Archive for the ‘Information Technology’ Category

BIS Extends Comment Period for Emerging Technologies

2018/12/23

The Bureau of Industry and Security issued a notice extending the comment period for the proposed rulemaking (ANPRM), “Review of Controls for Certain Emerging Technologies” until January 10, 2019 (recently the comment period would end on December 19, 2018).

You may submit comments through either of the following:

  • Federal eRulemaking Portal: http://www.regulations.gov. The identification number for this rulemaking is BIS 2018–0024.
  • Address: By mail or delivery to Regulatory Policy Division, Bureau of Industry and Security, U.S. Department of Commerce, Room 2099B, 14th Street and Pennsylvania Avenue NW, Washington, DC 20230. Refer to RIN 0694–AH61.

FOR FURTHER INFORMATION CONTACT: Kirsten Mortimer, Office of National Security and Technology Transfer Controls, Bureau of Industry and Security, Department of Commerce. Phone: (202) 482–0092; Fax (202) 482–3355; Email: Kirsten.Mortimer@bis.doc.gov.

Federal Register: https://www.govinfo.gov/content/pkg/FR-2018-12-14/pdf/2018-27148.pdf


Washington Must Wake Up to The Abuse of Software That Kills

2018/12/23

By: Josh Rogin (Josh.Rogin@washpost.com)

Dictators are using spyware to persecute dissidents and journalists at an alarming rate, while the foreign firms that sell these tools assure the public that everything is just fine. It’s time Washington policymakers and lawmakers rein in the proliferation and abuse of software that ends up killing innocent people. This isn’t just a human rights issue. It’s also a matter of U.S. national security.

Israel-based NSO Group is only one in a growing group of companies that has put powerful spyware tools previously available only to a few governments out on the open market. Its Pegasus software, according to human rights groups and independent investigators, has been used in as many as 45 countries, often by authoritarian leaders to aid the persecution of dissidents, journalists and other innocent civilians.

Read Full Article: https://www.washingtonpost.com/opinions/2018/12/12/washington-must-wake-up-abuse-software-that-kills/?noredirect=on&utm_term=.0a610535c165


Commerce Department Proposes Export Controls on Emerging Technologies

2018/12/23

By: George W. Thompson of Thompson & Associates, PLLC (gwt@gwthompsonlaw.com)

“It’s tough to make predictions, especially about the future.” Yogi Berra’s aphorism notwithstanding, the Commerce Department is attempting to do just that with its Review of Controls for Certain Emerging Technologiesand has enlisted all of us to help.

As provided by the Export Control Reform Act of 2018, Commerce seeks to identify “emerging and foundational technologies” that are “essential to the national security of the United States.” The goal is to restrict foreign access to designated technologies without hampering their development in the United States.

The end result will be an expansion of the Commerce Control List beyond its current coverage. Although the levels of control on such newly-designated items are open to discussion, the agency pointed out that “at a minimum it must require a license for the export of emerging and foundational technologies to countries subject to a U.S. embargo, including those subject to an arms embargo”.

That “arms embargo” language should catch your eye, since China is among the countries covered. This means that sharing of “emerging and foundational technologies” with China, as well as “deemed exports” to Chinese nationals, would become licensable transactions in place of their current license-free authorization.

Commerce has identified the following sectors to consider for designation as “emerging technologies”. (1) Biotechnology, (2) Artificial intelligence (AI) and machine learning technology, (3) Position, Navigation, and Timing (PNT) technology, (4) Microprocessor technology, (5) Advanced computing technology, (6) Data analytics technology,

(7) Quantum information and sensing technology, (8) Logistics technology, (9) Additive manufacturing (such as 3D printing), (10) Robotics, (11) Brain-computer interfaces, (12) Hypersonics, (13) Advanced materials and (14) Advanced surveillance technologies.

The agency seeks comments on such points as defining emerging technologies and their levels of development in the United States and abroad, identifying those important to national security, inclusion of other categories and the impact that “controls would have on U.S. technological leadership.” Although “foundational technologies” will be covered at a later date, Commerce also seeks comments “on treating emerging and foundational technologies as separate types of technology.”

Given that imported products from industry sectors within the “Made in China 2025” initiative have been covered by the Section 301 tariffs, the “emerging and foundational technologies” initiative seems like another full-bore effort to slow China’s technological development; in fact, there is some overlap between the two lists. The portents for U.S. companies and their foreign partners, of course, is that previously-unrestricted sharing of whatever technologies ultimately are designated is coming to a close.

Comments to the Department of Commerce, Bureau of Industry and Security are due by January 10, 2019.


Commerce Gives Industry 30 Days to Provide Comments Regarding Possible Export Controls over Emerging Technologies

2018/11/26

By: Kevin J. Wolf, Christian C. Davis, and Nicole M. D’Avanzo of Akin Gump

Key Points

  • The Bureau of Industry and Security published a notice today seeking public comments on how it should define and identify a wide variety of emerging technologies that are not now controlled for export, but should be because they are essential to the national security of the United States.
  • This request for comments is the public start to the most complex, intellectually challenging and economically significant effort to identify simultaneously multiple disparate categories of undefined emerging technologies for non-specific national security concerns that warrant (i) unilateral controls on their export to foreign countries, (ii) limitations on their release to foreign persons in the United States and (iii) additional mandatory filing requirements with CFIUS for non-controlling foreign investments of any size in U.S. businesses in a wide variety of sectors.
  • Comments are due on or before December 19, 2018—i.e., in 30 days.
  • “Representative general categories” of emerging technologies on which Commerce seeks comments “include” (i) “biotechnology”; (ii) “artificial intelligence”; (iii) “Position, Navigation, and Timing (PNT) technology”; (iv) “microprocessor technology”; (v) “advanced computing technology”; (vi) “data analytics technology”; (vii) “quantum information and sensing technology”; (viii) “logistics technology”; (ix) “additive manufacturing”; (x) “robotics”; (xi) “brain-computer interfaces”; (xii) “hypersonics”; (xiii) “advanced materials”; and (xiv) “advanced surveillance technologies.” The notice leaves open the possibility that other categories of technology will be captured in this process.
  1. The Request for Comments Is the Start of the Public Process to Address Concerns About Uncontrolled Transfers of Emerging Technologies

The Commerce Department’s Bureau of Industry and Security (BIS) notice is the administration’s first public step to comply with the requirements of Section 1758 of the Export Control Reform Act (ECRA), which became law on August 13, 2018. As described in previous alerts, Congress created the section to address concerns about a provision in the bills introduced in late 2017 that would have expanded the jurisdiction of the Committee on Foreign Investment in the United States (CFIUS) over investments by U.S. companies in foreign countries that could result in the release to foreign persons of uncontrolled critical technology, including emerging and foundational technologies. Section 1758 addresses the policy concerns of the original CFIUS outbound control provision, but through an ongoing, regular-order, interagency export control process that includes public notice and comment.

Commerce has not proposed in the notice any new export controls or amendments to existing regulations. Rather, it seeks the public’s assistance in creating criteria for identifying specific emerging technologies that are “essential to the national security of the United States,” which is the statutory standard for imposing controls on emerging and foundational technologies. “National security” is not defined in the law or the notice. The notice’s examples of concerns to be addressed do not include the domestic economic policy concerns identified as national security issues in other administration actions, such as those pertaining to the importation of steel and aluminum. Rather, the examples provided are those with “potential conventional weapons, intelligence collection, weapons of mass destruction, or terrorist applications or could provide the United States with a qualitative military or intelligence advantage.”

