Today, companies of all sizes and scopes produce equipment and software that utilize encryption. From business enterprise software that encrypts data as it moves between offices, to routers and switches that contain encryption in their fundamental architecture and anything else that integrates encryption code in some way, encryption-related items intended for overseas markets are likely subject to U.S. export controls.
In fact, even products that don’t contain their own encryption code – yet call third-party encryption (for example, in an operating system) – could be considered encryption items under U.S. export regulations. It’s an area of export compliance that’s as widely misunderstood as it is broad in scope. One of the biggest misconceptions is that all encryption is subject to the International Traffic in Arms Regulations (ITAR). In fact, only a very limited set of military and intelligence-specific cryptographic devices come under the ITAR. Commercial encryption hardware, software and technology have been subject to the Export Administration Regulations (EAR) since 1996.
To anyone with experience in export compliance, that should come as no surprise. U.S. export controls are as voluminous as they are complex. Some controls even defy common sense—yet they are the rules and must be followed. Nothing, not even the smallest detail, can be left to chance when it comes to export compliance. And while executing on an export compliance program takes solid understanding in many areas, the challenge is even tougher when it comes to software or equipment that utilizes encryption.
Indeed, U.S. export rules on encryption – be it common, standards-based encryption or otherwise – are especially intricate. When producers of telecommunications, information security, computers and other products with encryption functionality seek to sell products abroad, they must first understand how U.S. export controls may apply. Still, trying to figure out what’s controlled and what’s not, whether you need a license or not and what information needs to be filed with what entity can be overwhelming for even seasoned exporters.
If, for example, your company manufactures networking infrastructure, and you want to export that to certain types of government customers abroad, you may need a license—or it may be possible to use a license exception, depending on the destination country. On the other hand, some open source encryption software is not subject to any export controls at all.
How do you know? What constitutes controlled encryption? After all, not everything capable of encryption is captured by the Commerce Control List (CCL) as an encryption item. For example, an exercise bicycle that streams workout regimens may use encryption because it runs on an Android platform; but it doesn’t get controlled the same as, say, enterprise VPN software or a network switch would under the EAR.
There’s more. Encryption-related export compliance entails certain requirements that aren’t typical of “normal” export controls. For example, U.S. exporters ordinarily must try to figure out how a particular item is controlled—i.e., how or if it’s classified in an Export Control Classification Number (ECCN). If it is, then the appropriate license requirements apply, and they must be followed. End of story. In other words, self-classification is the norm.
With some encryption products, however, the Bureau of Industry and Security (BIS) requires that companies first approach it by filing a commodity classification request. Consequently, before a U.S. company can broadly export certain encryption products (other than to Canada), it must submit this request (and a substantial amount of supporting technical information) to the BIS. The BIS shares these technical details with the National Security Agency (NSA). In the realm of U.S. export compliance, that’s unusual, and it creates a daunting challenge for companies to understand what’s required, and when it must be submitted.
Another unusual feature of encryption export compliance is the prevalence of reporting requirements. There are two types of encryption-specific reports. The first is an annual Self-Classification Report. This report is required when a company determines the classification of a hardware or software product on its own initiative. The Self-Classification Report essentially tells the government “OK, certain products of ours have been classified by us in these ECCNs.” Additionally, there’s a shipping report for exports (and reexports from Canada) that must be filed twice annually for a subset of encryption items. Again, this is extraordinary in the export compliance realm—yet it’s 100% necessary for companies exporting the affected encryption products.
As you can begin to see, a wide range of controls and variables exists in this arena, depending on what the item is, how it is sold, how it’s used and who uses it. What to do?
At the Export Compliance Training Institute, we understand the challenges that U.S. companies face in all export-related situations—including those that must navigate the complex waters of encryption. In this spirit, we recently released a new on-demand webinar, “Understanding Encryption Export Controls,” that helps companies achieve compliance and maintain it over time in this arena.
The Export Administration Regulations (EAR) have long controlled many forms of commercial encryption; yet the details of the rules have hardly remained static. Moreover, the Bureau of Industry and Security amends the regulations seemingly every few years. With this as a backdrop, “Understanding Encryption Export Controls” is designed to help you learn how to understand and apply EAR controls on encryption, and the crucial steps of classification and license determination.
Training includes a discussion and examples of the following issues:
- Considerations for overseas development and testing
- Open source and other published encryption software not subject to the EAR
- Identifying what is and is not controlled as encryption in Commerce Control List Category 5, Part 2
- Classification of hardware, software and technology in CCL Category 5, Part 2
- Determining if a product qualifies for mass market treatment, and what that means
- All about the primary encryption export authorization – License Exception ENC
- Unique reporting requirements related to the classification and export of encryption
- Export license applications for encryption
- Latest developments and updates to the rules
We hope this article helps you understand some of the encryption-related intricacies surrounding U.S. export compliance for companies involved in this ever-expanding space. As we said earlier, export compliance is a complex and detailed undertaking. Your company’s investments rely on achieving 100% compliance with all applicable export regulations and controls. That said, it is absolutely achievable—you can do it, provided you take the necessary time up front to align with an established and widely acclaimed export compliance training partner who can guide you step by step toward compliance success.
Do you have questions about export compliance challenges around encryption technology and products? Visit www.learnexportcompliance.com to learn about our company, our faculty, our staff and our esteemed Export Compliance Professional (ECoP®) certification program. To find upcoming e-seminars, live seminars and live webinars and browse our catalog of 80-plus on-demand webinars, visit our ECTI Academy. You can also call the Export Compliance Training Institute at 540-433-3977 for more information.
Scott Gearity is President of ECTI, Inc.