Sophos Export Compliance

Sophos Compliance Overview

Sophos is committed to complying with the laws and regulations relating to export controls. As part of this compliance policy, Sophos agreements contain provisions requiring Sophos customers and partners to ensure compliance with these laws and regulations. In order to assist our customers and partners, Sophos uses this portion of its web site to communicate export control information specific to its products to our customers and partners. This information may be required for shipping documentation, record keeping, or post-shipment reporting.

Customers and partners are encouraged to familiarize themselves with the import regulations of their country to ensure compliance with their specific regulations and to ensure timely delivery of Sophos products they may purchase. As Business Partners, customers and partners are also expected to abide by relevant laws and regulations in all business transactions with Sophos. Sophos therefore requires that any party it conducts business with becomes familiar with, and ensures compliance with, U.S. and EU export regulations and the applicable export/import regulations of the countries in which it operates. Non-compliance with global trade regulations can subject Sophos and its Business Partners to criminal and civil penalties, the seizure of assets, and the denial of import or export privileges.

Any person or entity exporting or re-exporting Sophos products directly or indirectly and via any means, including electronic transfer, is wholly responsible for doing so in accordance with the U.S. Export Administration Regulations and the laws of host countries.

When exporting or re-exporting Sophos products (hardware, software and technology), U.S. export controls apply. It is your responsibility to ascertain your compliance obligations and ensure adherence both to U.S. export controls and to the controls of the country of actual export or re-export, whether the movement is tangible or intangible.

On occasion, Sophos will send communications to highlight important regulatory information to reinforce any related parties’ education on certain topics.

Sophos products may not be exported, in their entirety or in part, for (i) military purposes, or (ii) use in connection with the development, production, handling, operation, maintenance, storage, detection, identification or dissemination of chemical, biological or nuclear weapons, or other nuclear explosive devices, or the development, production, maintenance or storage of missiles capable of delivering such weapons.

Embargoes

An Embargo is a government order that restricts commerce or exchange with a specified country. An embargo is usually created as a result of unfavorable political or economic circumstances between nations. The restriction looks to isolate the country and create difficulties for its governing body, forcing it to act on the underlying issue.

Embargoes can take a number of forms, but the most relevant types of sanctions for businesses are financial sanctions and trade sanctions.

  • Financial sanctions generally involve asset-freeze measures affecting the provision of funds and economic resources to certain entities or individuals ('designated persons'). They may also include restrictions on the use of assets by designated persons, receipt and transfers of funds to particular types of persons - for example, Iranian nationals - and prohibitions on the provision of financing or financial assistance connected to designated persons and prohibited transactions.
  • Trade sanctions prohibit trade in certain goods from affected countries, usually arms and commodities such as oil, timber, gold and diamonds; and equipment for use in the nuclear, oil and gas or petrochemical sector. Activities related to such trade may be prohibited.

It is also prohibited to engage in any activities the object or effect of which is to circumvent sanctions. As a consequence, Sophos does not structure transactions to avoid international sanctions.

Breach of financial or trade sanctions law can result in the commission of a criminal offence punishable by imprisonment, a fine or both.

In order to avoid breaching embargoes, Sophos has a compliance program based around a robust policy on sanctions and comprehensive systems to implement the policy effectively.

This program includes

  • customer and transaction due diligence and screening against applicable financial sanctions target lists, including HM Treasury’s Consolidated List, and OFAC’s SDN List; along with other lists pre-defined by the business
  • assessing if equipment and products are on export control lists such as the UK's Strategic Export Control List and ensuring that all necessary licenses to export are obtained;
  • checking if goods are in any way restricted;
  • maintaining a list of countries which are subject to wider embargoes and ensuring that equipment, goods and services are not supplied to persons and entities in those countries, including via a third party distributor or otherwise indirectly, unless an exemption applies;
  • contractual controls, including sanctions exclusions and warranties;
  • training in policies and procedures; and
  • regular monitoring of transactions and periodic audits of sanctions compliance.

Current embargoes in operation that Sophos adheres to are:

  • Iran, North Korea, Cuba, Sudan (including South Sudan) & Syria

Please note that even though the EU has eased its Iran sanctions, U.S. enforcement remains in place. So even though Sophos is a UK limited company, because our products fall under the extraterritorial reach of U.S. export controls we still cannot permit any such exports or re-exports to Iran.

Sanctions

A trade sanction is a trade penalty imposed by one nation on one or more other nations. Sanctions can be unilateral, imposed by only one country on one other country, or multilateral, imposed by one or more countries on a number of different countries. Often allies will impose multilateral sanctions on their foes.

Their principal purpose is usually to change the behavior of the target country’s regimes, individuals or groups in a direction which will improve the situation in that country. All recent UN and EU sanctions contain information as to why they have been imposed and specify what their aim is.

The ultimate objective of a sanction varies according to the situation. For instance, an arms embargo and a ban on the export of certain items or raw materials could be aimed at supporting a peace process and restricting the financing of weapons by the combatants. Sanctions may also be aimed at preventing weapons from falling into the wrong hands, disrupting terrorist operations, or trying to change the policies and actions of the ‘target’.

  • The EU imposes sanctions to further its Common Foreign and Security Policy (CFSP) objectives. EU measures can also be imposed to uphold respect for human rights, democracy and the rule of law.
  • In addition to UN and EU sanctions, sanctions may be put in place by the Organization for Security and Co-operation in Europe, which can also impose arms embargoes.
  • The USA imposes sanctions through the Office of Foreign Assets Control ("OFAC") of the U.S. Department of the Treasury, which administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States.

USA Iran Sanctions

You may have heard in the news recently that sanctions have been lifted against Iran. What is less clear, however, is that there were two categories of sanctions related to Iran and, for all intents and purposes, despite the lifting, the allowable interactions for those considered a “U.S. Person” remain essentially the same.

The lifted sanctions went into effect on January 16, 2016 under the Joint Comprehensive Plan of Action (JCPOA), which was an agreement created to ensure a peaceful nuclear program in Iran and was agreed to by the U.S., U.K., E.U., China, France, Germany, Russia, and Iran. Known as “Implementation Day,” it marked the International Atomic Energy Agency’s (IAEA) verification that Iran implemented its nuclear related commitments under the JCPOA.

The general prohibition to engage in transactions with Iran remains virtually the same. On Implementation Day the U.S. lifted what are known as “secondary sanctions” and not what are commonly referred to as the “primary sanctions” which arose from the Iranian trade embargo declared back in 1995.

The primary sanctions broadly prohibit U.S. Persons from engaging in transactions or dealings with Iran or its government, as do the U.S. controls on the exportation or re-exportation of goods, technology and services pursuant to the Export Administration Regulations, among others. These remain in effect.

Crimea Sanctions

In response to the annexation of the Crimea region of Ukraine, please be aware that the restrictions on transactions with the Crimea region imposed by the United States and the European Union require Sophos and any related parties to cease transactions and communications with business partners and/or customers in the Crimea region.

Please click here for the Sophos business guidance note communicated to our Business Partners in this region in regard to this matter.

The following activities are expressly prohibited under the U.S. sanctions:

  • New investment in the Crimea region of Ukraine;
  • The importation, directly or indirectly, of any goods, services, or technology from the Crimea region of Ukraine;
  • The exportation, re-exportation, sale, or supply, directly or indirectly, of any goods, services, or technology to the Crimea region of Ukraine; and
  • Any approval, financing, facilitation, or guarantee of a transaction.

The scope of the restrictions includes the prohibition of any service or support for existing equipment in the Crimea region. Additionally, certain parties in Crimea have been added to the U.S. list of Specially Designated Nationals. U.S. license applications for exports, re-exports or transfers of EAR-regulated items will be subject to a presumption of denial, unless the item is covered by the Office of Foreign Assets Control’s (OFAC) General License No. 4, which covers medical supplies and related replacement parts.

The U.S. Department of Commerce known as the Bureau of Industry and Security (BIS) also amended the U.S. EAR to restrict the availability of License Exceptions for exports and re-exports to the Crimea region. U.S. license exception “ENC”, which is used for many Sophos products, may no longer be used for exports to Crimea.

Although the E.U. has not imposed a comprehensive embargo on Crimea and Sevastopol, trade and investment is severely curtailed, details on regulatory compliance are found here:

USA - http://www.treasury.gov/resource-center/sanctions/Programs/Pages/ukraine.aspx
EU - http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:JOL_2015_040_R_0003

Restricted Party Screening

Restricted party screening is a compliance control that prevents doing business with sanctioned governments, entities or individuals. Governments of various countries, as well as international organizations, e.g., United Nations, maintain a variety of lists of these types of entities. Screening means checking to see if an entity of interest to the organization appears on one or more of these lists. Depending on the nature of the list and transaction, it may be legally prohibited to engage in certain activities with listed entities.

Prohibited activities could include contracting with, selling to, shipping to, allowing download of software from a network, receiving payment from, making payment to, or conveying technology to prohibited/restricted parties. Additionally, as a matter of reputation and policy, Sophos may choose not to engage in certain transactions with listed entities, even if not legally prohibited.

In general, ‘denied persons’ do not have the privilege of making or participating in exports because they have violated export laws or regulations. Companies are prohibited from selling products/services to, or otherwise dealing with, a denied person in a transaction involving export or re-export of US-origin items.

The specific restrictions imposed on a ‘denied person’ vary.

EU Export Controls

Sophos products are subject to the EU dual-use export control regime, which is governed by Regulation (EC) No 428/2009 (hereunder "the Regulation"). The Regulation provides for common EU control rules, a common EU control list and harmonized policies, to which Sophos as a business must adhere.

Under the EU regime, the export of dual-use items is subject to control and dual-use items may not leave the EU customs territory without an export authorization. The requirement for an export authorization applies to dual-use items listed in the EU Control List, in Annex I to the Regulation.

The EU Control List is based on decisions adopted by the following international export control regimes:

  • Australia Group (AG)
  • Nuclear Suppliers Group (NSG)
  • Wassenaar Arrangement
  • Missile Technology Control Regime (MTCR)

Non-listed items may also be controlled under the so-called catch-all clause, under certain conditions, when there is reason to believe such items are intended for use in connection with a biological, chemical, nuclear weapons or ballistic missile weapons program, or for use in violation of an arms embargo.

EU Member States may exceptionally impose additional controls on non-listed dual-use items for reasons of public security or human rights consideration.

In specific cases, the export of dual-use items may be subject to additional EU restrictive measures (sanctions). Such restrictive measures currently apply with respect to trade of dual-use items with DPRK, Iran, and Syria.

The EU Regulation is binding and directly applicable throughout the EU.

Dual-Use products within the EU may be traded freely within the EU.

There are four types of export authorization in the EU export control regime: EU General Export Authorizations, national general export authorizations issued by a Member State, global licenses and individual licenses.

EU General Export Authorizations (EU GEAs) allow for the export of dual-use items to certain destinations under certain conditions. There are currently 6 EU GEAs in place:

  • Exports to Australia, Canada, Japan, New Zealand, Norway, Switzerland (including Liechtenstein) and United States of America
  • Export of certain dual-use items to certain destinations
  • Export after repair/replacement
  • Temporary export for exhibition or fair
  • Telecommunications
  • Chemicals

Global export control licenses are granted by national authorities to one exporter and may cover multiple items to multiple countries of destination or end users. Individual licenses are granted by national authorities to one exporter and cover exports of one or more dual-use items to one end-user or consignee in a third country.

UK Export Controls

Certain products have also been classified in accordance with UK export controls, and may be exported in accordance with the Community General Export Authorization (CGEA) and Open Individual Export Licenses (OIEL). Such restrictions apply when Sophos products are exported from the UK or by the Sophos UK entity or agreed EU Sophos entity as stated in the export license conditions.

All granted Sophos Open Individual Export Licenses are Dual Use which permits the export to commercial & government end users for controlled products per the agreed countries.
https://www.gov.uk/open-individual-export-licences

Click here to view the End User declaration that Sophos would request, for any tangible exports on controlled Sophos products from an EU jurisdiction.

The Sophos hardware listed below is a controlled product under the UK Strategic Export Control Lists and EU Council Regulation 428/2009.

Sophos controlled hardware classified 5A002, which may ship with loaded controlled software classified 5D002, is included on this strategic export control list. When shipping from the EU, such orders are held at export until the End User declaration has been completed, so that Sophos corporate compliance policy is adhered to.

  • Sophos Unified Threat Management Systems
  • Sophos Remote Ethernet Devices

Without preparation and submission of these forms, Sophos Ltd could lose its bulk or by country export license privileges, resulting in all future orders of encryption products requiring individual export licenses.

German Export Controls

The Sophos products are also classified in accordance with German export controls and may only be exported in accordance with the AGG16 and EU001 general licenses.

USA Export Controls

Sophos products are subject to US export regulations. In the United States, a branch of the U.S. Department of Commerce known as the Bureau of Industry and Security regulates exports through the Export Administration Regulations (EAR).

These regulations spell out the export restrictions on a wide variety of goods, software, and technologies. Sophos products may not be exported to Cuba, Iran, North Korea, Syria, or Sudan, but most products may be exported to other countries subject to the applicable import regulations of such country.

Some Sophos products are subject to export restrictions because they include encryption technology and are defined as ENC/Restricted. In the case of Sophos products containing encryption, a one-time government technical review is usually required prior to export. Once a review has been completed, products may become eligible for a particular license exception, such as ENC. This exception may then be used by other exporters, as provided by the U.S. EAR.

Civilian / Commercial End Users

ENC/Restricted products may be exported or re-exported to most civilian and commercial end users located in all territories, except embargoed destinations and countries designated as supporting terrorist activities. Countries listed in Part 746 of the EAR as embargoed destinations requiring a license are Cuba, Iran, North Korea, Sudan, and Syria.

Other specific government entities are also permitted under the ENC/Restricted license exception and are listed below:

  • Census and Statistics Services;
  • Civil Public Works Infrastructure Services (Construction, Maintenance, Repair, Regulation and Administration) as follows: Buildings, Public Transportation, Roads and Highways, Trucking;
  • Civil Service Administration and Regulation, including Human Resources and Personnel/Labor Management;
  • Clean Water Infrastructure Services (Treatment, Supply and Testing);
  • Economic (Trade/Commerce/Investment), Business and Industrial Development, Promotion, Regulation and Administration; excluding the following end-users/end-uses:
    • Agencies, Departments, Boards and Councils for Science and Technology,
    • Research, Development and National Laboratories (other than as authorized in paragraphs (K) (Measurements and Standards) and (L) (Meteorology / Weather / Atmospheric Services) below)
    • National Telecommunications and Information Technology Agencies, Boards, Councils and Development Authorities (including National Information Center, and Information Communications Technology (ICT) / Telecommunications Infrastructure / Spectrum Planning, Policy, Regulations and Testing);
  • Elections, Balloting and Polling Services;
  • Energy Regulation and Administration, including Oil, Gas and Mining Sectors;
  • Environmental/ Natural Resources Regulation, Administration and Protection, including Wildlife, Fisheries and National Parks;
  • Food/ Agriculture Regulation and Administration;
  • Labor/Community/Social Services Planning, Regulation and Administration, including: Housing and Urban Development, Municipality and Rural Affairs;
  • Measurements and Standards Services;
  • Meteorology (Weather, Atmospheric) Services;
  • National Archives/Museums;
  • Patents;
  • Pilgrimage and Religious Affairs;
  • Postal Services;
  • Public and Higher Education (Excluding Government Research Institutions and any agency, institution or affiliate engaged in the manufacture or distribution of items or services controlled on the Wassenaar Munitions List);
  • Public Health and Medicine/Pharmaceutical Regulation and Administration;
  • Public Libraries;
  • Sports/Culture (Includes Film, Commercial Broadcasting and the Arts) Promotion, Regulation and Administration;
  • Travel/Tourism Promotion, Regulation and Administration.

Note that the applicable EAR definition of “government end user” covers certain government organizations at the central, regional, and local levels, which are departments, agencies, or entities performing government functions, including governmental corporations that manufacture or distribute items or services controlled on the Wassenaar Munitions List, governmental research institutions and international governmental organizations. However, the definition of government end user for U.S. export purposes does not include:

  • Utility providers (such as providers of gas, electricity, telecommunications and internet service);
  • Transport agencies and entities (such as bus, train, and airport authorities);
  • Entertainment or broadcast entities (such as radio or television organizations);
  • Education organizations (such as schools, colleges and universities or other organizations that have direct contact with students);
  • Health and medical organizations (such as hospitals and clinics);
  • Retail & Manufacturing entities (such as retail or wholesale firms; and manufacturers or industrial entities that do not manufacture or distribute Wassenaar Munitions List items or services).

Restricted Government End Users

Certain government entities not located in the member countries of the EU, Australia, Canada, Japan, New Zealand, or the United States (the countries listed in Supplement No. 3 to Part 740 of the EAR) require a U.S. export license in order to obtain the noted Sophos restricted encryption products.

Other specific government entities are deemed restricted; export licensing would need to be in place, with an additional 15 calendar days’ pre-notification to the U.S. government prior to any export taking place.

The government sectors that fall under this remit are listed below:

  • Agencies, Departments, Boards and Councils for SCIENCE AND TECHNOLOGY (including research, development and state/national laboratories, but not including measurements and standards)
  • CURRENCY AND MONETARY authorities (including departments and offices of the national/federal/royal reserve)
  • EXECUTIVE AGENTS OF STATE (including offices of President/Vice President/Prime Minister, Royal Courts, National Security Councils, Cabinet/Council of Ministers/Supreme Councils/Executive Councils, Crown Princes and other deputies of the rulers, departments and offices of political/constitutional/mainland affairs)
  • LEGISLATIVE BODIES responsible for the enactment of laws
  • IMPORT/EXPORT CONTROL, CUSTOMS AND IMMIGRATION agencies and entities
  • INTELLIGENCE agencies and entities
  • JUDICIARY (including Supreme Courts and other national/federal/regional/Royal High Courts and tribunals)
  • MARITIME, PORT, RAILWAY AND AIRPORT authorities
  • MILITARY AND ARMED SERVICES (including national guard, coast guard, security bureaus and paramilitary)
  • Ministries, Departments and Garrisons of DEFENSE (including defense technology agencies)
  • Ministries and Departments of FINANCE AND TAXATION (including national/federal/royal budget and revenue authorities)
  • Ministries and Departments of FOREIGN AFFAIRS/FOREIGN RELATIONS/CONSULATES/EMBASSIES
  • Ministries of INTERIOR/HOME/MAINLAND AFFAIRS AND HOMELAND SECURITY
  • State/national TELECOMMUNICATIONS AND INFORMATION TECHNOLOGY agencies, boards, councils and development authorities (including national information/critical infrastructure data centers and information and communications technology (ICT)/telecommunications infrastructure/spectrum planning, policy, regulation and testing)
  • POLICE, INVESTIGATION AND OTHER LAW ENFORCEMENT agencies and entities (including digital crime/computer forensics/counter narcotics/counter terrorism/counter proliferation agencies)
  • PRISONS
  • PUBLIC SAFETY agencies and entities (including national/federal/royal agencies and departments of civil defense, emergency management and first responders)

It must be noted that, due to the current situation within Ukraine, the USA requires additional validation on any transactions with Ukrainian or Russian businesses. This process screens not only the company itself but all of its directors and shareholders.

If any individual or company owning 51% or more of the company, directly or in aggregate, appears on the Sectoral Sanctions Identifications (SSI) List, then the transaction is not permitted to proceed.
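The two checks described on this page, restricted party screening of a counterparty against target lists (see the Restricted Party Screening section above) and the ownership test just described, combined into one worked example. This is an added illustration, not Sophos code: the list entries, company names, aliases, programme labels and ownership percentages are constructed, the fuzzy-match threshold of 0.85 is an assumed tuning value, and the 51% ownership threshold is the figure stated on this page. A production screening tool would load the current OFAC SDN/SSI, HM Treasury and EU consolidated lists instead of the inline sample.

```python
"""Restricted-party screening with ownership aggregation.

Added illustration of the screening control described on this page; it is not
Sophos code. All list entries, companies and ownership percentages below are
constructed. A real implementation must screen against the current OFAC
SDN/SSI, HM Treasury and EU consolidated lists.
"""
import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Corporate suffixes and filler words dropped before comparison, so that
# "ACME Holdings Ltd." and "Acme Holdings Limited" compare equal.
_NOISE = {"ltd", "limited", "llc", "inc", "corp", "corporation", "co", "company",
          "gmbh", "plc", "sa", "ag", "ooo", "ojsc", "pjsc", "jsc", "the"}


def normalize(name: str) -> str:
    """ASCII-fold, lower-case, strip punctuation and corporate suffixes."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", folded.lower())
    return " ".join(t for t in tokens if t not in _NOISE)


@dataclass
class ListEntry:
    name: str
    program: str          # constructed label, e.g. "SDN" or "SSI"
    aliases: tuple = ()   # transliteration variants and former names


@dataclass
class Owner:
    name: str
    percent: float


@dataclass
class Counterparty:
    name: str
    owners: list = field(default_factory=list)


def best_match(name, entries, threshold=0.85):
    """Closest list entry as (entry, score) at or above threshold, else None."""
    target = normalize(name)
    best = None
    for entry in entries:
        for candidate in (entry.name, *entry.aliases):
            score = SequenceMatcher(None, target, normalize(candidate)).ratio()
            if score >= threshold and (best is None or score > best[1]):
                best = (entry, score)
    return best


def screen(cp, entries, ownership_threshold=51.0, threshold=0.85):
    """Block on a direct match, or when listed owners hold >= ownership_threshold
    percent in aggregate (this page states 51%; OFAC's own rule is 50% or more)."""
    findings = []
    direct = best_match(cp.name, entries, threshold)
    if direct:
        findings.append(("DIRECT", cp.name, direct[0].name, direct[0].program, round(direct[1], 2)))
    listed_pct = 0.0
    for owner in cp.owners:
        hit = best_match(owner.name, entries, threshold)
        if hit:
            listed_pct += owner.percent
            findings.append(("OWNER", owner.name, hit[0].name, hit[0].program, round(hit[1], 2)))
    return {"counterparty": cp.name,
            "blocked": bool(direct) or listed_pct >= ownership_threshold,
            "listed_ownership_pct": listed_pct,
            "findings": findings}


# Constructed sample data: not real list entries or real companies.
SAMPLE_LIST = [
    ListEntry("Example Sectoral Bank OJSC", "SSI", aliases=("Primer Sektoralniy Bank",)),
    ListEntry("Ivan Primerov", "SDN"),
]
SAMPLE_COUNTERPARTIES = [
    # 55% held by listed parties in aggregate: blocked despite no direct match
    Counterparty("Northern Widgets LLC", [Owner("Example Sectoral Bank OJSC", 30.0),
                                          Owner("Ivan Primerov", 25.0),
                                          Owner("Unrelated Capital Partners", 45.0)]),
    # 20% listed ownership: not blocked, but the owner hit is still reported
    Counterparty("Clean Trading GmbH", [Owner("Example Sectoral Bank OJSC", 20.0),
                                        Owner("Unrelated Capital Partners", 80.0)]),
    # transliteration variant of a listed alias: caught by the fuzzy match
    Counterparty("Primer Sektoralny Bank"),
]


def run_sample():
    """Screen the constructed counterparties; one result dict per party."""
    return [screen(cp, SAMPLE_LIST) for cp in SAMPLE_COUNTERPARTIES]


if __name__ == "__main__":
    for r in run_sample():
        print(f"{r['counterparty']}: blocked={r['blocked']} "
              f"listed_ownership={r['listed_ownership_pct']}% findings={r['findings']}")
```

Two design points matter in practice. First, screening is done on a normalized form of the name (accents folded, punctuation and corporate suffixes removed) and with a similarity score rather than exact equality, because list entries are frequently transliterated or abbreviated differently from how a customer writes its own name; the threshold must be tuned against known false positives, and every hit should be reviewed by a person rather than auto-cleared. Second, the ownership check aggregates the percentages of all listed owners before comparing against the threshold, so a party that is clean by name can still be blocked through its shareholders.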

For any further information in regard to the Sectoral Sanctions Identifications (SSI) List maintained by the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury, please see the following link:
http://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/ssi_list.aspx

Sophos Product Classifications

All Sophos products will have classification reviews in all countries where a tangible or intangible export or re-export is completed through a Sophos entity.

In the EU this is done through a licensing rating request to the relevant export control authority.

In the USA, BIS uses the Commodity Classification Automated Tracking System (CCATS) to assign code numbers to products it has classified against the Commerce Control List (CCL). The CCL contains items subject to BIS export license requirements. Please refer to the Sophos Product Classification Matrix, which lists the Sophos CCATS numbers for each product.

Sophos Distribution Centers

Sophos hardware products can be distributed from the United Kingdom, the United States of America, Singapore, Taiwan, India, the Netherlands and Ireland; each of these locations requires in-country export permits. For additional information on these requirements, please visit the appropriate government websites.

Sophos Product Classification Matrix

The following Sophos product matrix provides information as related to the relevant Strategic Lists, EAR and the CCL.

This information is suitable for use by Sophos customers in conjunction with appropriate independent legal advice. Sophos makes no representation as to the accuracy or reliability of the classifications listed in the Sophos Product Matrix, and any reliance on them is at the user’s own risk.

Sophos Product Classifications including USA license citations can be accessed here

Sophos contact

If you have any queries or require further clarification please contact export@sophos.com

Important Notice & Disclaimer

Bundled Products

From time-to-time, Sophos may rename or re-bundle various products. If you are unsure which of the product names below reflect your purchase, please contact your Sophos Account Manager and they will review your purchase and, upon consultation with the Sophos Legal Department, provide you with the relevant information.

Products Appearing in More Than One Table

If a product appears in multiple tables, the applicable export controls of all such countries must be complied with in regards to the exportation of such product.

As noted above, exportation of restricted goods is a complex area and you are responsible for seeking your own legal advice and ensuring your compliance in relation to such matters in the context of your specific export scenario. Sophos is providing this information as general guidance to our customers and business partners and makes no representations as to its accuracy. All export authorities require that each company or individual exporting products be familiar with and comply with the legislation set forth for the exporting jurisdiction.

Please note that export licensing regulations are subject to change, and should be monitored accordingly. We recommend that customers and partners obtain legal advice when attempting to export to ensure adherence with local jurisdictional licensing & controls in place.

Intrusion software

By way of background, many products (hardware, software and technology) are subject to export licensing under UK and EU law (which will be copied into UK law when the UK leaves the EU; the UK will then be free to amend it, but major changes are considered unlikely at least in the short term).

The list of products considered to be ‘dual use’ (i.e. commercial goods that have potential military or security uses), and therefore subject to export controls, is agreed in an international group known as the Wassenaar Arrangement. In 2013 the group decided to add ‘intrusion software tools’ to the list, and in December 2014 these controls were implemented within the EU and by most other countries that are members of the Wassenaar Arrangement, with the notable exception of the US.

Controls on ‘intrusion software tools’ were introduced because of real concerns that such tools could be used to breach human rights along with the risks that they pose to national security.

These rules are not designed to prevent the export of such products or limit their use for legitimate law enforcement purposes; or to inhibit or restrict research into, or the sharing of information about, software vulnerabilities, bugs or malware.

However, companies in the US lobbied strongly against the proposed new controls, arguing that they could have the unintended consequence of restricting much legitimate commercial cyber security work, such as the deployment of penetration testing tools, even to test internal company networks, and other research on malware. As a result, the US has not adopted the new controls and is understood to have proposed in the Wassenaar Arrangement revisions to narrow the scope of the controls (particularly the definition of ‘intrusion software’).

It is notable that there has not been a similar reaction from industry in the EU, which has now been living with the new controls for several years without serious difficulties. The Wassenaar Arrangement defines intrusion software as follows:

"Intrusion software"; "Software" specially designed or modified to avoid detection by 'monitoring tools', or to defeat 'protective countermeasures', of a computer or network capable device, and performing any of the following:

a. The extraction of data or information, from a computer or network capable device, or the modification of system or user data; or

b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

Excluded from the definition are: hypervisors, debuggers and software reverse engineering tools; Digital Rights Management (DRM) software; and software designed to be installed by manufacturers, administrators or users for asset tracking or recovery.

As you can see from the definition above this could have a very real impact on Sophos products.

Interestingly, there is also a note in the Wassenaar Arrangement called the ‘Information Security Note’. This is in essence an override directing that, where encryption is used to protect information security, the item is assessed under the cryptography controls, and it reads as follows:

"Information security" items or functions should be considered against the provisions in Category 5 ‑ Part 2, even if they are components, "software" or functions of other items.

In the UK, the Export Control Joint Unit (ECJU) and the National Cyber Security Centre (NCSC) have issued advice. Picking out the parts of potential relevance to Sophos, the guidance is essentially as follows:

Intrusion Software itself

This is not controlled. The controls (Wassenaar entries 4A005, 4D004 and 4E001.c) apply only to systems, equipment and components that are specially designed or modified for the generation, operation or delivery of, or communication with, intrusion software, and to related software and technology.

Commercial Malware Toolkit for Law Enforcement

Consider a piece of custom malware designed to assist investigations by extracting data from a suspect’s computer, undetected by any anti-virus.

The toolkit for such malware would likely meet the control text of being specially designed for the generation of "intrusion software" and be controlled.

Associated manuals and any training course materials would also be potentially subject to a technology control.

Open Source Penetration Testing Software

This would be "in the public domain" and would not be controlled as an "intrusion software" tool due to the General Software Note (GSN).

Commercial Off-The-Shelf Penetration Testing Software

If covered by the GSN, as you would expect for commercial off-the-shelf software, then it would not be controlled as an "intrusion software" tool.

If sales restrictions or support requirements mean the GSN does not apply and if, as is likely, it interacts with "intrusion software", then it would likely attract control.

Bug Reports to Vendors

A bug report written in terms of what a bug is – rather than how to write an exploit for it – should not meet the "technology" control, as describing a bug should not require explicitly describing how to provide external instructions, or how to defeat 'protective countermeasures' or how to avoid detection by 'monitoring tools'.

A bug report that describes a defeat for 'protective countermeasures' and a modification to the standard execution path of a program would be controlled as "technology" if it allowed the execution of external instructions. If instead the only outcome described was to launch a calculator process then this is unlikely to be controlled.

Bug Bounties

Bug bounties are paid by software vendors or third parties for the private reporting of verified software bugs. The conditions for payment vary between bug bounty programmes.

Reporting a bug by describing just the bug is unlikely to be controlled, nor would providing a proof of concept be controlled.

If the terms of payment require a description of how such a proof of concept works then that description could well meet the technology control if the proof of concept met the definition of "intrusion software".

Malware Samples

A sample of end malware will not be controlled as "intrusion software" and is not itself controlled.

Analysis of malware samples should not in general be controlled, but if, for example, the analysis describes how to re-implement the aspects of the malware that meet the "intrusion software" definition then the analysis may be controlled as "technology".

The exchange of samples of malware command and control components, or of exploit kits, could attract control as the components / kits are likely to meet the control text.

Export of any malware sample that is not "in the public domain" and that incorporates cryptography meeting the control definitions in Category 5 Part 2 would likely already require a licence, so little additional licensing burden is anticipated on malware researchers through the "intrusion software" tools controls.

Transfers within Companies

In common with other Categories of controls, multinational companies whose day-to-day business requires collaboration by transferring items that meet control entries relating to "intrusion software" tools will require a licence.

Public Domain InfoSec Journals / Magazines

Public domain InfoSec journals, even those that contain descriptions of proofs of concept for "intrusion software", are not controlled by virtue of being "in the public domain".

These examples only consider "intrusion software" related controls. Exporters should be aware that other controls, including Category 5 Part 2 controls on cryptography, may apply too. Interestingly, under the Wassenaar Arrangement rules, where the ‘Information Security Note’ is applicable, Category 5 Part 2 of the control list takes precedence over Category 4. The application of either of these controls could mean that a license is required to export such tools; however, it is not, and should not be considered, a prohibition on export.

In summary:

Current Sophos products related to intrusion software are controlled under Category 5 Part 2 rather than Category 4, since the encryption capabilities they contain take precedence owing to the ‘Information Security Note’. Some products then become de-controlled due to the ‘General Software Note’ and other decontrols in Category 5 Part 2 such as those for retail items intended only for the general public (in the US these are termed ‘Mass Market’ items but the UK authorities do not recognize this term and interpret the rules differently).

International implementation of the ‘intrusion software’ controls is fragmented, with most countries accepting the Wassenaar controls but others interpreting them differently and the US not incorporating the controls into the ‘Export Administration Regulations’ (EAR) (this is an unprecedented position for a published Wassenaar regulation).

For Sophos in the UK/EU, our current Open licenses to all users cover us for the export of products related to ‘intrusion software’ as the ‘Information Security Note’ moves our products to Category 5 part 2 controls. We have had this confirmed during conversations with the NCSC and we consider that the policy is unlikely to change. This includes the export of technology to other parts of the Sophos Group under the Cryptographic Development Open license.

The US has yet to act on the Wassenaar controls but, if/when they do, it seems most likely that they will follow the EU’s example and treat the encryption as the primary basis for control, so the current ‘License Exceptions’ will be valid. It is most likely that any changes that are acceptable to the US will have to be agreed in the Wassenaar group before the US will be prepared to adopt controls on intrusion software. Again the ‘Information Security Note’ should take precedence on control of Sophos products and we will continue to use the current License Exceptions and ‘sensitive’ destination licenses, and this would include those transactions subject to the US ‘deemed export’ and extra-territorial reach controls.

India has relatively recently started to introduce export controls by adopting and adapting the Wassenaar controls. The SCOMET (Special Chemicals, Organism, Material, Equipment and Technologies) control list is a very new list introduced in April 2017, and export controls are not as mature as those of many western nations. ‘Intrusion software’ controls do appear in the listing, and we will work to make sure that the controls have a minimal impact on Sophos business. The Trade Compliance team is currently working with the Director General Foreign Trade (DGFT) to understand exactly how these controls are to be applied and to try to influence the direction taken. The understanding from conversations with other export compliance practitioners is that India does not yet have a unified approach to the new directives, and is looking to benchmark best practices from around the world.

Taiwan has adopted, in broad terms, the EU control list for dual-use goods. Our trade partner in Taiwan is based in a Free Trade Zone and, as such, the usual national controls do not apply for shipments from the Free Trade Zone, with all consignments treated as no license required.

Japan is a single entity market serviced by a trade partner who imports on behalf of Sophos KK. The partner services the market, and provisions within the METI regulations allow for export back to the original supplier without a license; therefore, there should be no impact on Sophos trade.

Sophos China business is local - there are no exports of products by Sophos. China has broader controls on the import and registration of cyber products than on exports - this is likely to change, but not in the short term.

Finally, within the EU, the European Commission has proposed revisions to the EU’s controls on dual-use items. These include creating an EU unilateral control list of cyber-surveillance items that have not been agreed internationally by the Wassenaar group (e.g. monitoring centers for lawful interception systems) and introducing ‘end-use controls’ for any item (i.e. not included on the list of dual-use goods) if it might be used for serious violations of human rights or international humanitarian law - it would become the responsibility of exporters to make this judgement with respect to their own exports. These proposals are contested by industry groups and some Member States, and their adoption, at least in their current form, is far from certain.

For further information please contact export@sophos.com and the Sophos Trade Compliance Team will be able to assist further.