The administration will review the public comments, along with its own analyses, as part of its plan to prepare a proposed rule to add emerging technologies to the Commerce Control List (CCL) of the Export Administration Regulations (EAR). The proposed rule will identify the countries, end uses or end users to which exports of the newly identified technologies would require a license. After interagency review of the comments on the proposed rule, Commerce plans to publish a final rule implementing the new controls. (If the final rule is consistent with the EAR’s “deemed export” rule, releases of the technology to foreign persons in the United States would require a license if a license was required to export the technology to that person’s home country.) The notice does not contain a schedule for when these events will occur. ECRA requires the administration to ask the relevant multilateral export control regimes to add the newly controlled emerging technologies to the multilateral export control lists. Until and unless that happens, however, the controls will be unilateral, meaning that only the United States will impose them.

The implications of this emerging technology effort are not just with respect to potentially new export controls. Any technologies identified in the export control regulations as “emerging” will also be “critical technologies” under the new CFIUS law, the Foreign Investment Risk Review Modernization Act (FIRRMA). As described in our earlier alert, this means that U.S. businesses that produce, design, test, manufacture, fabricate or develop such technologies and use them in or design them for targeted sectors would be subject to a CFIUS pilot program implementing FIRRMA. Consequently, controlling foreign investments, along with certain non-controlling foreign investments, would be subject to a mandatory filing requirement with CFIUS 45 days before closing.

  1. Standards for Determining What Emerging Technologies Should Become Controlled

In deciding whether to identify a technology as “emerging” and impose controls on its export, ECRA Section 1758 requires the administration to take into account:

  • the development of the technology in foreign countries
  • the effect that export controls imposed pursuant to this section may have on the development of the technology in the United States
  • whether export controls would be effective in limiting the technology’s proliferation to, or development in, foreign countries.

Section 1758 is an element of the broader ECRA statement of policy for export controls, which is that the United States should “use export controls only after full consideration of the impact on the economy of the United States and only to the extent necessary — (A) to restrict the export of items which would make a significant contribution to the military potential of any other country or combination of countries which would prove detrimental to the national security of the United States; and (B) to restrict the export of items if necessary to further significantly the foreign policy of the United States or to fulfill its declared international obligations.”

III. The Representative Emerging Technologies Identified

Neither the notice nor ECRA defines the term “emerging” technologies. To help inform the administration’s development of a proposed rule, the notice lists several broad categories of technologies that may meet the standard of “emerging” for public comment. The listed technologies are “representative” of only the types of technologies that might be considered “emerging” and warranting control. They include:

  • “Biotechnology, such as (i) nanobiology; (ii) synthetic biology; (iii) genomic and genetic editing; (iv) or neurotech”
  • “Artificial intelligence (AI) and machine learning technology, such as (i) neural networks and deep learning (e.g., brain modeling, time series prediction, classification); (ii) evolution and genetic computation (e.g., genetic algorithms, genetic programming); (iii) reinforcement learning; (iv) computer vision (e.g., object recognition, image understanding); (v) expert systems (e.g., decision support systems, teaching systems); (vi) speech and audio processing (e.g., speech recognition and production); (vii) natural language processing (e.g., machine translation); (viii) planning (e.g., scheduling, game playing); (ix) audio and video manipulation technologies (e.g., voice cloning, deepfakes); (x) AI cloud technologies; or (xi) AI chipsets”
  • “Position, Navigation, and Timing (PNT) technology”
  • “Microprocessor technology, such as (i) Systems-on-Chip (SoC) or (ii) Stacked Memory on Chip”
  • “Advanced computing technology, such as (i) “memory-centric logic”
  • “Data analytics technology, such as (i) visualization; (ii) automated analysis algorithms; or (iii) context-aware computing”
  • “Quantum information and sensing technology, such as (i) quantum computing; (ii) quantum encryption; or (iii) quantum sensing”
  • “Logistics technology, such as (i) mobile electric power; (ii) modeling and simulation; (iii) total asset visibility; or (iv) distribution-based logistics systems (DBLS)”
  • “Additive manufacturing (e.g. 3D printing)”
  • “Robotics such as (i) micro-drone and micro-robotic systems; (ii) swarming technology; (iii) self-assembling robots; (iv) molecular robotics; (v) robot compilers; or (vi) Smart Dust”
  • “Brain-computer interfaces, such as (i) neural-controlled interfaces; (ii) mind-machine interfaces; (iii) direct neural interfaces; or (iv) brain-machine interfaces”
  • “Hypersonics, such as (i) flight control algorithms; (ii) propulsion technologies; (iii) thermal protection systems; or (iv) specialized materials (for structures, sensors, etc.)”
  • “Advanced Materials, such as (i) adaptive camouflage; (ii) functional textiles (e.g., advanced fiber and fabric technology); or (iii) biomaterials”
  • “Advanced surveillance technologies, such as faceprint and voiceprint technologies.”

These are not the headings in the notice; they are the entirety of the topics listed for public comment. No additional details or definitions are provided about the meaning of these terms. The notice also does not contain any commentary or guidance on what the potential national security concerns are, or could be, with respect to such technologies, or why Commerce identified these technologies as examples.

  1. The Comments That Commerce Seeks

Commerce asks industry for comments—within the next 30 days—on:

  • how the administration should define emerging technologies
  • what the criteria should be for determining whether there are specific technologies within these general categories that are important to U.S. national security
  • what sources the administration can refer to in order to identify emerging technologies
  • what other general technology categories might be important to U.S. national security and warrant control
  • information about the status of development of the listed technologies in the United States and other countries
  • information about what impact the specific emerging technology controls would have on U.S. technological leadership
  • suggestions for other approaches to identifying emerging technologies warranting controls.

BIS’s first request for comment is about how the administration should define emerging technologies. Because this request is not for advice about abstract or generally applicable definitions, but rather about how the term should be defined in the context of export controls to address the policy concerns that motivated ECRA, a logical approach would be to bind the definition by the statements of policy in ECRA for why the export control system exists and what it is designed to accomplish. Also, given that ECRA Section 1758 is focused on identifying both emerging and foundational technologies, a definition should not include foundational technologies. Thus, an example of a definition that would be consistent with the ECRA standards could be something along the lines of:

“Emerging technologies” are specific, non-mature (i.e., developmental) core technologies essential to the national security of the United States that:

  1. are required for the development, production, use, operation, installation, maintenance, repair, overhaul or refurbishing of specific and identifiable potential conventional weapons, intelligence collection, weapons of mass destruction or terrorist applications;
    ii. could provide the United States with a specific and identifiable qualitative military or intelligence advantage;
    iii. are not available in or otherwise being developed in foreign countries; and
    iv. are not within the scope of any existing multilateral controls.

Note: A technology must not be identified or controlled as “emerging” unless it is within the scope of policy statements in ECRA for which technologies should be controlled for export. In particular, a technology must not be so identified if a unilateral export control over it would:

  1. harm domestic research into the identified technology;
    ii. not be effective at preventing countries of concern from developing it indigenously or otherwise acquiring comparable technology from third countries;
    iii. be imposed without full consideration of the impact on the economy of the United States of such a control; or
    iv. is of a type that is not likely to be considered acceptable by the multilateral regime allies, or that is inconsistent with the standards for the types of controls that are subject to the multilateral regimes.

