GWU - Information Policy - Export presentation

Export Issues and Crypto
CS 175 - Information Policy
Randy V. Sabett, J.D., CISSP
October 14, 2009

Topics To Be Covered
• Overview of the basic regulations
• Differences between ITAR and EAR
• Determining the need for a license
• The cost of noncompliance
• Encryption export

Why Regulations Were Imposed
• Prevent terrorism
• Restrict exports of goods and technology that could help our enemies
• Restrict exports of goods and technology that could hamper U.S. economic vitality
• Prevent proliferation of weapons of mass destruction

Overview
• Export controls cover
  • Any item in U.S. trade (goods, technology, information)
  • U.S. items wherever located, even internationally
  • "Deemed exports" (access to controlled technology or a defense service by a foreign national in the U.S.)
• Excludes
  • Items in the public domain
  • Artistic or non-technical publications (maps, children's books, sheet music, calendars, film)

Basic Regulations: ITAR
• International Traffic in Arms Regulations (ITAR), 22 CFR Parts 120 – 130
• The U.S. Munitions List (USML) enumerates the defense articles and services which are controlled (furnishing technical assistance includes design, engineering and use of defense articles)
• Based primarily on whether an article or service is deemed to be inherently military in character
• Licensing handled by the Directorate of Defense Trade Controls (DDTC)

Basic Regulations: ITAR – U.S. Munitions List (USML), 22 CFR 121.1
I. Firearms, Close Assault Weapons/Combat Shotguns
II. Guns and Armament
III. Ammunition
IV. Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs and Mines
V. Explosives, Propellants, Incendiary Agents
VI. Vessels of War and Special Naval Equipment
VII. Tanks and Military Vehicles
VIII. Aircraft and Associated Equipment
IX. Military Training Equipment
X. Protective Personnel Equipment and Shelters
XI. Military Electronics
XII. Fire Control, Range Finder, Optical and Guidance and Control Equipment
XIII. Auxiliary Military Equipment
XIV. Toxicological Agents including Chemical Agents, Biological Agents, and Equipment
XV. Space Systems and Associated Equipment
XVI. Nuclear Weapons, Design and Testing Related Items
XVII. Classified Articles, Technical Data and Defense Services not Otherwise Enumerated
XVIII. Directed Energy Weapons
XIX. Reserved
XX. Submersible Vessels, Oceanographic and Associated Equipment
XXI. Miscellaneous Articles

Basic Regulations: EAR
• Export Administration Regulations (EAR), 15 CFR Parts 730 – 774
• The Commerce Control List (CCL) contains the commodities, technology, and software subject to the EAR; each entry is identified by an Export Control Classification Number (ECCN)
• Licensing handled by the Bureau of Industry and Security (BIS)
• The inherent capabilities and design, not the end use, determine whether an item falls under the ITAR or the EAR

Bureau of Industry & Security

Export Administration Regulations Database

Basic Regulations: EAR – Commerce Control List (CCL) Categories
0. Nuclear Materials, Facilities & Equipment, and Miscellaneous
1. Materials, Chemicals, Microorganisms & Toxins
2. Materials Processing (i.e., making plastics, metals)
3. Electronics
4. Computers (development and programs)
5. Telecommunications and Information Security
6. Sensors and Lasers
7. Navigation and Avionics
8. Marine
9. Propulsion Systems, Space Vehicles and Related Equipment

Basic Regulations: OFAC
• Department of the Treasury, Office of Foreign Assets Control (OFAC) – economic sanctions focus on the end user or country and may limit transfer of technologies/assistance to OFAC's list of embargoed countries
• In certain cases, OFAC regulations "trump" those of other government agencies such as BIS (for example, shipping items to Iran)
• OFAC maintains a "Specially Designated Nationals and Blocked Persons List"
• Prohibits payments or providing "value" to nationals of sanctioned countries and certain entities

