The U.S. Department of Commerce announced today that it will begin tightening controls on the sale of hacking tools and surveillance software to countries that might pose a national security threat.

The Bureau of Industry and Security issued an interim rule which will put “controls on the export, re-export or transfer (in-country) of certain items that can be used for malicious cyber activities.” The department said such tools can lead to human rights abuses when in the hands of authoritarian governments.

This will mean U.S. companies will require a license to export such items to countries that pose a “national security” threat or have “weapons of mass destruction” – including Russia and China. It will go into effect in the next 90 days.

The government has been working for years on implementing such a rule. Concerns have been aired in the past regarding if such a rule might negatively effective legitimate cybersecurity research, although the Commerce Department said it has now been finalized after it “conducted extensive outreach with the security industry, financial institutions, and government agencies that manage cybersecurity.” Nonetheless, there will be a 45-day period in which it will accept comments.

“We’re trying to walk the line between not impairing legitimate cybersecurity collaboration across borders, but trying to make sure these pieces of hardware and software technology aren’t obtained and used by repressive governments,” an official at the department told the Washington Post.

An example of such software is the “Pegasus” malware created by Israel’s NSO Group Technologies Ltd. and later sold to governments all over the world. Called by some the most powerful piece of spyware ever created, it was used to hack journalists, politicians, lawyers, and pretty much anyone a shady government deemed a threat. The U.S. doesn’t want its own software falling into the wrong hands and causing a mess like that.

“The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights,” Secretary of Commerce Gina Raimondo said in a statement. “The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities.”

Photo: U.S. Department of Commerce/Facebook