commerce announced a new rule on Wednesday, placing controls on exports of items that could be used for surveillance, espionage or other actions. The rule will go into effect in 90 days and is intended to stymie the sale of hacking tools to China, Russia and other countries.
According to the Washington Post, these tools would include software like Pegasus, the military-grade spyware sold by the Israel firm NSO Group to governments around the world, which the Washington Post and a consortium of media partners reported on for The Pegasus Project.
Once the rule is enacted, organizations would need a license from the Bureau of Industry and Security in order to sell software or equipment that could be used for hacking purposes in China or Russia.
But Commerce did try to strike a balance so as not to inhibit cybersecurity efforts in some countries. For instance, according to the Post, licenses would be required for so-called "intrusion software" sold to governments in Israel, the United Arab Emirates or Saudi Arabia. But software intended for cyber defense sold to non-governmental actors in those places would not require a license. However, sending any such software to China or Russia, whether the purchaser is a government entity or not, would require a license.
The ultimate goal of the rule is to balance the need for software and equipment globally with the protections necessary to prevent malicious activity.
According to one senior official interviewed by the Washington Post, the Department is "trying to walk the line between not impairing legitimate cybersecurity collaboration across borders, but trying to make sure these pieces of hardware and software technology aren't obtained and used by repressive governments."