Dept. of the Treasury - OFAC

Differences Between ITAR/EAR – ITAR
• Covers military items (munitions and defense articles)
• Includes most space-related technologies because of their application to missile technology
• Includes technical data related to defense articles and services (furnishing assistance including design and use of defense articles)
• Not much latitude, few exemptions
• ITAR will deny a license for exports/sales of defense services or articles to certain countries
• Research must already be published
• ITAR has stricter proprietary review concerns
• Has an exemption for foreign nationals if they are full-time regular employees of a university
  • No grad students, post-docs, or employees from countries prohibited by § 126.1
  • The individual must be informed in writing that the technology may not be transferred to other foreign persons

Differences Between ITAR/EAR – EAR
• Covers dual-use items (found on the CCL)
• Regulates items designed for commercial purposes but that can have military applications (computers, pathogens, civilian aircraft, etc.)
• Covers goods, test equipment, materials and the related technology and software
• Differs on "ordinarily publishable" (EAR) vs. "published" (ITAR)
• Not as many license restrictions to certain countries
• DOC easier to work with – more exemptions available

Key Issue: Software
• Software development
  • Software that is provided to the public for free may not require a license, but proprietary software embodying controlled technology could require licensing
  • Encryption technology could require a license, or could be prohibited for transfer to certain foreign nationals and countries

Key Issue: Travel
• Taking equipment, laptops, etc., out of the country may require a license
  • A license may be required for controlled technology loaded on a laptop even though a license may not be required for the laptop itself
• OFAC has restrictions
• The Departments of Commerce and State, OFAC, and other government agencies maintain denied entities/persons lists

Licensing the Technology and Goods
• EAR – not too complicated, can apply electronically, no fee
  • Deemed export license required for a foreign national working with certain controlled proprietary technology
  • License needed to ship certain goods/technologies outside the U.S.
• ITAR – very complicated and expensive
  • DSP-5/Technical Assistance Agreement required for foreign nationals working with export-controlled technology/defense services
  • Technology Control Plan required

Federal Websites
Apply promptly, licensing can take months!!
• BIS - http://www.bis.doc.gov
  • EAR database – Commerce Control List: http://www.access.gpo.gov/bis/ear/ear_data.html
• ITAR - http://www.pmddtc.state.gov/itar_index.htm
• OFAC - http://www.treas.gov/offices/enforcement/ofac/

The Cost of Noncompliance – ITAR
• Criminal: up to $1 million per violation and 10 years imprisonment
• Civil: seizure and forfeiture of the article, revocation of exporting privileges, up to $500,000 fine per violation
• Examples
  • Raytheon fined $25M
  • Hughes Electronics and Boeing Satellite Systems – $32M
  • Boeing - $4.2M
  • Lockheed Martin - $13M

The Cost of Noncompliance – EAR
• Criminal: $50K to $1 million or 5 times the value of the export, whichever is greater, per violation, and 10 years imprisonment
• Civil: revocation of exporting privileges, fines of $10K – $120K per violation
• Examples
  • Bass Pro - $510K for shipping guns without a license
  • Dr. Thomas Butler, Texas Tech – 2 years in prison for making fraudulent claims and unauthorized exports (plague bacteria)
  • ITT fined $100M for exporting night vision materials without a license

The Cost of Noncompliance – OFAC
• Criminal: $50K to $10M per violation and 10 to 30 years imprisonment
• Civil: $11K to $1M per violation
• Example
  • Augsburg College, Minneapolis, MN fined $9,000 for 4 trips to Cuba; attorney negotiated reduction in fine from $36,000

Range of Penalties in Recent Administrative Settlements

  Company                  Settlement     Charges
  Orbit/FR                 $500,000       4
  DirectTV/HNS/Hughes      $5,000,000     56
  DirecTV (Hughes)         $1,500,000     -
  ITT                      $8,000,000     95
  GM/Gen'l Dynamics        $20,000,000    248
  Agilent Technologies     $225,000       3
  EDO Corporation          $2,500,000     47
  Hughes/Boeing            $32,000,000    123
  Multigen-Paradigm        $2,000,000     24
  Raytheon Company         $25,000,000    26

Policy Debate Over Encryption
• Export laws, FIPS, OECD, patents
• U.S. government position:
  • We need to thwart terrorists and other criminals
• Industry and civil libertarian position:
  • The cat is out of the bag
  • The U.S. software industry is being harmed
  • Encryption is mainly used by law-abiding people to protect against criminals
  • We don't want government snooping in our private communications

