From now on, if you find a vulnerability, don't tell China!
2022-06-27 10:12:00 【Hollis Chuang】
Source: Xinzhiyuan (新智元)
I came across a piece of news involving the cybersecurity industry and wanted to share it with you.
In recent days, the U.S. Department of Commerce's Bureau of Industry and Security (BIS) officially released its latest export control regulation in the field of cybersecurity.
Yes, that is the same BIS that publishes the 「Entity List」 and the 「trade blacklist」! Over the years it has become something of an 「old friend of Chinese netizens」.
What is it this time? Mainly controls on cybersecurity and vulnerability information.
Simply put, when U.S. entities cooperate with organizations and individuals related to the Chinese government and find security vulnerabilities or related information, they cannot publish it directly; it must first be reviewed by the Department of Commerce.
The stated reason is, once again, the tried-and-tested 「national security」, along with 「counter-terrorism needs」.

In fact, the new regulation announced this time is the final confirmation of the interim regulation (draft for comment) of October 2021. It divides the world's countries into four groups, A, B, D and E, with the restrictions and their strictness increasing from one group to the next.
China is placed in group D, the 「restricted countries and regions」; group E is the 「comprehensively embargoed countries」.
The regulation establishes new controls on certain cybersecurity items, citing 「national security and counter-terrorism considerations」.
At the same time, BIS has added a new license exception authorizing cybersecurity exports. Its core content is to authorize the export of these cybersecurity items to most destinations, but not in the excepted cases mentioned above.
BIS believes these controlled items could be used for surveillance, espionage, or other acts aimed at disruption.
In addition, the regulation amends the Export Control Classification Numbers in the Commerce Control List.

BIS's new rules divide the world into four groups, A, B, D and E, of which group D is the restricted countries and regions of greatest concern.
As shown in the figure above, China is placed in group D.
Under the new regulation, when an entity cooperates with relevant government departments or individuals of group D countries and regions such as China, it must apply in advance; only after obtaining a license may potential network vulnerability information be sent across the border.
Of course, the rule has exceptions: for legitimate cybersecurity purposes, such as public disclosure of vulnerabilities or incident response, there is no need to apply in advance.
As you can see, China is marked with an × in all four columns: national security, chemical and biological, missile technology, and U.S. arms embargo.
The document states that the license requirement for individuals acting on behalf of a government is necessary to prevent persons acting on behalf of group D governments from obtaining 「cybersecurity items」 for activities that violate the national security and foreign policy interests of the United States.

Without this requirement, the governments of group D countries might gain access to these items.
With BIS adopting this requirement, exporters must in some cases check the government affiliation of the individuals and companies they cooperate with.
However, because the scope and applicability of the license requirement are limited, BIS believes it will protect the national security and foreign policy interests of the United States without unduly affecting legitimate cybersecurity activities.
At the same time, BIS has also amended § 740.22(c)(2)(i), which in effect widens the scope of the exception.

The current text allows the export of digital products to group D countries, or the export of any cybersecurity item to the police or judiciary of group D countries.
However, BIS in fact intended only to allow digital products to be exported to the police or judiciary of group D countries for the purpose of criminal or civil investigation or prosecution.
It can be said that these changes reflect the expected comments.
Microsoft objects, to no avail!
On this new BIS regulation, the technology giants inside the United States are not of one mind; software giant Microsoft has made its objection clear.
As early as last year, after the draft for comment was released, Microsoft submitted its objection in the comments section in the form of written comments.

Microsoft said that if individuals and entities involved in cybersecurity activities are restricted because of their association with a government, it will greatly suppress the routine cybersecurity activities currently carried out across the global cybersecurity market.
In many cases, when it is impossible to determine whether the other party is related to a government, companies facing compliance pressure can only give up the cooperation.

Microsoft's opposition is not surprising .
The current vulnerability-sharing mechanism is very important to Microsoft's software development ecosystem. Microsoft often needs to analyze vulnerabilities through reverse engineering and other techniques in order to release the relevant patches and upgrades; once the vulnerability-sharing mechanism is broken, the speed at which Microsoft discovers and fixes vulnerabilities will fall directly.
Microsoft proposed that BIS further define 「government end users」, or at least clarify which individuals or entities may be covered by this definition.
When BIS issued the final decision on this regulation, it mentioned Microsoft's objections, though without naming the company, and said 「BIS disagrees with this opinion」.
BIS states in the document:
「Some companies said that the restrictions on persons who are 'government end users' will hinder cross-border cooperation with cybersecurity personnel, because before communicating with these people one has to check whether they have ties to a government. The company proposes to remove or modify this requirement. BIS disagrees with this proposal.」
Compared with the draft for comment released in October of last year, the final decision released last week has not changed significantly.
However, the regulation adopts some opinions of the research community: the scope of security vulnerabilities subject to review has been further narrowed, and a temporary exception clause has been added.
Namely: for legitimate cybersecurity purposes, such as public disclosure of vulnerabilities or response to security incidents, no review is required.

To a large extent, this exception creates the conditions needed for the open source community to operate normally.
While thanking BIS for modifying the rules, Microsoft also said it is uncertain whether the exception will solve the practical problem.
「What may be disclosed directly and what may not is still in a state of confusion. Which activities require a license is still uncertain at this stage. We are worried that, for technologies that cannot be completely classified into a specific use category, license applications could be very cumbersome.」
BIS acknowledged Microsoft's concerns, but at the same time insisted that the regulation has more advantages than disadvantages for the national security of the United States.
Different tune, same effect as the 「Wassenaar Arrangement」
In fact, as early as October 2021, BIS released provisions 「prohibiting the export of offensive cyber tools」, barring U.S. entities from selling offensive cyber tools to China and Russia.

U.S. Secretary of Commerce Gina Raimondo said: 「Imposing export controls on certain cybersecurity items is an appropriate approach that protects the national security of the United States against malicious cyber activity while ensuring legitimate cybersecurity activities.」
BIS further stated that the current rules also fall within the framework of the 「Wassenaar Arrangement」, that is, the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.

The Wassenaar Arrangement provides that member states decide at their own discretion whether to issue export licenses for sensitive dual-use products and technologies, and inform the other members of relevant information on a voluntary basis.
In practice, the arrangement is to a large extent controlled by the United States, and it also influences the export control regulations of other member states; it has become an important tool for the West to maintain a high-tech monopoly against China.
The arrangement governs export policy for 「military and dual-use technologies」 and has 42 participating states, including the United States, Britain, France, Germany, Japan and other major developed countries. Although Russia is also a participating state, it is still one of the targets of the embargo.