Each commenter will likely have its own take on how to approach BIS’s first question. Nonetheless, this is an example of a definition that would be consistent with the standards in ECRA.

  1. Items to Which the Notice Does Not Apply

Both ECRA and the notice refer to only possible additional controls on emerging “technology.” ECRA defines “technology” as including “information, in tangible or intangible form, necessary for the development, production, or use of an item.” Thus, the scope of the notice is limited to possible new controls on information that is within the scope of the term “technology” and does not include possible new controls on commodities (i.e., physical items) or software.

The notice also does not apply to “foundational” technologies, which will be the subject of a similar process beginning in 2019. It also does not apply to technology the EAR already exempts from being “subject to the EAR,” such as information that results from “fundamental research” or that is “published” information. This does not mean that EAR99 technologies— technologies that are “subject to the EAR” but not identified on the EAR’s CCL—are exempt from the notice’s scope. To the contrary, the entire purpose of the effort is to identify EAR99 technologies that should be added to the CCL and controlled.

Finally, the notice does not apply to technology already identified on the CCL, the U.S. Munitions List (USML), or another of the U.S. government’s export control lists. Thus, for example, the notice does not seek comment on technology or technical data directly related to or required for the development or production of military items because they are already controlled on the CCL or the USML in specific and broad catch-all categories. Herein lies one of the significantly challenging aspects of the effort. The administration is asking industry to provide advice on which non-mature technologies not directly related to or required for military items are “essential to the national security of the United States.” This is, of course, better than not asking for comments and is an important effort required by ECRA, but it is nonetheless an inherently difficult one for those experts in the referenced technologies who have no national security experience.

  1. Who Should Prepare and File Comments, and What Should They Include?

The notice is open for comments from the public. In particular, any company that develops or produces the types of technologies described on the representative list, or individuals who are experts in the listed or other potentially emerging technologies, should consider submitting comments. Industry will often have more information than the government about their own technologies, including whether they qualify under the statutory standards, and how to describe most accurately the technologies at issue.

Industry will also generally have more information than the government on which technologies are already being developed outside the United States. If a technology is already available outside the United States, ECRA makes clear that it would generally not be a good candidate for a unilateral (i.e., U.S.-only) control because the United States will have no ability to curtail its transfer to destinations, end uses and end users of concern. For comments on foreign availability to be effective, they must be supported with evidence. Companies will, of course, not have proprietary information of their competitors. They will, however, often have a sense for comparable technologies that competitors and academics are already developing through sources such as academic publications, web sites, trade shows, customer comments and government reports.

Industry is also generally in a better position to describe whether, as both a legal and a psychological matter, the imposition of a unilateral export control (and increased foreign investment controls) on a particular technology would be harmful or helpful to domestic research into the identified technology, such as through loss or gain of investments, foreign markets or the availability of qualified professionals necessary to develop it. In particular, commenters should provide estimates in their comments on what the economic implications would be—good or bad—of a unilateral control on the technology and economic sector they know best. Similarly, if a company or individual has reason to believe that an uncontrolled emerging technology has specific application to a conventional weapon, intelligence collection capability, weapon of mass destruction or terrorist activities, or would help or harm a qualitative military or intelligence advantage for the United States, then the notice asks for such information.

All comments filed are made public. Some companies and individuals, however, may not want to publicly disclose what a particularly sensitive military application for their technology could be. Others may not want to describe publicly, and thus to their competitors, what novel commercially sensitive technologies they are developing. If one has such concerns, a common next step is to contact Commerce to discuss how or whether it would be possible for the government to nonetheless get the benefit of the insight.

VII. 30 Days Over the Holidays

Commerce is asking for a massive amount of difficult-to-assemble information on a wide variety of non-mature, hard-to-define technologies, and subsets thereof, and commentary on national security concerns known to only a few people outside of government within 30 days. This period is not only over the holiday season, but also in the heart of the fourth quarter when company engineers, researchers, sales staff, management and other professionals are focused on completing annual sales, shipments and other goals. Although responses to most BIS notices can be primarily handled by trade compliance professionals, quality responses to this notice largely depend upon time-consuming and thoughtful input from professionals not normally involved in export control issues.

BIS requests for information involving far less complex issues have had far longer comment periods. For example, BIS gave industry 60 days to submit comment on (i) possible changes to controls on a small number of specific infrared detection items, (ii) possible controls over spraying and fogging systems, and (iii) whether requirements should be imposed on the export of electronic waste.

ECRA does not impose a 30-day, or any other, time limit on this process or require that all emerging technologies of potential national security concern are of equal significance. Moreover, a core element of ECRA Section 1758 is that the identification process be informed by “multiple sources of information.” There will indeed be a proposed rule on which industry will have an opportunity to provide comments before any final controls are imposed. If, however, you do not believe that 30 days is sufficient to provide comments commensurate with the national and economic security significance, and technological complexity, of such a proposed rule, then you should make that comment, too, and ask for additional time, ideally before Thanksgiving.

Contact Information

For more information, please contact your Akin Gump lawyer, or:

Kevin J. Wolf
Email
Washington, D.C.
+1 202.887.4051

Christian C. Davis
Email
Washington, D.C.
+1 202.887.4529

Nicole M. D’Avanzo
Email
Washington, D.C.
+1 202.887.4557


The Export Control Reform Act and Possible New Controls on Emerging and Foundational Technologies

2018/09/27

By: Kevin Wolf, Partner, Akin Gump Strauss Hauer & Feld, kwolf@akingump.com

(Former) Assistant Secretary of Commerce for Export Administration (2010-2017)

Key Points

ECRA became law on August 13, 2018. It is the permanent statutory authority for the EAR, which is administered by the U.S. Department of Commerce’s BIS. The new law codifies long-standing BIS policies and does not require changes to the EAR, such as to its country-specific licensing requirements.

However, as part of the larger effort to reform the authorities governing CFIUS, the law effectively requires BIS to lead an interagency, regular order process to identify and add to the EAR controls on “emerging” and “foundational” technologies that are “essential to the national security of the United States.”

Although the types of emerging and foundational technologies to be identified are not yet publicly known, anyone involved in emerging and foundational technology areas, such as artificial intelligence, driverless vehicle technology, advanced computing, additive manufacturing or microelectronics, should begin preparing comments on possible new controls in line with the standards in the new law. Commerce will likely soon publish a notice seeking such comments, and the formal comment period will likely be short relative to the complexity and the significance of the issue. The submission of thoughtful and well-supported industry comments will be absolutely critical to the creation of properly scoped and clearly described controls that are consistent with the statutory standards.

  1. Introduction

The Export Control Reform Act of 2018 (ECRA) and the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) became law on August 13, 2018, as part of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (NDAA). One of the primary policy motivations behind both acts was the need to enhance U.S. export and investment controls to address concerns regarding the release of critical technologies to end uses, end users and destinations of concern, primarily China. (FIRRMA is described in a prior alert.)

Another motive behind ECRA was the creation of permanent statutory authority for the Export Administration Regulations (EAR). The EAR primarily control the export, reexport, and transfer of commercial, dual-use and less sensitive military items to end users, end uses and destinations of concern. They also include the antiboycott regulations that the Bureau of Industry and Security (BIS) administers. Part I of ECRA is titled “Export Controls Act of 2018” (ECA) and is the authority for the administration of the export controls that BIS administers. Part II of ECRA is titled “Anti-Boycott Act of 2018” and is the authority for the antiboycott regulations that BIS administers.

