Back in April Rep Lawler (R, NY) introduced HR 2683, the Remote Access Security Act. The bill would authorize the DOC’s Bureau of Industry and Security (BIS) to regulate the use of remote access by a foreign person of items subject to the jurisdiction of the United States under the export control regulations. No new funding is authorized by this bill.
Definitions
Section 2(1) would add a new term to the list of definitions in 50 USC 4801. It would define ‘remote access’ as “access to an item subject to the jurisdiction of the United States by a foreign person through a network connection, including the internet or a cloud computing service, from a location other than where the item is physically located”. It would also allow DOC to expand on that definition in its regulations.
Export Controls Amendments
Section 2 of the bill would amend various provisions of the Export Control Reform Act of 2018 (50 USC 4800 et seq), adding the term ‘or remote access’ to existing text. The changes would include:
Revise §4811(1)(A) to read: “to restrict the export of items or remote access of such items which would make a significant contribution to the military potential of any other country or combination of countries which would prove detrimental to the national security of the United States; and"
Revise §4811(1)(B) to read: “to restrict the export of items or remote access of such items if necessary to further significantly the foreign policy of the United States or to fulfill its declared international obligations.”
Add paragraph (3) to §4812(a) to read: “the remote access of items subject to the jurisdiction of the United States by a foreign person.”
Add paragraph (8) to §4812(b) to read: “regulate the remote access of items described in (a)(3).”
Revise §4812(c) to read: “The President shall impose controls over the export, reexport, or in-country transfer, or remote access of items for purposes of the objectives described in subsections (b)(1) or (b)(2) without regard to the nature of the underlying transaction or any circumstances pertaining to the activity, including whether such export, reexport, or in-country transfer, or remote access occurs pursuant to a purchase order or other contract requirement, voluntary decision, inter-company arrangement, marketing effort, or during a joint venture, joint development agreement, or similar collaborative agreement.”
Revise §4813(a)(3) to read: “prohibit unauthorized exports, reexports, and in-country transfers, and remote access of controlled items, including to foreign persons in the United States or outside the United States;”
Revise §4813(a)(4) to read: “restrict exports, reexports, and in-country transfers, and remote access of any controlled items to any foreign person or end-use listed under paragraph (2);”
Revise §4813(a)(5) to read: “require licenses or other authorizations, as appropriate, for exports, reexports, and in-country transfers, and remote access of controlled items, including—"
Revise §4813(a)(6) to read: “establish a process for an assessment to determine whether a foreign item is comparable in quality to an item controlled under this subchapter, and is available in sufficient quantities to render the United States
exportcontrol of that item or the denial of a license ineffective, including a mechanism to address that disparity;”Revise §4813(a)(7) to read: “require measures for compliance with the
exportcontrols established under this subchapter;”Revise §4813(a)(10) to read: “inspect, search, detain, or seize, or impose temporary denial orders with respect to items, in any form, that are subject to controls under this subchapter, or conveyances on which it is believed that there are items that have been, are being, or are about to be exported, reexported, or in-country transferred or accessed remotely in violation of this subchapter;”
Revise §4813(a)(11) to read: “monitor shipments and other means of transfer or remote access;”
Revise §4813(a)(15) to read: “establish and maintain processes to inform persons, either individually by specific notice or through amendment to any regulation or order issued under this subchapter, that a license from the Bureau of Industry and Security of the Department of Commerce is required to export or remotely access (including the provision thereof); and”
Revise §4813(b) to read: “The authority under this subchapter may not be used to regulate or prohibit under this subchapter the export, reexport, in-country transfer, or remote access of any item that may not be regulated or prohibited under section 203(b) of the International Emergency Economic Powers Act (50 U.S.C. 1702(b))….”
Revise §4813(d)(1)(A) to read: “the export, reexport, in-country transfer, or remote access (including the provision thereof) of items described in paragraph (2), including items that are not subject to control under this subchapter; and”
Revise §4814(b)(2)(C) to read: “criteria for including a person on a list of persons to whom exports, reexports, in-country transfers, and remote access (including the provision thereof) of items are prohibited or restricted under this subchapter;”
Revise §4814(b)(2)(E) to read: “policies and procedures for the end-use monitoring of exports, reexports, in-country transfers, and remote access (including the provision thereof) controlled under this subchapter; and
Revise §4814(c) to read: “It is the sense of Congress that the administration of
exportcontrols under this subchapter should be consistent with the procedures relating to export license applications described in Executive Order 12981 (1995).
Similar changes would also be made in §4815, §4816, §4819, and §4820.
Committee Action
The House Foreign Affairs Committee held a business meeting on April 19th, 2025, where nine bills were considered, including HR 2683. The Committee adopted substitute language offered by Lawler and ordered it reported favorably by a vote of 57 to 0.
The substitute language:
Revises the definition of the term ‘remote access’, and
Adds a new Section 3 that requires congressional updates on the status of regulations implementing the provisions of this bill.
The revised definition inserts the phrase “on a purposeful, knowing, reckless, or negligent basis” describing the type of access to be regulated. It also adds the phrase “if the Secretary determines that the use of the item could pose a serious risk to the national security or foreign policy of the United States” to provide a political limit on the type of access to be included. Finally, it adds a second sentence to the definition:
“Nothing in this paragraph may be construed to lower the requisite mens rea [Latin for guilty mindrequired to be proven for criminal liability under section 1760 [50 USC 4819].’’
This refers to the “willfully” requirements in §4819(b) for the application of criminal penalties (up to $1 million in fines and/or up to 20 years in prison). That mens rea standard is not part of the requirements for application of a civil penalty under §4819(c)
Moving Forward
The unanimous vote to adopt the bill in Committee suggests that the bill will be considered by the House under the suspension of the rules process. The problem, as with most legislation, will be in how this bill is considered in the Senate. It does not appear that this bill would be politically important enough to be considered under regular order. Again, the unanimous vote in Committee suggests that this bill could be considered under the unanimous consent process, but that is far from a sure thing.
Commentary
This is a broadly written bill that would give the DOC’s Bureau of Industry and Security (BIS) comprehensive authority to regulate the control of remote access to most devices on the export control list. Just how the Committee expects BIS to accomplish this regulatory task is not made clear.
What is most concerning about the bill is the new “access on a purposeful, knowing, reckless, or negligent basis” standard. While the ‘reckless or negligent’ standard would not meet the mens rea requirements for a criminal conviction, it would still allow for the application of a civil penalty if poorly constructed controls allowed for the hacking of an item on the export control list. And the way this bill is written, there would not even be a requirement that a foreign entity was the one hacking the item, or even that the item was accessed in the wild; a simple report by a white hat hacker about a hackable vulnerability could leave the exporter (not necessarily the original equipment vendor) vulnerable to a civil penalty.