On October 1, 2020, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published an advisory that highlights the risk of potential U.S. sanctions law violations if U.S. individuals and businesses comply with ransomware payment demands.1
Ransomware attacks use malware, often injected through phishing schemes, to encrypt a victim’s data files or programs, followed by a ransom demand by the threat actor that offers the decryption key in exchange for payment. Payment is often demanded in bitcoin, and thus third-party services are often used to make such payments. Increasingly, ransomware attacks not only lock data up but steal data from the victim and threaten to publish sensitive files belonging to victims. According to OFAC, ransomware attacks have been increasing over the last two years and are a special risk during the COVID-19 pandemic, with cybercriminals targeting not only large corporations but also small to medium enterprises, hospitals, schools, and local government agencies.2
The U.S. Department of Commerce, Bureau of Industry and Security (BIS) published an advance notice of proposed rulemaking (ANPRM) soliciting comments to identify foundational technologies essential to U.S. national security by October 26, 2020 (the Foundational Technologies ANPRM). The ANPRM is only one step in a multiyear process through which the U.S. government transforms the regulations restricting the availability of U.S.-sourced technology in the global marketplace.
This long-awaited ANPRM launches an intra-agency review process required under Section 1758 of the Export Control Reform Act of 2018 (ECRA), which Congress passed in the National Defense Authorization Act for Fiscal Year 2019 (2019 NDAA). ECRA directed BIS to identify and establish controls on the export, reexport, or transfer (in country) of emerging and foundational technologies essential to the national security of the United States. On November 19, 2018, BIS issued an ANPRM on identification of emerging technologies (the Emerging Technologies ANPRM), indicating that a separate notice for foundational technologies was forthcoming.
Today’s Foundational Technologies ANPRM can be found here. Sidley’s prior updates on ECRA and the Emerging Technologies ANPRM can be found here.1 Here we summarize five key takeaways from today’s notice.