For most of the last two decades, the statutory authority for the EAR—the Export Administration Act of 1979—has been defunct. The EAR have been kept in effect through Executive Orders and an emergency declaration issued under the authority of the International Emergency Economic Powers Act (IEEPA) that was renewed by annual presidential notices. (A description of this issue, the export control system generally and the issues motivating the introduction of the legislation can be found in the March 2018 testimony of Kevin Wolf before the House Foreign Affairs Committee.)

The new law essentially codifies existing written and unwritten BIS practices, policies and definitions as they have evolved since 1979. It also gives BIS enforcement officials more authority to investigate possible violations of the EAR. Because the new law essentially preserves the status quo from an exporter’s perspective and does not, for example, change any country-specific licensing policies, it is primarily of interest to export control practitioners. It, however, includes one section, Section 1758, that should be of particular interest to those who do not normally consider themselves affected by the EAR (i.e., those involved in the development or export of emerging and foundational technologies that are not now identified in the EAR or other export control regulations).

  1. ECA Section 1758 Requires the Administration to Identify and Control in the Export Control Regulations Emerging and Foundational Technologies of Concern

BIS has always had the authority to impose unilateral controls on items for national security and foreign policy reasons. (Unilateral controls are those that only the United States imposes, as opposed to controls that BIS publishes to implement agreements of the multilateral export control regimes.) In 2012, BIS provided more structure around the process of identifying and imposing unilateral controls when it created the “0Y521” series. As further described in this notice, BIS has the authority to impose controls over the export of any previously uncontrolled commodity, software or technology that provides the United States with at least a significant military or intelligence advantage, or for any foreign policy reason, so long as the government works to make the controls multilateral within three years (i.e., to get our regime allies to control the same item). The 2012 notice stated that such items are “typically emerging technologies.”

Section 1758 of the ECA essentially codifies this regulatory process and gives the administration a statutory mandate to make the effort a priority. This statutory instruction evolved in response to concerns about a key element of the Committee on Foreign Investment in the United States (CFIUS) reform legislation, FIRRMA, which, as introduced, would have given CFIUS jurisdiction over outbound investments, such as overseas joint ventures, by U.S. critical technology companies that would involve the transfer of intellectual property and associated support. The sponsors’ policy objective with this provision was to give the U.S. government the opportunity to determine and, if necessary, alter or block such outbound investments if they could result in the release of critical emerging or foundational technologies not controlled by the export control system. (More detail about this issue can be found here.)

Over the course of many congressional hearings and other discussions, a consensus emerged that addressing the concern through CFIUS would result in both over-controls and under-controls. The approach would have been an over-control because many benign outbound investments would become subject to CFIUS jurisdiction, which would have placed unnecessary burdens on CFIUS and U.S. industry, and would likely have discouraged welcome foreign investments. It would have been an under-control because it would have regulated only the transfer of the newly identified critical technologies in connection with a covered investment, meaning that the identical technologies could have been legally transferred without government oversight to a foreign person as part of any other type of transaction, such as a simple purchase-and-sale arrangement. The solution was to require the already existing dual-use export control system to put more effort into identifying emerging and foundational technologies of concern and to control their export to end uses, end users and destinations of concern regardless of the nature of the underlying investment.

  1. Technologies Likely to Be Considered “Emerging” or “Foundational”

Congress did not define the terms “emerging” or “foundational” technologies “essential to national security,” but the public debate over the legislation provided hints as to the general areas of concern. During the discussions about CFIUS and export control reform bills, and related public discussions about CFIUS cases and China’s plans to acquire technologies pursuant to its “Made in China 2025” plan, emerging and foundational technologies, such as the following, were informally cited as warranting consideration for possible new controls:

  • artificial intelligence and machine learning
  • augmented reality
  • automated machine tools
  • additive manufacturing
  • autonomous vehicles
  • advanced battery technology
  • “big data”
  • biotechnology
  • gene editing
  • high-temperature superconducting technology
  • hydrogen and fuel cells
  • integrated circuits, semiconductors and microelectronics
  • intelligent mobile terminals
  • nanotechnology
  • robotics

Neither Congress nor the administration has published any sort of list of technologies that are under review or that should be studied. BIS, however, is likely to publish a notice soon, seeking information from the public about broad categories of technologies that potentially warrant control and how the controls could be worded to satisfy the requirements of Section 1758. Consistent with past BIS practice, this notice would not be a proposed rule. Rather, it would be a formal tool for the government to solicit industry input as part of its efforts to identify what technologies should and should not be the subject of possible new controls in a proposed rule to be published later. Industry’s role in this process is critical. Thoughtful and well-supported comments will likely have a positive influence on the government’s efforts to identify which emerging and foundational technologies are and are not essential to our national security and otherwise within the scope of Section 1758.

  1. Questions to Answer for Comments to Be Provided to the Administration

Any formal comment period will be, or will seem, short relative to the complexity and the significance of the issues. Because, as discussed below, Section 1758 foreshadows the questions that will likely be asked in such a notice, those potentially affected by new controls do not need to wait for the notice to be published before internally answering the following questions:

  • Which of the company’s technologies that are not now identified on an export control list (a) are essential to national security or (b) might be deemed so by the administration, particularly in light of the debate over FIRRMA?

 

  • Which such technologies are and are not being developed outside the United States?

 

  • Would research on, and development of, such technologies in the United States be affected if the government were to impose unilateral export controls on such technologies, including on their release to foreign persons in the United States?

 

  • Would unilateral controls on the release of such technologies to foreign persons in the United States or to foreign countries be effective at deterring their transfer to countries of concern?

 

  • Would export control regime allies, such as those in Europe, likely eventually agree to impose controls on the release of such technologies from their countries?

Answers to these questions, and supporting documentation and analyses, will be vital to the preparation of quality comments filed in response to a notice.

III. Elements of Section 1758 – the ECA’s Emerging and Foundational Technologies Provision

  1. The process for identifying technologies must be an interagency process.

Some of the ideas floated during the FIRRMA debate would have given CFIUS or individual agencies, such as the Department of Defense, the authority to nominate and have controlled emerging and foundational technologies. The ECA requires the President to establish an interagency process to do so that involves the departments of Commerce, Defense, Energy and State, and any other necessary department or agency. The motive behind this provision was to ensure that the equities and expertise of all relevant agencies would be considered when identifying such technologies. Because BIS’s mission includes coordinating such interagency efforts, and because any new controls would be published in the EAR, which BIS administers, BIS has the lead role in the identification effort.

  1. The interagency emerging and foundational technology identification process must be a “regular, ongoing” effort.

This reference in the provision makes it clear that the identification and addition of new controls over emerging and foundational technologies is not just a one-time event. It is now, as a statutory matter, rather than just a standard interagency practice, a regular part of the U.S. export control system. The technologies at issue are, by definition, emerging. They are not what the export control system has a history of controlling and analyzing. They are not technologies that have been specially designed for military or intelligence applications because such technologies are already controlled by either the EAR or the International Traffic in Arms Regulations (ITAR). Thus, BIS and the other agencies are likely setting up more formal processes to regularly search for and, as needed, amend the export controls over commercial technologies of concern as they emerge.

  1. The emerging and foundational technologies to be identified are limited to those “essential to the national security of the United States.”

