Cyber-Surveillance Export Control Reform in the United States

2019/01/31

By: Peter Lichtenbaum (plichtenbaum@cov.com), David W. Addis (daddis@cov.com), and Doron O. Hindin (dhindin@cov.com), attorneys in the International Trade practice at Covington & Burling LLP. Mr. Lichtenbaum previously served as Assistant Secretary of Commerce for Export Administration.

Based on recent US agency actions and statements, the US government is likely to soon update its export controls on intrusion software (including exploit research), network surveillance systems, and intelligence collection tools.

Collectively, these items consist of equipment, software, and technologies designed to gain access to, surveil, and control third-party electronic devices. These highly effective tools are increasingly being used for nefarious purposes, such as by ‘black hat’ hackers to steal sensitive information and extort corporations and private individuals, and by authoritarian government regimes to repress dissidents. However, such products are also routinely used by ‘white hat’ cybersecurity specialists to protect systems and data as well as by legitimate government intelligence and law enforcement agencies to achieve critical national security objectives.

As background, and as discussed further below, the US Commerce Department sought in 2014-15 to limit the proliferation of these items through proposed export control regulations on ‘intrusion software’ and ‘IP network communications surveillance systems,’ but that regulatory endeavour lapsed in 2016 in the face of resolute opposition by industry and civil society.

However, the US government has maintained its overall objective of regulating cyber-surveillance and intelligence-gathering tools through export controls. To that end, the Commerce Department and State Department are working toward a series of regulatory changes that, in the aggregate, would significantly change export controls over cyber and intelligence products.

This article surveys these regulatory developments and evaluates what to expect from the US government in the months ahead.

Wassenaar cyber-surveillance controls and US exceptionalism

In December 2013, as a result of proposals by France and the United Kingdom, the Wassenaar Arrangement’s List of Dual-Use Goods and Technologies and the Munitions List (collectively, the ‘Wassenaar List’) was amended to cover, for the first time, ‘intrusion software’ and ‘IP network communications surveillance’ systems. This proposal was made as a result of concerns from non-government organisations that certain repressive governments were able to use such software and systems to eavesdrop on dissidents and reporters within their societies.

The new 2013 language covered commodities, software, and technology for the generation, operation, or delivery of, or communication with, ‘intrusion software,’ defined as:

Software specially designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures, of a computer or network-capable device, and performing any of the following:

(a) The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or

(b) The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

(Notes and quotation marks omitted)

In addition, the updated 2013 Wassenaar List covered communications surveillance systems, and related commodities, software, and technologies, specially designed to extract, index, search, and map metadata from carrier class IP networks, such as national grade IP backbones.3

The controls over intrusion software and IP network communications surveillance systems were immediately implemented by the export control authorities of a number of countries for which the Wassenaar List is self-executing. In other countries, the Wassenaar List requires subsequent implementing legislation, but is then generally adopted verbatim, such as in the European Union.

By contrast, the United States does not automatically adopt Wassenaar List amendments. Rather, after amendments are adopted at annual Wassenaar plenary meetings, the US government launches an interagency review process, which routinely involves seeking industry comments, to determine national security, foreign policy, and economic impacts of the Wassenaar amendments. Following that process, the US government typically adopts the amendments, but frequently modifies the language to reflect US-specific interests and so that it fits neatly within either the Commerce Control List (‘CCL’) – administered by the US Department of Commerce, Bureau of Industry and Security (‘BIS’) pursuant to the Export Administration Regulations (‘EAR’) – or the US Munitions List (‘USML’) – administered by the Department of State, Directorate of Defense Trade Controls (‘DDTC’) pursuant to the International Traffic in Arms Regulations (‘ITAR’).

The US government took this approach with respect to Wassenaar’s 2013 cyber-surveillance amendments. Ultimately, in May 2015, BIS published a proposed rule to incorporate the 2013 Wassenaar intrusion software controls into CCL category 4 and the controls over IP network communications surveillance systems into CCL category 5 part 1.

BIS’s proposed rule elicited a deluge of public comments from industry and civil society. Many of the commenters expressed serious concern that because the Wassenaar language was, in their view, overly broad, its incorporation into the CCL would chill global ‘white hat’ exploit and vulnerability research and would otherwise undermine US national security and economic interests.6 For example, commenters presented BIS with hypothetical scenarios in which exploit researchers uncover vulnerabilities in software platforms of foreign vendors but are then prevented from immediately notifying those vendors of the risks, due to a requirement to first obtain export controls licensing from BIS. Similarly, commenters argued that the proposed rule could unjustifiably require victims of rootkit or other malicious software attacks to obtain licensing prior to sharing their infected device with non-US forensic specialists.7 Others explained that adopting the Wassenaar language would be counterproductive to US national security and economic interests by imprudently controlling general purpose programming environments, such as integrated design environments, and commonly used defensive cyber tools, such as penetration testing products, adaptable end point detection and response tools, auto-updating antivirus and antimalware programs, and forensic exploit toolkits.

The industry concerns prompted BIS to publish 32 clarifying frequently asked questions (‘FAQs’), which in turn prompted yet further industry pushback.9 Ultimately, the force of the industry concern resulted in a 2016 letter by then-Secretary of Commerce Penny Pritzker to cyber industry representatives notifying them that in light of industry feedback and input from Congress, academia, and civil society, the United States would not implement the Wassenaar 2013 intrusion software controls.10 The letter further committed that the US government would advocate at upcoming Wassenaar plenary meetings for the Wassenaar List to be amended by deleting the intrusion software controls in their entirety.

To date, the intrusion software controls in the Wassenaar List have not been eliminated.11 However, as explained by BIS in a recent FAQ, US government efforts have been successful in negotiating limited changes to the Wassenaar List, ‘in order to minimize the negative impact the [intrusion software] entries would have.’

A particularly significant development that the FAQ attributes to US negotiation efforts is that as of 7 December 2017, the Wassenaar List now clarifies that the technology controls on intrusion software ‘do not apply to “vulnerability disclosure” or “cyber incident response”’, new terms of art in the Wassenaar List with corresponding definitions. This important clarification provides welcome relief to vendors worldwide, who are often mandated by contract or by prevailing regulation to respond without delay to data breaches. The change also offers a needed safe-harbour for exploit researchers and cybersecurity specialists worldwide who can now receive, analyse, and remediate vulnerabilities without delay.

A second change to the Wassenaar List discussed in the BIS FAQ is that the list now clarifies that software that provides updates or upgrades that are authorised by the owner or operator of the target system would not be controlled as intrusion software, as long as the software itself was not specially designed to update intrusion software or command and delivery platforms for intrusion software.14 That clarification was necessary to avoid unnecessarily controlling general purpose design environments, auto-updating anti-virus tools, and other pervasive and commercially available software tools, while focusing controls only on more aggressive command and delivery platforms for intrusion software, such as exploit toolkits and penetration testing tools.

Shortly after these Wassenaar changes were agreed to, Rob Joyce, the White House cybersecurity coordinator at the time, praised the US negotiating achievements: ‘We applaud the hard work of the US interagency and our partners in industry, the research community, and foreign governments to clarify software and technology controls that could have had a negative impact on legitimate cybersecurity.’

However, notwithstanding these negotiation successes, BIS has acknowledged that they are only an initial step towards addressing the concerns raised in response to its 2015 rulemaking proposal, and that a number of alternative next steps remain possible:

‘We have not decided on a next step yet [concerning intrusion software]. There are a range of possible actions we could take, including returning to Wassenaar in 2018 to negotiate further changes to the text, publishing a rule to implement the text, or publishing a notice of inquiry or proposed rule for further comment.’17

Subsequently, on 24 October 2018, BIS finalised implementation of the 2017 Wassenaar List. To the continued relief of the cybersecurity industry, neither Wassenaar’s category 4 intrusion software nor its category 5 part 1 IP network communications surveillance entries were incorporated in the CCL.

However, BIS’s recent CCL update, which implements the most current Wassenaar List but continues to exclude that list’s controls over cyber-surveillance tools, by no means signals a retreat by the US government from asserting control over those tools. In fact, other regulatory developments, surveyed below, signal the opposite: cyber-surveillance applications, including exploit research, may be the subject of a broad regulatory reform.

ECRA foundational technologies – comment period

On 13 August 2018, Congress enacted the Export Control Reform Act of 2018 (‘ECRA’), which established a formal interagency process to identify and regulate emerging and foundational technologies that are deemed ‘essential to the US national security’ and are not otherwise controlled for export purposes.

The interagency process established under ECRA has already led to a 19 November 2018 publication in the Federal Register of an advance notice of proposed rulemaking for the ‘Review of Controls for Emerging Technologies.’ As described in the notice’s preamble, BIS ‘seeks public comment [by 10 January 2019] on criteria for identifying emerging technologies that are essential to US national security, for example because they have potential conventional weapons, intelligence collection, weapons of mass destruction, or terrorist applications or could provide the United States with a qualitative military or intelligence advantage.’ (Emphases added)

In addition, a specific category of representative emerging technologies proposed in the notice is: ‘Advanced surveillance technologies, such as: Faceprint and voiceprint technologies.’ Commerce will publish a separate notice of proposed rulemaking related to ‘foundational’ technologies, which could also potentially encompass cyber-surveillance tools and technologies.

The emphasis in the November notice’s preamble on intelligence collection and the US intelligence advantage, and the inclusion of a dedicated emerging technology category of ‘[a]dvanced surveillance technologies,’ relates directly to the government’s ongoing efforts at leveraging export controls to curtail the proliferation of intrusion software and surveillance technologies.

As discussed above, the 2013 Wassenaar cyber-surveillance amendments originated from proposals by European governments, and the US government yielded to the barrage of public disapproval that they generated. By contrast, under ECRA, the US Congress has explicitly directed the US administration to identify, and impose export controls on, emerging and foundational technologies, which the government has in turn interpreted to include advanced surveillance technologies, including for intelligence collection purposes. With ECRA as its tailwind, the US government might be more determined to impose controls on cyber-surveillance items, particularly if these controls are limited based on the Wassenaar amendments discussed above.

Human rights export controls for the 21st Century

On 9 May 2018, and in parallel to ECRA developments, Senator Marco Rubio and Representative Chris Smith, on behalf of the Congressional-Executive Commission on China (‘CECC’), transmitted a letter to Secretary of Commerce Wilbur Ross noting that compelling evidence indicates that, notwithstanding current US export controls, US companies are selling Chinese authorities advanced products used for ‘surveillance, detection, and censorship’.20 The congressmen in the letter explicitly asked the Secretary to explain ‘what new legislation or new authorities [are] needed to revisit/revise export control regulations so they are consistent with the rapid evolution of technology,’ and whether any ‘software or technology which could be used for the purpose of domestic repression, [is] subject to export controls with respect to Chinese end-users of concern?’

These concerns and the need to ‘revisit/reform export control regulations’ were echoed in CECC’s 2018 annual report, published on 10 October 2018, which recommends that the US administration ‘Revamp Export Controls,’ including by amending the USML to include ‘new technologies… [that] enhance surveillance and the ability of security forces to repress universally recognized human rights.’21

In response, the Secretary of Commerce reportedly informed CECC by letter that by the autumn of 2018, the Department of Commerce would propose new ‘human rights controls for the 21st century’. The concept would be to update the Commerce Department’s so-called ‘Crime Controls’, under which the department regulates items of traditional human rights concerns such as leg shackles, thumbscrews and police batons. The new proposal would focus on high-technology items that can facilitate human rights abuses. It is unclear how this development would relate to the ECRA rulemaking discussed above, but it may provide a more expedited vehicle for Commerce to control intrusion software platforms or surveillance tools, compared with the ECRA process. In particular, this could be the case with respect to software items that are long-established technologies, since the ECRA process for identifying ‘foundational’ technologies has not yet even started. Even the ECRA ‘emerging’ technologies process will probably not result in an actual proposed rule until sometime in 2019. By contrast, the ‘human rights’ rulemaking is expected to involve publication of a proposed rule in December 2018.

USML category XI(b)

A further indication of forthcoming controls on intrusion software and surveillance technologies was DDTC’s announcement on 30 August 2018, of a 12-month extension of the application of USML category XI(b), in order to provide DDTC with the opportunity to complete a ‘wholesale revision of USML category XI.’

Category XI(b) – the scope of which has been the subject of ongoing interagency debate and numerous rulemaking processes23 – is the principal USML entry intended to capture national-level intelligence collection tools:

* [XI](b) Electronic systems, equipment or software, not elsewhere enumerated in this subchapter, specially designed for intelligence purposes that collect, survey, monitor, or exploit, or analyze and produce information from, the electromagnetic spectrum (regardless of transmission medium), or for counteracting such activities.

Currently, the broad formulation of category XI(b) serves as a strong hook for the US government to control sensitive intrusion software platforms or IP network surveillance technologies. At the same time, category XI(b)’s fairly abstract language has also historically provided exporters with tenable arguments to justify self-classifications of intelligence collection items under BIS jurisdiction, to the extent those items are more accurately described in the CCL. A discussion of the numerous surveillance- and intelligence-related export control classification numbers on the CCL, as well as BIS’s policies governing surreptitious listening and cryptographic or cryptanalytic items, is beyond the scope of this article. Nonetheless, it is worth noting that these Commerce Department controls and policies, and attendant licence exceptions, have proven relevant for various vulnerability software and surveillance tools that may routinely be sold to local law enforcement or private security firms and that are more precisely captured under the EAR, and not under the ITAR’s USML category XI(b) controls.

However, that all may change with the as-yet-unknown ramifications of DDTC’s ‘wholesale revision of USML Category XI’. The DDTC’s undertaking with respect to category XI should be viewed in conjunction with the Wassenaar, ECRA, and China Commission developments discussed above, which collectively signal forthcoming export controls over intrusion software and surveillance technologies.

Conclusion

The confluence of efforts by the US delegation at Wassenaar; pending ECRA rulemaking on emerging technologies, and the expected similar ECRA rulemaking on foundational technologies; encouragement by Congress for revised Commerce Department ‘human rights controls for the 21st century’; and impending revisions of USML category XI(b) by the State Department, collectively signal a forthcoming reform in US export controls over intrusion software (including potentially exploit research), network communications surveillance systems, and intelligence-collection tools.

Those likely to be most affected by such reforms should closely monitor the concurrent agency processes discussed above. Stakeholders should also consider proffering feedback and insights to government, so that the emerging rules appropriately reflect values of human rights, national security, foreign policy and economic interests.

More Information: https://www.cov.com/-/media/files/corporate/publications/2018/12/cybersurveillance_reform_in_the_united_states.pdf

Links and notes

1    The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Technologies is a multilateral organisation with 42 member states, and several other non-member observers, that collaborate on export controls.

2    Wassenaar List (2013), Category 4.A.5.

3    Wassenaar Category 5.A.1.j.

4    The European Union, for example, adopted the 2013 Wassenaar List controls on 22 October 2014. See: Commission delegated regulation, (EU) No. 7567/2014 (Oct. 22, 2014), at http://ec.europa.eu/transparency/regdoc/rep/3/2014/EN/3-2014-7567-EN-F1-1.PDF, entering into force on December 31, 2014, pursuant to Commission delegated regulation (EU) No. 1382/2014, OJ L 371/1, (30 December 2014).

5    Department of Commerce, Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items, Proposed Rule with Request for Comments, 80 Fed. Reg. 28553 (20 May 2015).

6    See e.g., Comments to the US Department of Commerce on Implementation of 2013 Wassenaar Arrangement Plenary Agreements (RIN 0694-AG49) On Behalf Of Access, Center for Democracy & Technology, Collin Anderson, Electronic Frontier Foundation, Human Rights Watch, and New America’s Open Technology Institute (20 July 2015), available at https://www.eff.org/files/2015/07/21/jointwassenaarcomments-final-1.pdf.

7    See https://www.cs.dartmouth.edu/~sergey/drafts/wassenaar-public-comment.pdf http://trade.ec.europa.eu/doclib/docs/2017/december/tradoc_156502.pdf

8    See e.g., BIS 2015 ‘Intrusion and Surveillance Items Frequently Asked Questions (‘FAQ’),’ at FAQs 8, 12, 16, and 29, available as an archived webpage at: https://web.archive.org/web/20150908025350/https://www.bis.doc.gov/index.php/policy-guidance/faqs?view=category&id=114#subcat200.

9    Id; See Mailyn Fidler, Proposed US Export Controls: Implications for Zero-Day Vulnerabilities and Exploits at Lawfareblog.com (10 June 2015), available at, https://www.lawfareblog.com/proposed-us-export-controls-implications-zero-day-vulnerabilities-and-exploits

10   Letter From The Honorable Secretary of Commerce, Ms. Penny Pritzker, To American Petroleum Alliance (API), et. al. (1 March 2016), available at https://www.bis.doc.gov/index.php/forms-documents/about-bis/newsroom/1434-letter-from-secretary-pritzker-to-several-associations-on-the-implementation-of-the-wassenaar-arrang/file.

11   Tami Abdollah, US fails to renegotiate arms control rule for hacking tools, Associated Press (19 December 2016), available at https://apnews.com/c0e437b2e24c4b68bb7063f03ce892b5 (noting that initial attempts in 2016 at renegotiating the controls were unsuccessful); Garett Hinck, Wassenaar Export Controls on Surveillance Tools: New Exemptions for Vulnerability Research (5 January 2018), available at https://www.lawfareblog.com/wassenaar-export-controls-surveillance-tools-new-exemptions-vulnerability-resear (surveying the US negotiating efforts to date and resultant changes in December 2017 to the Wassenaar List).

12   BIS, ‘Intrusion and Surveillance Items,’ FAQ No. 1, at, https://www.bis.doc.gov/index.php/policy-guidance/faqs#faq_62 (visited 20 November 2018).

13   Wassenaar List Category 4.E.1. (defining a ‘vulnerability disclosure’ as ‘the process of identifying, reporting, or communicating a vulnerability to, or analysing a vulnerability with, individuals or organizations responsible for conducting or coordinating remediation for the purpose of resolving the vulnerability’ and defining a ‘cyber incident response’ as ‘the process of exchanging necessary information on a cybersecurity incident with individuals or organizations responsible for conducting or coordinating remediation to address the cyber security incident’).

14   BIS, ‘Intrusion and Surveillance Items,’ FAQ No. 1, at, https://www.bis.doc.gov/index.php/policy-guidance/faqs#faq_62 (visited 20 November 2018).

15   See e.g., BIS 2015 ‘Intrusion and Surveillance Items Frequently Asked Questions (‘FAQ’),’ at FAQs 8, 12, 16, and 29, available as an archived webpage at: https://web.archive.org/web/20150908025350/https://www.bis.doc.gov/index.php/policy-guidance/faqs?view=category&id=114#subcat200.

16   Shaun Waterman, The Wassenaar Arrangement’s latest language is making security researchers very happy in cyberscoop.com (20 December 2017), available at, https://www.cyberscoop.com/wassenaar-arrangement-cybersecurity-katie-moussouris/.

17   BIS, ‘Intrusion and Surveillance Items,’ FAQ No. 1, at, https://www.bis.doc.gov/index.php/policy-guidance/faqs#faq_62 (visited 20 November 2018).

18   Department of Commerce, Review of Controls for Certain Emerging Technologies; Advance notice of proposed rulemaking (ANPRM), 83 Fed. Reg. 58201 (19 November, 2018).

19   The comment period was initially scheduled to close on December 19, 2018, but was extended by three weeks in response to requests by leading technology companies that they be allotted additional time for drafting comments.

20   See Letter From Senator Marco Rubio and Representative Chris Smith, Co-Chairs of the Congressional-Executive Commission on China, To The Honorable Wilbur Ross, Secretary of Commerce (9 May 2018), available at https://www.cecc.gov/media-center/press-releases/chairs-ask-commerce-secretary-ross-about-sale-of-surveillance-technology.

21   CECC, Annual Report, 2018, p. 16, available at https://www.cecc.gov/sites/chinacommission.house.gov/files/Annual%20Report%202018.pdf.

22   Department of State, Continued Temporary Modification of Category XI of the United States Munitions List; Final rule; notice of temporary modification, 83 Fed. Reg. 44224 (30 August 2018).

23   Department of State, Amendment to the ITAR: USML Category XI (Military Electronics), and Other Changes; Final Rule, 79 Fed. Reg. 37536, 37544 (1 July 2014) (proposing XI(b) controls that excluded the phrase ‘analyze and produce information from’ and that controlled only ‘systems or equipment,’ but not software); Department of State, Temporary Modification of Category XI of the USML; Final rule; notice of temporary modification, 80 Fed. Reg. 37974, 37975 (2 July 2015) (explaining that as a result of the 2014 version of XI(b), DDTC grew concerned ‘that exporters may read the revised control language [in Category XI(b)] to exclude certain intelligence analytics software that has been and remains controlled on the USML.’).

24   Department of State, Continued Temporary Modification of Category XI of the United States Munitions List; Final rule; notice of temporary modification, 83 Fed. Reg. 44224 (30 August 2018).


Export News: The Rules Are about to Change, What You Can Expect?

2019/01/31

By: Johanna Reeves, Esq., jreeves@reevesdola.com, +1 202-715-9941; and Katherine Heubert, Esq., kheubert@reevesdola.com, +1 202-715-9940. Both of Reeves & Dola, LLP. (Source: R/D Report)

Earlier this year, the U.S. Department of State, Directorate of Defense Trade Controls (DDTC) published a proposed rule in the Federal Register to amend the International Traffic in Arms Regulations (ITAR) and revise U.S. Munitions List (USML) Categories I, II, and III to better identify the articles the U.S. government believes warrant export and temporary import control on the USML. Those items deemed not to require control under the ITAR are proposed to be removed from the USML and would become subject to the U.S. Department of Commerce, Bureau of Industry and Security’s (BIS) Export Administration Regulations (EAR). BIS published a companion proposed rule at the same time to identify where those items removed from the USML will be controlled on the Commerce Control List (CCL). We covered the proposed transition rules in our alerts, dated May 23, June 1, June 8, and June 13, 2018, all of which can be accessed at reevesdola.com.

Soon the highly anticipated rules containing the final rewrites of U.S. Munitions List Categories I, II, and III should be published. In advance of their publication, companies should begin to prepare now in order to be best positioned to take advantage of the change in regulations as soon as they become effective. In this alert we seek to answer some basic questions about the transition and walk through the review process that companies will need to undertake to determine which set of controls will now apply to their goods and services.

What Will the Rewrites Do?

As many of you already know, USML Categories I, II, and III are the last USML categories to go through the revision process. All other USML Categories have been revised, some multiple times already as part of the previous Administration’s Export Control Reform (ECR) effort. What the upcoming final rules will do is to remove from the USML those items the U.S. government has determined to be of less military significance or of a more commercial nature. As explained in the proposed rule, DDTC’s intent is to revise these categories so that the scope of the respective USML Category is limited to those defense articles that provide the United States with a “critical military or intelligence advantage or are inherently for military end use.” (83 FR 24198). DDTC further explains in the proposed rule that the articles that would be removed from the USML do not meet this standard, and notes that many items are widely available in retail outlets in the United States and abroad. Those items removed from the USML will be subject to the EAR in new Export Control Classification Numbers (ECCNs) on the CCL.

Despite what many have claimed, this is not a decontrol of the items identified for removal from the USML. Rather, it is a right-sizing of U.S. export controls. Items that have historically required a license from DDTC will now be subject to the export licensing requirements of the EAR. However, this does not mean that companies will be able to ship firearms and ammunition throughout the world without a license. To the contrary, many items moving to the CCL will require an export license from BIS, even to Canada. It is also important to remember that the revisions to the USML have no impact on how the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) controls firearms and ammunition for permanent import into the United States under its regulations at 27 C.F.R. Part 447.

Has the Transition Already Taken Effect?

No! As of today, the revisions have not yet been published as a final rule and the USML currently remains unchanged for Categories I, II, and III. When the final rules are published in the Federal Register, they will provide an effective date for the implementation of the changes. If the previous USML Category rewrites are any indication, the rules will likely become effective 180 days after the final rule publishes, though the agencies could decide to provide a shorter implementation period. A delayed effective date, which has been provided in all the previous USML Category revisions, is intended to give impacted industry members the time to implement the revisions by reclassifying their inventory, making changes to internal processes and procedures, training employees on the new controls, updating databases, notifying customers, and taking other necessary compliance actions.

Is There Anything to do to Prepare for this?

Yes! Companies now can begin reviewing their inventory and internal procedures to identify those items and functions that may be impacted. While the proposed rules aren’t set in stone, they do provide a good roadmap of what is likely going to move off the USML and onto the CCL. Companies can use that to redline processes and procedures and identify any necessary changes to databases and systems that house jurisdictional determinations for products. The proposed rules can also help companies start walking through the jurisdictional review analysis to determine what export control regime will likely apply to their products after the revisions become effective. For a refresher on the proposed rules, please review our previous alerts.

The process for walking through this jurisdictional review is called the Order of Review. The Order of Review is the process by which one makes a jurisdiction and classification decision with respect to the export control regulation applicable to any piece of hardware, software, technology, or service. The Order of Review is completed by first reviewing the USML, followed by the CCL, and essentially asking a series of yes/no questions. The following outline is designed to walk you through the basic decision process for an Order of Review analysis.

Step 1: Review the ITAR

* If your item is enumerated by name or capability in a USML control paragraph, your review has ended. The item is ITAR controlled.

* If your item is described in a control paragraph that contains the “specially designed” modifier, you must perform the specially designed analysis in 22 C.F.R. §120.41 to determine whether your item is captured.

– If after performing the “specially designed” analysis the item is determined to be “specially designed,” then the item is controlled in that subparagraph of the USML. Your review has ended.

– If after performing the “specially designed” analysis the item is released (i.e., determined not to meet the “specially designed” criteria), then the item is not controlled on the USML and a review of the EAR is required. Proceed to Step 2 below.

* If the item is not described in any control paragraph on the USML, then the item is not captured by the ITAR and a review of the EAR is required. Proceed to Step 2 below.

Note: if an item appears to be listed in multiple paragraphs, any paragraph that is designated Significant Military Equipment (SME) takes precedence over a non-SME paragraph. In other words, always follow the highest applicable level of control.

Step 2: Review the EAR

Note: the EAR does not have a “see through” rule like the ITAR, so do not consider the individual parts inside of an item when classifying it. Instead, consider overall functions and characteristics to classify the item under review. Compare the characteristics of the item to the 10 CCL categories and then determine the applicable product group A-E.

* Start your CCL review with the “500-series” and “600-series” ECCNs. If your item is enumerated by name or capability in a “500-series” or “600-series” ECCN on the CCL, your review has ended. The item is controlled in that control paragraph of the CCL.

* If your item is described in a control paragraph that contains the “specially designed” modifier, then perform the “specially designed” analysis, described in Part 772 of the EAR.

– If after performing the “specially designed” analysis the item is determined to be “specially designed” then the item is controlled in that control paragraph of the CCL. Your review has ended.

– If after performing the “specially designed” analysis the item is released, then a review of the rest of the CCL is required.

* If you have reviewed the “500-series” and “600-series” ECCNs and your item is not captured, then proceed to review the rest of the CCL. If your item is enumerated by name or capability in a “non-600/500 series” ECCN on the CCL, then your item is controlled in that paragraph of the CCL. Your review has ended.

* If your item is described in a control paragraph that contains the “specially designed” modifier, then perform the “specially designed” analysis, described in Part 772 of the EAR.

– If after performing the “specially designed” analysis the item is determined to be “specially designed” then the item is controlled by that paragraph of the CCL. Your review has ended.

– If after performing the “specially designed” analysis the item is released, proceed to Step 3.

* If your item is not described in any ECCN on the CCL, then proceed to Step 3 below.

Step 3: Item Not Captured by Specific ECCN

If the Order of Review is performed and the item is not captured by the USML and is not captured by any ECCN on the CCL, then the item is classified as ECCN EAR99. The Order of Review analysis has ended.

If, after performing the Order of Review, questions remain as to the proper jurisdiction and classification of an item, consider submitting a Commodity Jurisdiction (CJ) request to DDTC for an official jurisdictional determination for a product. When submitting a CJ request to DDTC, it is recommended to include a description of the Order of Review analysis that was conducted and a clear explanation as to why confusion remains. Also, indicate the USML Category(ies) or ECCN(s) that you believe is/are most likely applicable to the item under review. DDTC provides step-by-step instructions for preparing and submitting Commodity Jurisdiction requests on its website.

Additionally, both DDTC and BIS have developed Order of Review tools to aid industry in making a jurisdiction and classification analysis.

DDTC’s web-based decision tools:

* Order of Review: Use this tool to help you figure out where your item(s) is controlled on the USML.

* Specially Designed: Use this tool to help you determine if a particular item is “specially designed” or meets one of the five carve-outs. This tool applies ONLY to commodities and software related to USML Categories that have been revised in accordance with the President’s Export Control Reform initiative. DO NOT USE if your USML category has not yet been revised.

BIS web-based decision tools:

* CCL Order of Review: This tool will assist users in understanding the steps to follow in reviewing the Commerce Control List when determining the classification of an item. (See Supplement No. 4 to part 774 of the EAR).

* Specially Designed: This tool will assist users in determining if an item is “specially designed” under the Export Administration Regulations. (See § 772.1 of the EAR).

Closing Thoughts

Of course, each jurisdictional determination is unique, with some being more complex than others. Additionally, the “specially designed” review is its own separate catch-and-release analysis. We will address the “specially designed” review in an upcoming alert. Please note that the “specially designed” analysis is slightly different between the two regulations, so do not assume that if an item is released from the ITAR, it is automatically classified as EAR99.

Even though the transition is not a decontrol of firearms and ammunition exports, the process will be radically different from what many are already accustomed to. The rules of the game are about to change, and so it is vitally important that companies get ready. Many will need to learn a new set of export controls regulations (the EAR) that may never have applied to their products before. Whether it’s reclassifying products or retooling corporate policies and procedures, businesses must be prepared to adapt to the new rules to ensure export transactions remain compliant.


Iran: The Battle Between US Sanctions and the EU Blocking Regulation

2019/01/31

By: Danielle Hatch

In 2018 the US withdrew from the Joint Comprehensive Plan of Action (JCPOA), causing the US government to reimpose trade sanctions on Iran. This not only impacted US entities, but it imposed “secondary sanctions” on non-US entities that continue to trade with Iran.

The US applies its trade sanctions on an extra-territorial basis, requiring not only US entities, but also foreign entities involved in US dollar-denominated transactions, the US financial system, or inclusion of more than de minimis amounts of US goods or technology to abide by US sanctions, even if they aren’t in the US.

In response to the newly imposed Iran sanctions, the European Commission amended a 22-year-old “Blocking Regulation” that prohibits an EU entity from complying with any requirement or prohibition under listed US sanctions against Cuba, Libya, and Iran. The Blocking Regulation provides that EU persons can recover any damages caused by application of blocked sanctions from the person or other entity causing such injury (e.g. from an entity that refused to complete a transaction due to the applicability of US sanctions). It should be noted that there have only been a handful of instances where the Blocking Regulation was used in practice and it doesn’t look like there have been any entities penalized for noncompliance with the 22-year-old rule.

At the moment, no one knows if the EU will ramp up the age-old Blocking Regulation and start enforcing it in an attempt to discourage EU entities from complying with the newest US sanctions. Unfortunately, EU entities are stuck in the middle and must weigh the pros and cons of current trade with Iran.

More Details: https://www.dwt.com/EU-Companies-Face-Tough-Choice-Violate-US-Secondary-Sanctions-on-Iran-or-Amended-EU-Blocking-Regulations-01-08-2019/


Exporters and the Shutdown

2019/01/31

The US Government was shut down for 35 days and it affected approximately 800,000 federal workers, nine departments and several agencies. As many export compliance professionals may have noticed, the US Department of Treasury’s Office of Foreign Assets Control (OFAC), the US Department of Commerce’s Bureau of Industry and Security (BIS) and the US Department of State’s Directorate of Defense Trade Controls (DDTC) were all affected by the shutdown.

All guidance from these departments was very limited, meaning questions went unanswered as most compliance officers received out-of-office replies citing the shutdown. The Department of Commerce’s free Consolidated Screening List tool was even shut down for a few days, leaving exporters to find alternate ways to screen their customers. The BIS licensing portal, Simplified Application Process-Redesign (SNAP-R), was also unavailable. DDTC’s DTrade portal, which is used for requesting and receiving license requests, was automatically rejecting new submissions, and the DDTC’s daily pick-up and drop-off service was cancelled.

With the government now funded for a short period of time (3 weeks to be exact), OFAC, BIS and DDTC will resume operations as usual.

DDTC issued the following statement: Priority will be placed on issuance of licenses in the system at the time of implementation of lapse of funding operations on December 22, 2019. New licenses will be accepted; however, industry is advised of the likelihood of longer than normal processing times due to the high volume of licenses DDTC expects to receive. The “Emergency License” process described in DDTC’s December 22, 2019 announcement below is hereby suspended.

DDTC Full Notice: https://www.pmddtc.state.gov/?id=ddtc_public_portal_news_and_events


BIS Extends Comment Period for Emerging Technologies

2018/12/23

The Bureau of Industry and Security issued a notice extending the comment period for the advance notice of proposed rulemaking (ANPRM), “Review of Controls for Certain Emerging Technologies,” until January 10, 2019 (previously, the comment period was to end on December 19, 2018).

You may submit comments through either of the following:

  • Federal eRulemaking Portal: http://www.regulations.gov. The identification number for this rulemaking is BIS 2018–0024.
  • Address: By mail or delivery to Regulatory Policy Division, Bureau of Industry and Security, U.S. Department of Commerce, Room 2099B, 14th Street and Pennsylvania Avenue NW, Washington, DC 20230. Refer to RIN 0694–AH61.

FOR FURTHER INFORMATION CONTACT: Kirsten Mortimer, Office of National Security and Technology Transfer Controls, Bureau of Industry and Security, Department of Commerce. Phone: (202) 482–0092; Fax (202) 482–3355; Email: Kirsten.Mortimer@bis.doc.gov.

Federal Register: https://www.govinfo.gov/content/pkg/FR-2018-12-14/pdf/2018-27148.pdf


CEO Pleads Guilty to Export Violations and Agrees to Pay $17 Million

2018/12/23

By: Danielle Hatch

Eric Baird, former owner and CEO of Access USA Shipping, LLC d/b/a MyUS.com (Access USA), had his criminal plea accepted by the Bureau of Industry and Security (BIS) on December 12, 2018. BIS imposed a civil penalty of $17 million, with $7 million suspended, along with a 5-year denial of export privileges with one year being suspended. This is historically the largest penalty to be paid to BIS by an individual.

Are you wondering what this guy must have done to get the largest personal penalty? He went out of his way to hide illegal exports from the government…something they really frown upon. Baird founded Access USA and developed the business model of providing foreign customers with a US address so that they could acquire US origin items for export without alerting US merchants of the items’ ultimate destinations. Baird created policies and practices where it was normal for the values and descriptions of items on export documentation to be falsely identified. At one point, laser sights for firearms were described as “tools and hardware,” and rifle scopes were described as “sporting goods” or “tools, hand tools.” Baird even created a personal shopper program where Access USA employees purchased items for foreign customers from a shopping list and presented themselves as the domestic end users. At one point, Baird and Access USA employees were personally paying for the items and being reimbursed later by their foreign customers.

Access USA’s Chief Technology Officer emailed Baird in 2011 saying, “I know we are WILLINGLY AND INTENTIONALLY breaking the law.” In the same email thread Baird said, “if warned by the government,” then the company “can stop ASAP.”

Access USA settled with BIS in 2017 and agreed to a penalty of $27 million with $17 million suspended. You can read an article outlining the charges at: https://www.learnexportcompliance.com/blog/2017/03/30/florida-company-fined-27-million-for-150-intentional-ear-violations/

Department of Justice: https://www.justice.gov/usao-mdfl/pr/former-florida-ceo-pleads-guilty-export-violations-and-agrees-pay-record-17-million


OFAC Dings U.S. Defense Contractor for Sanctions Violations, Inadequate Screening

2018/12/23

By: Thad McBride on December 12, 2018

  • Penalties imposed for violations of U.S. sanctions on Russia and Ukraine
  • Violations identified during pre-acquisition due diligence on contractor
  • Denied persons screening was conducted but missed prohibited parties

In late November 2018, the U.S. Treasury Department, Office of Foreign Assets Control (OFAC) announced that Cobham Holdings, Inc. agreed to pay $87,507 to settle violations of U.S. sanctions on Ukraine and Russia.

Violations Identified During Pre-acquisition Due Diligence

According to OFAC, the violations were committed by Cobham’s former subsidiary, Metelics, prior to the sale of Metelics to MACOM. It was MACOM that identified the violations during due diligence related to its acquisition of Metelics. And it was presumably MACOM that required Cobham to make the voluntary disclosure to OFAC that led to the penalty in this matter.

The penalty is small by recent OFAC standards. (For example, it is about 620 times less than Societe Generale paid to OFAC as part of its global settlement of sanctions violations.)

But as a cautionary tale, the Cobham matter is important to any exporter.

Products Sold to Entity Blocked Under U.S. Sanctions

According to OFAC, during a six-month period in 2014 and 2015, Metelics sold products through distributors in Canada and Russia to a blocked entity under U.S. sanctions. That entity – Almaz Antey Telecommunications LLC (AAT) – was not explicitly named as a blocked party on the OFAC List of Specially Designated Nationals and Blocked Persons (the SDN List).

Yet AAT was nonetheless a blocked person because it was 51 percent-owned by a party – JSC Almaz-Antey – that was named on the SDN List. As OFAC has made abundantly clear, any entity that is owned 50 percent or more by one or more blocked persons is a blocked entity itself.

Any blocked person, whether named on the SDN List or not, is effectively off limits to U.S. companies and individuals.

Screening Challenges Lead to Violations

The chronology of this matter demonstrates the challenges exporters face when screening third party business parties.

According to OFAC, on June 18, 2014, Metelics agreed to sell products to AAT through a Canadian distributor. On June 19, Metelics screened AAT against its prohibited parties screening software. At that time, JSC Almaz-Antey was not a prohibited party – and thus neither was AAT.

On June 27, Metelics shipped products to AAT. In connection with that shipment, Metelics again conducted denied parties screening and identified no match for AAT.

None of this is surprising or problematic from OFAC’s standpoint because JSC Almaz-Antey was not designated as an SDN until July 16, 2014. That is when things get more interesting.

On July 31, 2014, Metelics made another shipment to AAT. In connection with this shipment, Metelics again conducted denied parties screening for AAT and again did not identify any matches – even though JSC Almaz-Antey, the majority owner of AAT, was now named on the SDN List.

Based on this, OFAC deemed the screening effort to be insufficient. OFAC emphasized that Metelics proceeded with shipment to AAT “despite the inclusion of two uncommon terms [‘Almaz’ and ‘Antey’] in the names of both the SDN and [AAT].” OFAC’s statement suggests that the screening software should have identified at least a potential match, which Metelics would presumably have reviewed further before continuing with the transaction.

Notably, there is no indication that Metelics somehow set the software or screening mechanism to avoid identifying a match with AAT. In fact, in its press release, OFAC states that the screening software was set up to identify “fuzzy” search criteria yet missed the similarities between AAT and JSC Almaz-Antey.

It thus appears that Metelics was not entirely to blame for these apparent violations. Yet in explaining the penalty in this case, OFAC also notes that Metelics “was subject to a consent agreement for violations of the International Traffic in Arms Regulations [ITAR]… resulting from recurring compliance failures.” Arguably those ITAR compliance failures should have made Metelics particularly vigilant about protecting against failures with its screening system.

While OFAC does not name the provider of the screening software in this case, the agency does state that “[p]ersons employing sanctions screening software should take steps to ensure it is sufficiently robust.” In other words, simply because a company uses software to conduct screening does not mean that software is adequate to protect against violations.
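The chronology above can be replayed against a screening check, shown here as an added example that is not from OFAC or the article: it compares a naive whole-string similarity score with a distinctive-token check, applies the list as of each shipment date, and aggregates blocked owners' stakes under the 50 percent rule. The thresholds, the legal-form stoplist, the filler list entry and the ownership-record format are assumptions; only the names, the 51 percent stake and the dates come from the text.

```python
import re
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Listed:
    name: str
    listed_on: date


# Constructed list snapshot. The JSC Almaz-Antey designation date is the one
# given in the article; the second entry is a made-up filler record.
SDN_SNAPSHOT = [
    Listed("JSC Almaz-Antey", date(2014, 7, 16)),
    Listed("Example Maritime Holdings Ltd", date(2013, 1, 1)),  # constructed
]

# Assumed stoplist of legal-form words that carry no identifying signal.
GENERIC = {"jsc", "ojsc", "llc", "ltd", "inc", "co", "corp", "company",
           "holdings", "group"}
WHOLE_STRING_THRESHOLD = 0.85  # assumed cutoff for the naive comparison
TOKEN_THRESHOLD = 0.8          # assumed per-token similarity cutoff


def normalize(name: str) -> str:
    """Lowercase and turn punctuation (including hyphens) into spaces."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", name.lower()).split())


def distinctive_tokens(name: str) -> set[str]:
    """Tokens left after dropping legal-form words."""
    return {t for t in normalize(name).split() if t not in GENERIC}


def whole_string_score(a: str, b: str) -> float:
    """Similarity of the two full names; long extra words drag it down."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def token_containment(candidate: str, listed: str) -> float:
    """Share of the listed name's distinctive tokens found in the candidate."""
    want, have = distinctive_tokens(listed), distinctive_tokens(candidate)
    if not want:
        return 0.0
    found = sum(
        any(SequenceMatcher(None, w, h).ratio() >= TOKEN_THRESHOLD for h in have)
        for w in want
    )
    return found / len(want)


def name_hits(candidate: str, as_of: date) -> list[str]:
    """Listed names, effective on as_of, that warrant manual review."""
    hits = []
    for entry in SDN_SNAPSHOT:
        if entry.listed_on > as_of:
            continue  # not yet designated on the screening date
        if (whole_string_score(candidate, entry.name) >= WHOLE_STRING_THRESHOLD
                or token_containment(candidate, entry.name) >= 1.0):
            hits.append(entry.name)
    return hits


def blocked_by_ownership(owners: dict[str, float], as_of: date) -> bool:
    """50 percent rule: add up the stakes of owners that hit the list."""
    blocked = sum(pct for owner, pct in owners.items() if name_hits(owner, as_of))
    return blocked >= 50.0


def screen(candidate: str, owners: dict[str, float], as_of: date) -> dict:
    return {
        "name_hits": name_hits(candidate, as_of),
        "blocked_by_ownership": blocked_by_ownership(owners, as_of),
    }


AAT = "Almaz Antey Telecommunications LLC"
AAT_OWNERS = {"JSC Almaz-Antey": 51.0}  # ownership share stated in the article

if __name__ == "__main__":
    # Screening dates from the chronology: two before and one after designation.
    for day in (date(2014, 6, 19), date(2014, 6, 27), date(2014, 7, 31)):
        print(day, screen(AAT, AAT_OWNERS, day))
```

The whole-string score for the two names stays well under the cutoff because "Telecommunications LLC" dominates the comparison, which is the kind of robustness gap a periodic test of screening software with known name pairs would surface.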

Analysis

This may be a tough lesson for exporters to absorb. It’s not clear that many exporters conduct quality control checks of their screening software. The raison d’etre for such software is to identify actual or potentially prohibited parties based on name similarities. That is exactly what Metelics expected its software to do.

The proliferation of prohibited and restricted parties – and the lists of such parties – makes it impossible for most companies to keep up-to-date with those lists on their own. That’s the reason so many companies seek software solutions to help meet their compliance obligations. It is the responsible thing to do.

Which makes it a little jarring to read the following exhortation from OFAC:

It is essential that companies engaging in international transactions maintain a culture of compliance where front line staff are encouraged to follow up on sanctions issues, including by promptly reporting to compliance personnel transactions suspected to involve sanctioned parties.

That is surely good advice but it is not clear how it pertains to the facts in the Cobham matter. There is no indication that any Metelics employee was aware of a transaction suspected to involve sanctioned parties – or that any employee ducked their head in the sand.

Nevertheless, it is useful to remember the value of periodic risk assessments during which compliance policies, procedures, and processes are reviewed. Potential weaknesses can be identified and addressed before they lead to violations.

The Bass, Berry & Sims trade lawyers work closely with clients to assist in risk assessments and other compliance exercises. Our targeted, efficient approach to such matters leads to practical, effective solutions. Feel free to contact us anytime if we can assist you.

Article: https://www.bassberrygovcontrade.com/ofac-dings-u-s-defense-contractor-for-sanctions-violations-inadequate-screening/


BIS Denies Export Privileges and OFAC Announces $2,774,972 Settlement with Jereh Group

2018/12/23

By: Danielle Hatch

The Bureau of Industry and Security (BIS) announced a settlement with Yantai Jereh Oilfield Services Group Co., Ltd., of Yantai Shandong Province, China (“Yantai Jereh”) in conjunction with the Office of Foreign Assets Control (OFAC).

BIS alleges that the company committed four violations of the EAR (acting with knowledge of a violation and making false statements to BIS during the course of an investigation). Yantai Jereh has agreed to pay $600,000 to BIS and the company’s 5-year denial period will be suspended if the company pays the BIS fine, in addition to the penalty under their OFAC Settlement Agreement (details below). If at any time, the company commits any violations of the Regulations or fails to pay its penalties on time, BIS can revoke the denial suspension.

The settlement between OFAC and Yantai Jereh is concurrent with the BIS settlement. The main difference is that the company had 11 violations of the Iranian Transactions and Sanctions Regulations causing a much larger fine of $2,774,972. All 11 violations involved exportation or reexportation or the attempted exportation or reexportation of US goods to Iran by way of China. Two of the 11 shipments of oilfield equipment spare parts (coiled tubing strings and pump sets) were seized by US Customs and Border Protection before they left the US.

OFAC determined that the violations constituted an egregious case and the company did not voluntarily disclose their violations.

BIS Charging Letter: https://efoia.bis.doc.gov/index.php/documents/export-violations/export-violations-2018/1206-e2573/file

OFAC Settlement: https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20181212.aspx


Washington Must Wake Up to The Abuse of Software That Kills

2018/12/23

By: Josh Rogin (Josh.Rogin@washpost.com)

Dictators are using spyware to persecute dissidents and journalists at an alarming rate, while the foreign firms that sell these tools assure the public that everything is just fine. It’s time Washington policymakers and lawmakers rein in the proliferation and abuse of software that ends up killing innocent people. This isn’t just a human rights issue. It’s also a matter of U.S. national security.

Israel-based NSO Group is only one in a growing group of companies that has put powerful spyware tools previously available only to a few governments out on the open market. Its Pegasus software, according to human rights groups and independent investigators, has been used in as many as 45 countries, often by authoritarian leaders to aid the persecution of dissidents, journalists and other innocent civilians.

Read Full Article: https://www.washingtonpost.com/opinions/2018/12/12/washington-must-wake-up-abuse-software-that-kills/?noredirect=on&utm_term=.0a610535c165


Commerce Department Proposes Export Controls on Emerging Technologies

2018/12/23

By: George W. Thompson of Thompson & Associates, PLLC (gwt@gwthompsonlaw.com)

“It’s tough to make predictions, especially about the future.” Yogi Berra’s aphorism notwithstanding, the Commerce Department is attempting to do just that with its Review of Controls for Certain Emerging Technologies and has enlisted all of us to help.

As provided by the Export Control Reform Act of 2018, Commerce seeks to identify “emerging and foundational technologies” that are “essential to the national security of the United States.” The goal is to restrict foreign access to designated technologies without hampering their development in the United States.

The end result will be an expansion of the Commerce Control List beyond its current coverage. Although the levels of control on such newly-designated items are open to discussion, the agency pointed out that “at a minimum it must require a license for the export of emerging and foundational technologies to countries subject to a U.S. embargo, including those subject to an arms embargo”.

That “arms embargo” language should catch your eye, since China is among the countries covered. This means that sharing of “emerging and foundational technologies” with China, as well as “deemed exports” to Chinese nationals, would become licensable transactions in place of their current license-free authorization.

Commerce has identified the following sectors to consider for designation as “emerging technologies”: (1) Biotechnology, (2) Artificial intelligence (AI) and machine learning technology, (3) Position, Navigation, and Timing (PNT) technology, (4) Microprocessor technology, (5) Advanced computing technology, (6) Data analytics technology, (7) Quantum information and sensing technology, (8) Logistics technology, (9) Additive manufacturing (such as 3D printing), (10) Robotics, (11) Brain-computer interfaces, (12) Hypersonics, (13) Advanced materials and (14) Advanced surveillance technologies.

The agency seeks comments on such points as defining emerging technologies and their levels of development in the United States and abroad, identifying those important to national security, inclusion of other categories and the impact that “controls would have on U.S. technological leadership.” Although “foundational technologies” will be covered at a later date, Commerce also seeks comments “on treating emerging and foundational technologies as separate types of technology.”

Given that imported products from industry sectors within the “Made in China 2025” initiative have been covered by the Section 301 tariffs, the “emerging and foundational technologies” initiative seems like another full-bore effort to slow China’s technological development; in fact, there is some overlap between the two lists. The portent for U.S. companies and their foreign partners, of course, is that previously-unrestricted sharing of whatever technologies ultimately are designated is coming to a close.

Comments to the Department of Commerce, Bureau of Industry and Security are due by January 10, 2019.