On Nov. 4, the Commerce Department added four companies to the Entity List after concluding that their cyber
activities were harmful to the national security of the United
States. The action reflects the U.S. government’s accelerated
efforts to target companies and individuals that provide offensive
cyber services or exploits to certain foreign governments and
foreign companies for uses that violate human rights. The listings
also demonstrate the U.S. government’s willingness to adapt
existing national security tools to address new priorities and
highlight a key trend in the Biden administration-treating
intelligence collection operations as a potential national security
threat.
In explaining its listing decision, the Commerce Department cited “investigative information”
allegedly showing that Israeli companies NSO Group and Candiru
developed and supplied spyware to foreign governments that used the
tools to target government officials, journalists, activists and
academics. Third-party reports describe some of the malicious
activity, including one university laboratory group that concluded that foreign governments’ use of
Candiru’s spyware infrastructure harmed at least 100 people,
including human rights defenders, dissidents, journalists and
activists. Another group, a global consortium of news
organizations, determined that foreign governments misused
NSO’s Pegasus spyware to hack dozens of private smartphones
belonging to journalists, activists and persons close to Jamal
Khashoggi, the murdered Saudi journalist.
With respect to the other two listed entities, Positive
Technologies (a Russian company) and Computer Security Initiative
Consultancy (a Singaporean company), the Commerce Department
asserted that they had trafficked in cyber exploits used to gain
access to information systems, threatening the privacy and security
of individuals and organizations across the globe. Positive
Technologies was also recently sanctioned pursuant to an executive order to counter malicious cyber
activities by the Russian government.
Designating a company on the Entity List, which is administered
by the Commerce Department’s Bureau of Industry and Security,
can cripple a company because it empowers the U.S. government to
restrict parties from accessing U.S.-origin products or technology.
In effect, a company on the Entity List is banned from directly or
indirectly obtaining items subject to the Export Administration Regulations (such as
telecommunications equipment) without U.S. government approval. The
Entity List provides specific license requirements for
each listed entity, typically requiring that the entity obtain a
license to access every item subject to the Export Administration
Regulations. In addition, parties to transactions involving
companies on the Entity List cannot rely on general license exceptions.
Historically, the U.S. government viewed the Entity List
principally as an instrument to penalize parties that had violated
or were suspected of violating export control, proliferation or
sanctions authorities. However, the Entity List grants the U.S. government the authority to
list an entity for which there is “reasonable cause to believe
… that the entity has been involved … in activities that are
contrary to the national security or foreign policy interests of
the United States.” During the Obama administration, the U.S.
government leaned on the broad language in 15 CFR § 744 to
target an expanded range of companies for conduct it perceived as
threatening U.S. national security and foreign policy interests. In
2016, the Bureau of Industry and Security added ZTE Corporation and
affiliates to the Entity List, signaling a shift in the
government’s willingness to designate large, multinational
corporations to mitigate broader national security threats and
further policy goals. Although ZTE has since been removed from the
Entity List, this trend escalated in 2019 when the Bureau of
Industry and Security added Huawei Technologies and hundreds of its
affiliates to the Entity List, where they remain today.
More recently, the U……..