During the debates over the CFIUS and export control reform bills, there was some discussion about whether controls should be imposed on such technologies for purely economic reasons, such as for use as part of protectionist or industrial policy efforts. Export control statutes dating back to the Export Control Act of 1949 have expressly limited the reasons for control to national security, foreign policy and short supply. Although an administration has broad authority to define what constitutes a national security concern, the law conspicuously limits the scope of any new controls to not only those that would address “national security” concerns, but also to those that are “essential” to our national security.

  1. The emerging and foundational technologies to be identified must not include technologies that are already subject to export controls or that become subject to controls under other authorities.

This means that any technologies that are already identified in the export control regulations, primarily the EAR and the ITAR, or that would be added to such regulations later under other authorities, must not be part of the process described in Section 1758. The government thus still has extraordinary discretion to identify items for control, and none of that discretion is affected by this provision, which is focused on resolving a specific policy issue raised during the debate over FIRRMA. If Section 1758 were not included in the law, the administration would have the same authority to do what is required under Section 1758. The only difference is that Congress is requiring the administration to conduct the special effort and setting standards for how to do so.

  1. The interagency process must be informed by multiple sources of information, including (i) publicly available information, (ii) classified information, (iii) information developed during the CFIUS process and (iv) information developed by BIS’s technical advisory committees.

The export control system has always drawn upon such information sources when considering which technologies to control, but not always as part of a formal process. The provision is also a subtle congressional reminder to export control officials to ensure that they expand their technology review horizons over what are, by definition, novel, emerging technologies to get the benefit of those who may have contact with such technologies before they do. Thus, for example, it effectively requires export control officials to reach out to industry and academic experts who may not otherwise interact with the government. It also indirectly emphasizes the need for the intelligence community to commit resources to analyzing emerging technology issues and to provide its work product to export control officials for consideration.

The provision requires that technology issues generated during the review of CFIUS fillings be formally fed back into the export control system for broader consideration. The export control agencies are core members of CFIUS, and there is a long history of their considering whether issues developed during CFIUS cases warrant changes to export controls. The only difference now is that this practice is a formal, statutory requirement. Finally, the provision reconfirms the need for industry experts on BIS’s multiple technical advisory committees to provide their input to export control officials about emerging and foundational technologies. Indeed, BIS is in the process of creating an additional technical advisory committee to focus on such issues, as described here. For those with significant expertise in the emerging and foundational technologies at issue, participating in the new, or in any of the existing, technical advisory committees is a significantly important way to contribute to the quality of the controls.

  1. Before imposing new controls on an emerging or foundational technology, the government must consider whether comparable technologies are being developed outside the United States.

This provision does not prohibit the imposition of controls on technologies being developed outside the United States. When read with other parts of Section 1758, however, foreign availability is clearly an important variable the government must consider when deciding whether technologies should become subject to the new controls. Thus, when responding to BIS’s notices asking for comments on new technologies to control, those potentially affected should provide information about which comparable technologies are and are not being developed outside the United States. Such commercial information, which often is not available to the government, should be as specific as possible if it is to be effective. That is, conclusory comments, such as “This technology is widely available in many countries outside the United States” will not be helpful. Comments such as “This technology is available from Company A in Country X (brochures and specifications attached),” on the other hand, are what the government needs to see in order to make a sensible judgment about whether to impose new controls.

  1. Before imposing new controls on an emerging or foundational technology, the government must consider the effect that the imposition of a unilateral export control “may have on the development of such technologies in the United States.”

As a matter of logic, expectations and history, unilateral controls tend to discourage research and investment in the United States in the affected technologies. Indeed, the ECA states that “[e]xport controls applied unilaterally to items widely available from foreign sources generally are less effective in preventing end-users from acquiring those items. Application of unilateral export controls should be limited for purposes of protecting specific United States national security and foreign policy interests.” This does not mean that unilateral controls are per se prohibited or ineffective, only that this standard is a high bar for the government when deciding whether to propose a new unilateral control. Those in potentially affected industries will thus want to provide in their public comments a thoughtful analysis of whether—and how—a unilateral control over a specific emerging or foundational technology is or is not likely to harm the domestic development of such technologies.

  1. Before imposing new controls on an emerging or foundational technology, the government must consider whether they would be effective in “limiting the proliferation of emerging and foundational technologies to foreign countries.”

This standard is basically a corollary to the other provisions above, but it nonetheless emphasizes the point that imposing controls on technologies being developed outside the United States or with the substantial assistance in the U.S. of foreign scientists and engineers will not likely accomplish the objectives of this section. If commenters have any other reasons that a proposed new control would or would not be effective, then this is the statutory provision to cite in support of why it should or should not be imposed.

  1. Before any new controls may be imposed, the government must provide the public with a notice and an opportunity to comment.

This is the most critical step for industry to comment formally on actual regulatory text and whether the proposed controls do or do not meet the standards in Section 1758. Based on the experience of the Obama administration’s export control reform effort, which involved the publication of dozens of proposed rules for public comment, career staff at the agencies are likely to take well-supported, thoughtful comments seriously.

  1. The new controls will be published as amendments to the EAR.

Earlier versions of the CFIUS and the export control reform bills were unclear about whether or, if so, where new investment or export controls on emerging and foundational technologies would be published. Section 1758 effectively requires that they will be identified in the EAR’s Commerce Control List (CCL).

  1. BIS has broad authority to decide when, and under what circumstances, licenses or other types of authorizations will be required to export identified emerging and foundational technology.

Criteria that BIS, in coordination with the other agencies, must consider when imposing controls include whether the destination is subject to U.S. arms and other embargoes, as well as the potential end uses and end users of such technology. The group of countries subject to such embargoes includes China, Russia and Iran.

  1. Commerce is not required to impose licensing requirements on finished items that are destined to regular customers or on technology when the acquisition would not give the foreign recipient the ability to produce critical technologies.

This exception reflects the provision’s emphasis on emerging and foundational technologies, rather than finished products, that can be used to enhance the indigenous manufacturing capability outside the United States of items essential to U.S. national security.

  1. The Secretary of State, in coordination with the other export control agencies, is required to propose each year for three years any new controls to the relevant multilateral export control regimes for control.

This element of the control reflects Congress’ view that multilateral controls are more effective than unilateral controls. If the regimes do not accept a new control, then Commerce must decide whether national security concerns warrant the continuation of unilateral controls with respect to the technology at issue. Another part of ECA commits the U.S. government to “carry out obligations and commitments under international agreements and arrangements, including multilateral export control regimes.” The most relevant such regime to this issue is the Wassenaar Arrangement, which was “established in order to contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations. The aim is also to prevent the acquisition of these items by terrorists. Participating States seek, through their national policies, to ensure that transfers of these items do not contribute to the development or enhancement of military capabilities which undermine these goals, and are not diverted to support such capabilities.” Thus, to remain consistent with its obligations under ECA, the administration should propose only new controls on emerging or foundational technologies that meet this standard or one of the corresponding standards in the other multilateral regimes (i.e., those pertaining to controlling the proliferation of missiles, nuclear items, and chemical or biological weapons, and related items).

  1. Commerce must report to CFIUS and Congress every 180 days of the actions that it and the other agencies have taken to implement this section.

Normally, congressional reporting requirements do not get much public attention, but this regular obligation to show progress likely will keep the process for identifying and controlling emerging and foundational technologies high on the list of priorities for this and subsequent administrations. This fact further reinforces the need for industry to stay engaged with the government with respect to identifying emerging and foundational technologies that are and are not essential to the national security of the United States.

