Menu Home

Another arrow in the quiver: Entity List gets additions for cyber activities

From the State Department:

The United States Adds Foreign Companies to Entity List for Malicious Cyber Activities

MEDIA NOTE

OFFICE OF THE SPOKESPERSON

NOVEMBER 3, 2021Share

Today, the U.S. Government added four foreign companies to the Entity List for engaging in activities contrary to the national security or foreign policy interests of the United States. The four entities are Candiru, NSO Group, Computer Security Initiative Consultancy PTE (COSEINC), and Positive Technologies.

We are not taking action against countries or governments where these entities are located.

These additions follow an October 2021 interim final rule published by the Department of Commerce establishing controls of certain items that can be used for malicious cyber activities; that rule implements decisions taken by the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.

NSO Group and Candiru were added to the Entity List based on a determination that they developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.

Positive Technologies and COSEINC were added to the Entity List based on a determination that they misuse and traffic cyber tools that are used to gain unauthorized access to information systems in ways that are contrary to the national security or foreign policy of the United States, threatening the privacy and security of individuals and organizations worldwide.

As part of its commitment to put human rights at the center of U.S. foreign policy, the Biden-Harris Administration is working to stop the proliferation and misuse of digital tools used for repression. This effort is aimed at improving citizens’ digital security, combating cyber threats, and mitigating unlawful surveillance.

The Entity List is a tool used by the Department of Commerce Bureau of Industry and Security (BIS) to restrict the export, re-export, and in-country transfer of items subject to the Export Administration Regulations (EAR) to persons – individuals, organizations, and/or companies – reasonably believed to be involved, have been involved, or pose a significant risk to being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States.

And from Commerce (who actually made the designations):

Commerce Adds NSO Group and Other Foreign Companies to Entity List for Malicious Cyber Activities

FOR IMMEDIATE RELEASEWednesday, November 3, 2021

Office of Public Affairs

publicaffairs@doc.gov

The Commerce Department’s Bureau of Industry and Security (BIS) has released a final rule adding four foreign companies to the Entity List for engaging in activities that are contrary to the national security or foreign policy interests of the United States. The four entities are located in Israel, Russia, and Singapore.

NSO Group and Candiru (Israel) were added to the Entity List based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.  These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent.  Such practices threaten the rules-based international order.  

Positive Technologies (Russia), and Computer Security Initiative Consultancy PTE. LTD. (Singapore) were added to the Entity List based on a determination that they traffic in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organizations worldwide. 

U.S. Secretary of Commerce Gina M. Raimondo released the following statement: “The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad.”

The End-User Review Committee (ERC) which is chaired by the Department of Commerce and includes the Departments of Defense, State, Energy, and where appropriate, Treasury, determined that the conduct of these four entities raises sufficient concerns to place them on the Entity List pursuant to § 744.11(b) of the Export Administration Regulations (EAR).

The Entity List is a tool utilized by BIS to restrict the export, reexport, and in-country transfer of items subject to the EAR to persons (individuals, organizations, companies) reasonably believed to be involved, have been involved, or pose a significant risk of being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States. For the four entities added to the Entity List in this final rule, BIS imposes a license requirement that applies to all items subject to the EAR.  In addition, no license exceptions are available for exports, reexports, or transfers (in-country) to the entities being added to the Entity List in this rule.  BIS imposes a license review policy of a presumption of denial for these entities. 

Today’s action is a part of the Biden-Harris Administration’s efforts to put human rights at the center of U.S. foreign policy, including by working to stem the proliferation of digital tools used for repression. This effort is aimed at improving citizens’ digital security, combatting cyber threats, and mitigating unlawful surveillance and follows a recent interim final rule released by the Commerce Department establishing controls on the export, reexport, or in-country transfer of certain items that can be used for malicious cyber activities.

Links:

State Department Press Release

Commerce Department Press Release

Categories: Bureau of Industry and Security (BIS) Updates Cyber sanctions Entity List Export Control

eric9to5

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: