Glass Houses, Stones and Cybersecurity

Posted at 1:34 pm on August 30, 2015
Category: Cybersecurity, Technical Data Export, Technology Exports

Recently, the Department of Defense issued an interim rule that would impose on DOD contractors and subcontractors a contractual duty to provide “adequate security” from “unauthorized access and disclosure” for a broad array of unclassified information. Additionally, the interim rule requires DOD contractors and subcontractors to report within 72 hours directly to the appropriate DOD office a “cyber incident” or “malicious software.” A “cyber incident” is defined as an action on a computer network that compromises the network or has an “actual or potentially adverse effect” on the information on the network. Finally, the rule requires contractors to make available “media (or access to covered contractor information systems and equipment)” upon request.

The interim rule, which is immediately effective, applies to all contractors and subcontractors with “covered defense information transiting their information systems.” The “covered defense information” to be safeguarded is extremely broad. It includes information provided to the contractor by or on behalf of DOD in connection with performance of the contract or “critical” or “controlled information stored by or on behalf of the contractor in support of the performance of the contract.

Of particular emphasis for readers of this blog, “covered defense information” also includes export controlled information, including “items identified in export administration regulations and munitions list,” license applications, and “sensitive nuclear technology information.” Beyond these obvious items, the covered export controlled information includes things not covered by existing export control regimes but “whose [sic] export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives.” We have no idea on earth what this could possibly mean or how any contractor can figure out what information, not covered by the EAR or the ITAR, actually fits in this category.

DOD recognizes that such cyber incident reports or other information provided to DOD under this interim rule may include a contractor’s proprietary information, including personal information relating to its employees. In response, DOD states “the government shall protect against the unauthorized use or release” of such information. Does anyone else see the tremendous irony here? The United States government, which has been hacked left and right by the Chinese, the Russians and others, promises to protect the information. To add to the irony, the new rule only applies to unclassified information, which is precisely the type of information the USG has been unable to protect on its own.

Rest assured that anything that you provide to the DOD will be read almost immediately by the Red Army in China. Perhaps the U.S. Government should get its own cybersecurity house in order before it starts preaching to private industry.


UBS Fined by OFAC For Dealing with Secret SDN

Posted at 9:40 pm on August 27, 2015
Category: General

The Office of Foreign Assets Control (“OFAC”) whacked UBS AG, a Swiss bank, with a $1,700,100 penalty today. (That extra $100 is there to prove that OFAC reached this penalty in a super-accurate and completely scientific fashion.) The fine arises from UBS processing 222 transactions of unidentified value for an individual whose name was kept secret by the bank from OFAC but who was apparently designated as a global terrorist on OFAC’s Specially Designated Nationals and Blocked Persons List (the “SDN List”).

Although everyone understands why the Santa in Secret Santa is a secret, it may not be immediately clear why the SDN in a Secret SDN is secret. Apparently, Swiss law protects the names of global terrorists as well as those of ordinary customers. In other words, Switzerland is more interested in protecting the revenue of its banks than the safety of everyone else in the world. Frankly, if OFAC stood up to this nonsense and said it would fine UBS the maximum penalty (at least $250,000 times 222 violations, which comes to $55.5 million) if it didn’t cough up the name of the SDN in question, well, even I might have said that was justified.

There’s another oddity in the OFAC release explaining the penalty. Obviously since the case was all about a secret SDN, the only way that OFAC could have learned about it without annoying the Swiss government is through a voluntary disclosure by UBS.

OFAC has determined that although UBS identified all of the apparent violations, the disclosures are not voluntary self-disclosures within the scope of OFAC’s definition under the Economic Sanctions Enforcement Guidelines, 31 C.F.R. part 501, app. A, because they were substantially similar to another apparent violation of which OFAC was already aware.

It’s rather difficult to get any idea what this means in the context that OFAC has no idea as to the identity of the SDN involved. So what does substantially similar mean? That OFAC had knowledge that UBS was supporting another SDN? Or does it mean that OFAC was aware that UBS had processed blocked funds for the Cuban government? Apparently, OFAC is saying that if it knows that you ever violated any OFAC rule you have no right to voluntarily disclose a separate and unrelated violation of that or a similar rule.

Still, between the Swiss and OFAC in this situation, I’m voting for OFAC.


Skateboarding on Thin Concrete

Posted at 9:02 pm on August 25, 2015
Category: BIS, Cuba Sanctions, OFAC

An article in today’s Washington Post may be attracting some attention over in the halls and cubicles of the Office of Foreign Assets Control (“OFAC”). It describes in some detail how Miles Jackson, a local DC man and skateboarding enthusiast, appears to have been skating around the U.S. embargo on Cuba to deliver skateboards to Cuba and to spend time with his skateboarding buds in Havana.

Apparently the skateboarder became interested in Cuban skateboarding while studying abroad in Cuba during college.  So far, so good; nothing wrong with that.

The dicey stuff starts after he returns to the United States and wants to keep up with his skateboarding buddies in Cuba and send them real skateboards, notwithstanding the travel and export bans for Cuba.