  1. BIS has broad authority to impose “interim controls” on exports and reexports of emerging or foundational technologies by specific persons.

The EAR contain multiple “is informed” provisions allowing BIS to inform parties that, to address a specific national security or foreign policy concern, a license is required to export an item that would not normally require a license. Section 1758 explicitly gives BIS the authority to create any form of interim controls, such as through the use of similar “is informed” actions imposing licensing requirements on the export by specific persons of specific technologies in a particular transaction, before regulations controlling such technologies are promulgated and made generally effective.

Used properly, this new authority could be a way for BIS to surgically address policy concerns about the transfer of specific kinds of technology in unique circumstances without imposing controls on entire types of technologies or destinations. Thus, for example, if BIS has information that a specific foreign entity plans to use a specific type of EAR99 technology deemed to be “emerging” or “foundational” that would be released during a joint venture for an activity contrary to U.S. national security interests, BIS could prohibit the technology transfer without having to sanction the foreign entity (such as by using the entity list process) or imposing an across-the-board control on the same technology for all exports. In a way, this new omnibus “is informed” authority, which is tucked into a parenthetical in Section 1758, is the broad authority that the proponents of the original FIRRMA bill contemplated when they sought to give CFIUS jurisdiction over outbound investments by critical technology companies. They wanted the U.S. government to have the authority to block otherwise uncontrolled technology transfers in specific circumstances on case-by-cases bases. Such authority now exists, but within BIS (rather than CFIUS) pursuant to Section 1758.

  1. The Statement of Policy Codifies Long-Standing BIS Policies—and Provides the Administration with Considerable Discretion in Administering the System

Section 1752 contains a lengthy statement of policy that may seem new to some, but fairly accurately reflects the written and unwritten licensing and other export control policies that have evolved within BIS since the Export Administration Act was passed in 1979. Some provisions may seem contradictory, but they are examples of the difficult choices that BIS and its interagency colleagues make daily when deciding which dual-use and other items to control, how to control them and when to approve, condition or deny their export.

For example, the section states that export controls should be used only after consideration of their impact on the U.S. economy and only to the extent necessary to advance the national security and foreign policy interests of the United States. These interests require regulations to control the proliferation of items for use in weapons of mass destruction; acts of terrorism; or military programs that could threaten the United States or its allies, or that could disrupt critical infrastructure. They must also, for example, simultaneously (i) preserve the military superiority of the United States; (ii) promote human rights; (iii) carry out our commitments to the multilateral regimes; (iv) facilitate interoperability with our NATO and other close allies; (v) be focused on core technologies of concern; (vi) maintain U.S. leadership in science, engineering, manufacturing and technology, including foundational technologies; (vii) be enforced aggressively and consistently; (viii) be administered in a way that is able to be easily understood; and (ix) be transparent, predictable, timely and flexible.

  1. The Authority to Control Activities by U.S. Persons Is Codified and Slightly Expanded

Unlike the ITAR, the EAR does not have general controls over services provided by U.S. persons, except in connection with violations of the EAR—“General Prohibition 10.” Most of the EAR are focused on regulating the export, reexport and transfer by U.S. and foreign persons of commodities, software and technology subject to the EAR. EAR Part 744 has long regulated the activities of U.S. persons, regardless of whether any technology is transferred, if they relate to weapons of mass destruction or foreign maritime nuclear projects. Section 1753 adds specific authority for the EAR to regulate services by U.S. persons, wherever located, if they are related to “specific foreign military intelligence services.” It remains to be seen how, or whether, BIS will implement this new authority in the EAR.

  1. Licensing Considerations Regarding the Defense Industrial Base

Section 1756(d) requires BIS to deny an application if the proposed export would have a “significant negative impact” on the defense industrial base, which is defined as including (i) a reduction in the availability of an item produced in the United States that is likely to be acquired by the U.S. government for the advancement of U.S. national security, (ii) a reduction in the production in the United States of an item that is the result of federally funded research and development, or (iii) a reduction in the employment of U.S. persons whose knowledge and skills are necessary for the continued production in the United States of an item that is likely to be acquired by the U.S. government for the advancement of U.S. national security. To help make this determination, BIS may seek information from the applicant regarding, for example, why the proposed export would be in the national interest and what the impact would be on the relative capabilities of U.S. and foreign militaries. Although previous administrations took such considerations into account when making licensing decisions, this section describes the standard in a novel, formal way consistent with the underlying policy motivations behind FIRRMA.

VII. Required Review of Licensing Policies Regarding Exports to Countries Subject to Arms Embargoes, Such as China

Although the ECA does not change any country-specific licensing policies, it does require BIS, in coordination with the other export control agencies, to “review license requirements relating to countries subject to a comprehensive arms embargo.” The section does not refer expressly to China or any other country, but it is clearly focused on requiring an evaluation of whether (i) the EAR’s China “Military End Use” rule should be expanded to also apply to “military end users” in China or additional items on the control list not now captured by the rule, and (ii) additional low-end items controlled for “anti-terrorism” reasons to only Iran and other comprehensively embargoed destinations should also be controlled for export to China. BIS must implement any recommended changes before early May 2019. Such changes are likely to occur.

VIII. Penalties and Enforcement

Section 1760 of the ECA codifies civil and criminal penalties that were established under the International Emergency Economic Powers Act (IEEPA). The maximum criminal penalties for willful violations will continue to be $1 million and, for individuals, imprisonment of up to 20 years. Maximum civil penalties will be slightly higher than the current inflation-adjusted penalties under IEEPA—$300,000 or twice the value of the applicable transaction, whichever is greater. Other penalties, such as denying a party the ability to export, remain the same.

Section 1761 of the ECA enhances BIS’s enforcement authorities, which are now on par with other enforcement agencies, such as the Department of Homeland Security and the Federal Bureau of Investigation. For example, a violation of ECRA, which includes both the export control and antiboycott provisions, is now a predicate offense that can be cited to justify a wiretap. ECA also gives BIS enforcement officials the authority to conduct investigations “outside the United States consistent with applicable law.” There are broader issues about the authority of the U.S. government to conduct investigations abroad that are beyond the scope of this alert, but ECA, unlike previous authorities, does not limit BIS to conducting investigations in only the United States. In addition, ECA gives BIS the authority to spend funds or engage in other financial transactions (such as leasing space) to conduct undercover investigations. Finally, ECA expands the bases upon which BIS enforcement can impose denial orders. Previously, BIS’s authority to impose denial orders was limited to situations where the person was convicted of a criminal violation of export control and other national security statutes. ECA expands the authority for BIS to issue denial orders when someone is convicted of criminal violations of conspiracy, smuggling or false-statements laws.

  1. Industry-Friendly Provisions

Consistent with long-standing BIS policies and practices, ECA requires that “licensing decisions are to be made in an expeditious manner [ideally, within 30 days of a request], with transparency to applicants on the status of license and other authorization processing and the reason for denying any license or request for authorization.” As under the Export Administration Act of 1979, no fees may be charged in connection with any license or other request made in connection with the EAR. In addition, BIS is required to continue helping U.S. persons, particularly including small- and medium-sized companies, comply with the EAR through training and other outreach.