The "Crypto Wars"
• Zimmermann – PGP launched 1991
• Karn – administrative/court appeals re Applied Cryptography ("Only Americans Can Type") in 1994
• Bernstein – constitutional attack on ITAR in 1995; ultimately resulted in the government backing down on the regulations in 2002
• Key escrow – "Sink Clipper"
• Junger – court review of inability to teach non-U.S. students in 1996

Current Status
• Encryption technology is still subject to the Export Administration Regulations (EAR)
• Rules significantly relaxed
• Licenses could still be required, but numerous license exceptions are available for most commercial products

Licenses for Encryption Products
• Encryption products require technical review and notification
• Encryption software, technology and hardware are tightly controlled
• Generally listed in Category 5, Information Security, of the CCL
• Generally subject to NS, EI, NP, MT controls
• Generally require licenses depending upon functional characteristics and product robustness

Licenses (cont'd)
• Of interest to NSA and the intelligence community due to U.S. national security interests
• A process exists to permit export of certain encryption software under a license exception after a technical review
• Technical Review:
  • Submission to BIS
  • Requests a license exception
  • Provides a description of the functional characteristics of the product and its encryption
  • Requires submission, in some circumstances, of encryption source code

Encryption License Exception
• § 740.17 Encryption Commodities and Software (ENC)
  • Applies to items subject to the EAR
  • Obtained through submission of a technical review request for release from Encryption Items ("EI") controls
  • A 30-day waiting period applies for certain exports
  • BIS may hold the review request without action
  • Once issued, remains valid until the product's functionality changes

No Restrictions On:
• Authentication cryptography
• Import of cryptography
• Use of cryptography within the U.S.

"Retail" Encryption Software and Commodities
• Can export freely except:
  • Not to restricted individuals
  • Not to the T-7 (the seven designated terrorist-supporting countries), Serbia, or the Taliban
• Prior review and classification
• Key length and type of encryption irrelevant
• Post-export reporting requirements

Definition of "Retail"
• Generally available to the public
• The cryptographic functionality cannot be easily changed by the user
• Does not require substantial support for installation and use
• The cryptographic functionality has not been modified or customized to customer specification
• Not a network infrastructure product

What If the Encryption Commodity or Software Is Not "Retail"?
• Can export to (almost) any non-government end user
• Definition of "government" is limited:
  • Any foreign central, regional, or local government department, agency, or other entity performing governmental functions
  • International governmental organizations
• If exporting to a government end user, a license is required
• The U.S. sees more risk from governments than from corporations and individuals

Publicly Available Source Code
• Can export to (almost) everywhere
• No prior review or classification required
• Must give BXA (now BIS) a copy of the source code or its Internet location
• General posting does not per se constitute export to a terrorist country
• Posting of non-publicly available source code is subject to address checking, notice, and acknowledgment requirements

New Changes (October 3, 2008)
• Further relaxation of the regulations
• New class of "ancillary cryptography"
• No review required for items that are "not primarily useful for computing (including the operation of 'digital computers'), communications, networking (includes operation, administration, management and provisioning) or 'information security'."
• Examples include:
  • Piracy and theft prevention for software, music, etc.
  • Games and gaming
  • Household utilities and appliances
  • Printing, reproduction, imaging and video recording or playback
  • Business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery)
  • Industrial, manufacturing or mechanical systems (e.g., robotics, heavy equipment, facilities systems such as fire alarm, HVAC)
  • Automotive, aviation, and other transportation systems

Other Issues
• Foreign subsidiary of a U.S. company – no restrictions
• Deemed export rule
• Upgrades of key length
• Time limits imposed on government

Questions?

Contact Info
Randy V. Sabett, J.D., CISSP
Sonnenschein Nath & Rosenthal LLP
1301 K Street, NW, Suite 600
Washington, DC 20005
202.408.6830
rsabett@sonnenschein.com

Export Issues and Crypto
CS 175 - Information Policy
Randy V. Sabett, J.D., CISSP
October 8, 2008
...

This note was uploaded on 12/05/2009 for the course CS 175 taught by Professor C.martin during the Spring '09 term at GWU.