Jackson and [a friend] Bradley began traveling to Cuba that September to drop a few boards off. Because direct travel from the United States was limited, their first trips went through Toronto, Bradley said.

That sentence probably should be re-written to remove the word “limited” — “Because direct travel from the United States was illegal, their first trips went through Toronto.” Of course, direct travel would be legal with a license, but then you wouldn’t go through Canada. Of course, maybe Jackson did get an OFAC license to go skateboarding in Cuba and decided to take the long route through Toronto.

On top of that, Jackson started exporting skateboards to Cuba:

Jackson … regularly travels with up to 50 skateboards at a time. He and his friends, through their nonprofit organization Cuba Skate, have ferried more than 200 skateboards in the past five years to aspiring skaters in the island country.

Of course, that would be okay if licensed, but there is no indication that such licenses were obtained. Another possibility would be export pursuant to BIS License Exception GFT. But that covers parcels addressed to an individual containing quantities normally given as gifts; it does not cover carrying 50 skateboards to Cuba through Canada if that is what happened.

Now Jackson wants to fix up the skateboard parks in Havana. He and some friends

plan to travel again to Havana in September, when they hope to start an ambitious renovation of the country’s only official skatepark, El Patinodromo, on the outskirts of the city. During the rainy season, the park floods, and the metal ramps and rails have begun to rust.

With the embargoes relaxed, Jackson hopes to replace the aging ramps and rails over five to eight weeks, pending permission from the State Department.

The State Department? Really?? Apparently the editors at the Washington Post (like their colleagues at the Wall Street Journal) must also be on vacation.


Guns and Meat: More on the Midamar Case

Posted at 9:58 am on August 20, 2015
Category: General

I have wondered about the persistent zeal of the DoJ in pursuing a criminal case against Bill Aossey, the owner of Midamar Corp., for irregularities in meat exports that may or may not have caused those exports to violate a ban imposed by several countries on the import of non-halal meat products. You can read more about the prosecution of Mr. Aossey here, here, and here. There have been persistent rumors that somehow or other Aossey was involved in smuggling arms to Lebanon. Now we know where those rumors came from.

On Wednesday, a Cedar Rapids newspaper announced that various members of the Herz family, who apparently had been employed at Midamar and were friends with Aossey, were indicted for, among other things, unlicensed exports of firearms to Lebanon. The indictment alleges that the arms were hidden by the Herz defendants inside Bobcat skid loaders that were placed in containers shipped from Midamar’s loading docks.

This issue apparently came up after Bill Aossey’s conviction when the prosecution argued that Aossey should be jailed pending sentencing. They based their argument on his association with the Herz family and the use of Midamar facilities by Herz to engage in the illegal gun exports. Aossey claimed that the containers, which belonged to the Herz defendants, were also being used by Midamar to ship relief items to Lebanon and that he did not know that guns were hidden in the skid loaders. The prosecution, on the other hand, said this:

Assistant U.S. Attorney Richard Murphy admitted there wasn’t direct information tying Aossey to buying or smuggling guns. But he argued it was difficult to believe Aossey didn’t know about it.

There is a compliance lesson here hidden among the meat, guns, skid loaders and relief items: don’t share shipping containers, even with your best friends.


It’s August, So All the WSJ Editors Must Be in the Hamptons

Posted at 6:34 pm on August 18, 2015
Category: General

Welcome to Pick-on-the-Wall-Street-Journal Week, which we have just declared because the once-fabled publication has, for the second time in two days, had an unfortunate run-in with fact-checking and U.S. export laws. In a piece titled “Iranian Art Lovers Await Accord’s Benefits,” reporter Kelly Crow says this:

For decades following Iran’s 1979 Islamic revolution, U.S. collectors wishing to visit Iran needed a travel license from the U.S. Treasury Department’s Office of Foreign Assets Control, which gave out a handful of licenses a year to those seeking to visit Iran and bring home “informational materials.”

Both travel to, and imports from, Iran were banned for the brief period from April 17, 1980, pursuant to Executive Order 12211, until January 23, 1981, when Executive Order 12282 revoked the travel and import bans imposed by President Carter in Executive Order 12211. Thereafter, no license has ever been required to travel to Iran.

Imports from Iran were not banned again until 1987, when President Reagan issued Executive Order 12613. Shortly thereafter the Berman Amendment was passed in 1988 as section 2501(b) of the Omnibus Trade and Competitiveness Act of 1988. Under the Berman Amendment, “informational materials” could be imported from Iran. OFAC guidance provides that artwork classified under HTSUS 9701, 9702 and 9703 qualifies as “informational materials” eligible for importation from Iran without a license.

So, to summarize, licenses were not required “for decades” in order to travel to Iran to bring back artwork. A license to travel to Iran and to bring back artwork was required for less than one year between 1980 and 1981. Importing artwork from (but not travel to) Iran was banned thereafter only between October 29, 1987, and August 23, 1988.  After that, artwork could be freely imported from Iran without license as informational materials.