  1. Coordination of Export Control and Sanctions Authorities

One of the key unrealized aspirations of the Obama administration’s export control officials was the creation of a single export control licensing agency that administered a single set of export control regulations in order to accomplish the national security and foreign policy objectives of the controls with significantly fewer regulatory burdens. Although the ECA does not suggest or require any organizational changes within the export control system, it does require the President to coordinate the export controls and sanctions administered by the departments of Commerce, State, Treasury and Energy. The ECA goes on to state that, in order to achieve such effective coordination, Congress believes that these agencies:

“should regularly work to reduce complexity in the system, including complexity caused merely by the existence of structural, definitional, and other non-policy based differences between and among different export control and sanctions systems” and

“should coordinate controls on items exported, reexported, or in-country transferred in connection with a foreign military sale [administered by the Department of State’s Office of Regional Stability and Arms Transfers (RSAT)]. . . or a commercial sale [of defense articles administered by the Department of State’s Directorate of Defense Trade Controls (DDTC)] to reduce as much unnecessary administrative burden as possible that is a result of differences between the exercise of those two authorities.”

Examples of how such coordination could be enhanced (but that are not described in ECA) include (i) continued efforts to harmonize definitions of terms in, and organizational structures of, the EAR, the ITAR and the sanctions regulations; (ii) the creation of a single online portal with a single common license application for submissions to BIS, DDTC, and the Office of Foreign Assets Control (OFAC), (iii) combined BIS, DDTC and OFAC training, outreach and enforcement efforts; (iv) regularly scheduled rotations of licensing officers among the agencies for cross training; and (v) delegations of authority making it so that the reexport of military items subject to the EAR have the same requirements and prohibitions, regardless of whether the item was originally exported under a foreign military sale or a direct commercial sale.

  1. Definitions in the EAR Are Unchanged

The definitions of key terms in ECRA, such as “export” and “technology,” are consistent with the definitions revised during the Obama administration’s Export Control Reform initiative. (The definition of “U.S. Person” as proposed would have inadvertently dramatically increased the extraterritorial scope of the regulations. That issue was fixed in the final version of ECRA.) Also, ECRA does not require BIS to change EAR definitions or core concepts, such as the de minimis carveout, or the meaning of “published” information or “fundamental research.” BIS continues to have discretion to amend most of the EAR’s definitions as necessary and to create new definitions.

During the early public discussion about ECRA and the “emerging” and “foundational” technology topic, some in industry expressed concerns that the statutory definition of “technology” would sweep more information within the scope of the EAR than the EAR did. Part of the discussion revolved around the words “required” and “necessary.” Another part revolved the words “development” and “know-how.” ECRA uses the same essential elements of the definition as does the EAR. That is, it defines the term as including information “necessary” for the “development,” “production” or “use” of an “item,” which is defined the same way as the EAR in that it means “commodities,” “software” and “technology.” The main difference is that ECRA uses the word “includes” rather than “means.” This gives BIS authority to expand the scope of covered “technology.” Given this discretion, that “necessary” information is vastly broader in scope than “required” technology, and that the concepts of “emerging” and “foundational” technologies are inherently broad, industry should follow closely the evolution of the proposed new controls. Subtle differences in terminology—such as between the use of “necessary” or “required” as control parameters—can have extraordinarily large impacts on the scope of information subject to licensing or other obligations.


DDTC Posts IT Modernization Webinar: Commodity Jurisdiction

2016/11/15

(Source: State/DDTC)

The webinar presented October 14, 2016 regarding the upcoming deployment of Defense Export Control and Compliance System (DECCS) Release 1 is available for review. The webinar provided a brief overview of the status of the IT Modernization effort and a demonstration of the new Commodity Jurisdiction (CJ) (DS-4076) interface.

Click here to read
Recorded webinar
Presentation slides


Electronics Retailer Pays $275,000 for Illegal Exports of Optical Sighting Devices

2015/02/04

By: John Black

Well-known electronics retailer, B&H Electronics Corp. of New York, most likely lost money on 50 exports of 0A987 optical sighting devices after it agreed to pay $275,000 for 50 illegal export between 2009 and 2012.  In fact, if B&H paid the standard hefty legal fees normally involved in reaching settlement agreements and paid to implement corrective, remedial actions to prevent future illegal exports, its losses could easily exceed double the $275k settlement payment.

Ever the auditor, I couldn’t stop myself from making a quick check-up on the B&H website to see what happens if I pretended to be outside the United States and order some optical sites.  When I indicated I was in Australia, the B&H website would not accept my order and cited US export controls as the reason.  I tried again using the UK, Pitcairn Island, and Canada and B&H refused each one, even for Canada.  I then ordered an Audio Technica turntable pretending to be in the same countries and the system did not refuse my order.

I pulled my audit’s cap tighter onto my head and I entered a fake order from Canada using the name of a person on an export prohibited parties list.  Unfortunately, in order to see if it would accept my order, I would have had to enter a credit card number, and, well I stopped my spot check at that point.  Not only did I not want my credit card charged, I did not want to participate in an export involving a prohibited party.


BIS Adds New Controls in the CCL on Integrated Circuits, Helicopter Landing Systems Radars, Seismic Detection Systems and Technology for IR Up-Conversion Devices

2014/11/24

By: Brooke Driver

Source: Federal Register

The Bureau of Industry and Security (BIS) amended the Export Administration Regulations (EAR) to impose foreign policy controls on read-out integrated circuits and related “software” and “technology,” radar for helicopter autonomous landing systems, seismic intrusion detection systems and related “software” and “technology”, and “technology” “required” for the “development” or “production” of specified infrared up-conversion devices.

The read-out integrated circuits and related “technology” are controlled under new Export Control Classification Numbers (ECCNs) on the Commerce Control List. An existing ECCN has been amended to control the related “software” for those items.

New paragraphs have been added to certain existing ECCNs to control radar for helicopter autonomous landing systems, seismic intrusion detection systems, and the “technology,” as mentioned, for specified infrared up-conversion devices. Specified existing “software” and “technology” ECCNs have been amended to apply to helicopter autonomous landing systems and seismic intrusion detection systems.

The items are controlled for regional stability reasons Column 1 (RS Column 1) and Column 2 (RS Column 2), and antiterrorism reasons Column 1 (AT Column 1).  For more information, go to http://www.bis.doc.gov/index.php/regulations/federal-register-notices#79fr66288.

 


BIS Imposes $750,000 Fine on Intel Sub Wind River Inc. for Violations of Encryption Export Rules—Really?

2014/11/24

By: Felice Laird

I must admit to a shudder of excitement and disbelief when I visited the BIS homepage recently and noticed a banner ad announcing a fine against an “Intel subsidiary for violations of encryption export regulations.”  I am one of the original crypto export geeks, having followed the tortured evolution of the controls from the late 1990’s through the creation and mutations of License Exception ENC, to today’s largely self-policing paradigm.  And I had never heard of a company being investigated or fined for violations in connection with an encryption export–until now.  And so, I wonder, why this, why now?

First, let me give the standard disclaimer;  I have no knowledge of this case other than what I have read in the documents released by BIS, namely, the Press Release, the Proposed Charging Letter, the Settlement Agreement and the Order.  These documents were prepared and issued by BIS, and they reflect only Commerce’s side of the story.  In fact, BIS has ordered the companies involved not to say anything publicly about the case, especially not to deny any of the charges, so we will never get the other side of the story.  The documents give clues as to what the violations were, when they occurred, how the Department found out about them and what the specific punishment is.  What is not clear is why, for the first time in 15 years, BIS came out with a public and painful punishment of a large U.S. company for encryption software exports.

