New US rules on spyware exports try to limit surveillance tech like Pegasus

The Washington Post reports that the US Department of Commerce has announced a new rule to stop hacking tools being sold to Russia and China. In a press release, the Commerce Department explained Wednesday's changes. The rule requires US companies to obtain a license to sell spyware or other hacking software to countries that are of national security concern or have weapons of mass destruction.
This rule is complicated and deliberately so. A license is required for a US company to export spyware to any government that could pose a national security threat. A license is not required if the software is used for cyber defense only and not sold to government personnel. According to The Post, companies will require a license in order to export hacking equipment and software to China, Russia and other countries, regardless of whether they are using it for cyber defense.

The United States will work with multilateral partners to stop the spread of certain technologies.

Gina M. Raimondo (US Secretary of Commerce) stated that the United States is committed to working with multilateral partners to prevent the spread of technologies that could be used to harm cybersecurity or human rights.

This rule will take effect in January and is intended to target tools and software such as Pegasus. The intrusive software was developed by NSO Group in Israel and used by governments to spy on the smartphones of journalists and human rights activists. It can steal data from mobile phones, and even turn on a device's mic, all without being noticed.

The US is a member of the Wassenaar Arrangement, which sets rules for the export of dual-use technology. However, it is the last participating country to impose restrictions on sales of hacking tools. According to security officials speaking to The Post, the US took so much time to create the rule because of its complexity. If done incorrectly, this could hinder cybersecurity experts from working with others.

The Department of Commerce will allow public comment for 45 days, and then take 45 days to make any further changes before the official implementation.