For the export compliance professional, there are several really important things to note when reading the documents.  Here are some of them:

  • Wind River Systems is a subsidiary of Intel that was formed after Intel bought Wind River’s assets (and liabilities!) in 2009.  So, the important take away is that there is “successor liability,” and the government will go after a company for an acquisition’s export violations.  So, ask to be at the table in M&A talks.
  • The statute of limitations for the early violations had run out, but BIS made the company waive the statute somewhere along the line, so that the violations count.
  • The company submitted a Voluntary Self Disclosure that up until now (when done in connection with an encryption violation) usually leads to a nasty gram from BIS but no fines.
  • BIS issued a gag order in the Settlement Agreement prohibiting Wind River from saying anything about the case.
  • The Settlement agreement states that Wind River has to pay up in 30 days, or else they won’t be allowed to use any licenses or exceptions.

From my perspective, enforcement actions are useful training tools.  It is always a “better sell” when I am talking to companies about the risks involved in non-compliance when I have a good enforcement case to present as an example.  And indeed, I have had more than one awkward moment when talking with tech executives and developers who ask me to come up with evidence that the encryption controls are worth compliance measures.  Sometimes, I have to appeal to their patriotism as a last resort.  It is good to know that BIS cares enough about encryption export controls to go after non-compliant companies.

Lately though, I have been seriously questioning the rationale for maintaining export controls on commercial products that use encryption, since the disclosures made regarding NSA surveillance by Edward Snowden last year.  If NSA can intercept and decipher 99 percent of data transmissions, how can the USG continue to maintain that the encryption regs are necessary to support the intelligence community?

The better answer is that Category 5 Part II is synced in most respects to the Wassenaar list and the U.S. is obligated to maintain controls to honor commitments made to the Wassenaar member states.  And it is clear that efforts have been made by at least three of the most powerful delegations (U.S., France and the UK) to shore up controls on “cyber security” products, as they actively considered this at the December 2013 Plenary. (BIS deferred publication of CCL changes, affecting “cyber security” products, agreed to at the December 2013 plenary – indicating that these would be published in September, which has come and gone with no reg in sight.)

So, Wassenaar member states have had controls on encryption too.  But no country has a byzantine regulatory scheme comparable to that maintained by the U.S.  Over the years, License Exception ENC has morphed into a virtually inexplicable licensing loophole.  And so we wonder–should companies really have to continue funneling information to BIS and NSA by way of Classification Requests and Classification reports?  Does NSA really use any of the information?  Does anyone actually read the self-classification reports? ENC shipping reports?

In the few cases over the years that someone from NSA has shown up in daylight to an industry meeting, I always ask the question and get the answer that, yes, the information it gleans from the classification requests and reporting process is still necessary.  I must admit, I have never really bought that story, but that remains part of the answer to the why question.

That brings us back to the timing issue.  The press has widely reported the steps that the information technology industry has been taking to harden products and networks using cryptography and other security technologies to protect customer information from access by government agents.  Perhaps the Wind River case was meant to be a reminder to the industry that the U.S. Government still has the power to regulate which technologies are deployed internationally.


BIS Imposes $750,000 Fine on Intel Sub Wind River Inc. for Violations of Encryption Export Rules–Really?

2014/10/24

By: Felice Laird

I must admit to a shudder of excitement and disbelief when I visited the BIS homepage recently and noticed a banner ad announcing a fine against an “Intel subsidiary for violations of encryption export regulations.”  I am one of the original crypto export geeks, having followed the tortured evolution of the controls from the late 1990’s through the creation and mutations of License Exception ENC, to today’s largely self-policing paradigm.  And I had never heard of a company being investigated or fined for violations in connection with an encryption export–until now.  And so, I wonder, why this, why now?

First, let me give the standard disclaimer;  I have no knowledge of this case other than what I have read in the documents released by BIS last week, namely, the Press Release, the Proposed Charging Letter, the Settlement Agreement and the Order.  These documents were prepared and issued by BIS, and they reflect only Commerce’s side of the story.  In fact, BIS has ordered the companies involved not to say anything publicly about the case, especially not to deny any of the charges, so we will never get the other side of the story.  The documents give clues as to what the violations were, when they occurred, how the Department found out about them and what the specific punishment is.  What is not clear is why, for the first time in 15 years, BIS came out with a public and painful punishment of a large US company for encryption software exports.

For the export compliance professional, there are several really important things to note when reading the documents.  Here are some of them:

*    Wind River Systems is a subsidiary of Intel that was formed after Intel bought Wind River’s assets (and liabilities!) in 2009.  So, the important take away is that there is “successor liability,” and the government will go after a company for an acquisition’s export violations.  So, ask to be at the table in M&A talks.

*    The statute of limitations for the early violations had run out, but BIS made the company waive the statute somewhere along the line, so that the violations count.

*    The company submitted a Voluntary Self Disclosure that up until now (when done in connection with an encryption violation) usually leads to a nasty gram from BIS but no fines.

*    BIS issued a gag order in the Settlement Agreement prohibiting Wind River from saying anything about the case.

*    The Settlement agreement states that Wind River has to pay up in 30 days, or else they won’t be allowed to use any licenses or exceptions.

From my perspective, enforcement actions are useful training tools.  It is always a “better sell” when I am talking to companies about the risks involved in non-compliance when I have a good enforcement case to present as an example.  And indeed, I have had more than one awkward moment when talking with tech executives and developers who ask me to come up with evidence that the encryption controls are worth compliance measures.  Sometimes, I have to appeal to their patriotism as a last resort.  It is good to know that BIS cares enough about encryption export controls to go after non-compliant companies.

Lately though, I have been seriously questioning the rationale for maintaining export controls on commercial products that use encryption, since the disclosures made regarding NSA surveillance by Edward Snowden last year.  If NSA can intercept and decipher 99 percent of data transmissions, how can the USG continue to maintain that the encryption regs are necessary to support the intelligence community?

The better answer is that Category 5 Part II is synced in most respects to the Wassenaar list and the US is obligated to maintain controls to honor commitments made to the Wassenaar member states.  And it is clear that efforts have been made by at least three of the most powerful delegations (US, France and the UK) to shore up controls on “cyber security” products, as they actively considered this at the December 2013 Plenary. (BIS deferred publication of CCL changes agreed to at the December 2013 plenary affecting “cyber security” products – indicating that these would be published in September, which has come and gone with no reg in sight.)

So, Wassenaar member states have had controls on encryption too.  But no country has a byzantine regulatory scheme comparable to that maintained by the US.  Over the years, License Exception ENC has morphed into a virtually inexplicable licensing loophole.  And so we wonder–should companies really have to continue funneling information to BIS and NSA by way of Classification Requests and Classification reports?  Does NSA really use any of the information?  Does anyone actually read the self-classification reports? ENC shipping reports?

In the few cases over the years that someone from NSA has shown up in daylight to an industry meeting, I always ask the question and I get the answer that, yes, the information it gleans from the classification requests and reporting process is still necessary.  I must admit I have never really bought that story, but that remains part of the answer to the why question.

That brings us back to the timing issue.  The press has widely reported the steps that the information technology industry has been taking to harden products and networks using cryptography and other security technologies to protect customer information from access by government agents.  Perhaps the Wind River case was meant to be a reminder to the industry that the US Government still has the power to regulate which technologies are deployed internationally.