Archive for the ‘BIS’ Category



The District of Columbia? Is That Somewhere in South America?

Posted by at 11:59 pm on June 10, 2015
Category: BIS

African American Civil War Memorial Metro Stop by Clif Burns via Flickr [with permission]Those of us who live in the District of Columbia are used to, if not content with, the routine indignities imposed on us as residents of that tiny square of reclaimed swamp land sandwiched in between Virginia and Maryland.   Like convicted felons, we can’t vote for anyone in Congress.  Like third-world dictatorships, any laws enacted by our city council cannot go into effect unless approved by our unelected overlords in Congress.  When trying to book a hotel or buy a gadget over the Internet, we find we can’t fill out the order form because the District of Columbia, which is not a state, is not listed in the drop-down list of states.   When traveling, we can be denied boarding flights because some TSA agent decided that a D.C. drivers license isn’t a state-issued ID.

So kudos to the Bureau of Industry and Security (“BIS”) for, at last, recognizing that the District of Columbia exists, as it finally did in the recently proposed amendment to the definitions in the Export Administration Regulations.  Currently, section 734.2(b)(8) of the EAR says this:

Export or reexport of items subject to the EAR does not include shipments among any of the states of the United States, the Commonwealth of Puerto Rico, or the Commonwealth of the Northern Mariana Islands or any territory, dependency, or possession of the United States. These destinations are listed in Schedule C, Classification Codes and Descriptions for U.S. Export Statistics, issued by the Bureau of the Census

Take a look at Schedule C which defines those territories, dependencies and possessions of the United States that are not exports, and you will see Puerto Rico, the Virgin Islands, Guam, American Samoa, Northern Mariana Islands, and the United States Minor Outlying Islands. Conspicuously missing from the list is the District of Columbia.

The proposed amendments add a new section 734.18(a)(3) which says this:

Shipping, moving, or transferring items between or among the United States, the District of Columbia, the Commonwealth of Puerto Rico, or the
Commonwealth of the Northern Mariana Islands or any territory, dependency, or possession of the United States as listed in Schedule C, Classification Codes and Descriptions for U.S. Export Statistics, issued by the Bureau of the Census.

Now that may be good news for us in the District of Columbia, but it’s bad news for anyone who has ever shipped an item on the Commerce Control List, such as a cattle prod, into the District of Columbia in the past five years. Anyone who did that has violated U.S. export laws because the District of Columbia is not a state and it’s not listed in Schedule C. It’s a foreign destination under current rules. You could go to jail. You could be fined $250,000 for each such export by BIS. You could have your export privileges denied. So, folks, get those voluntary disclosures in before you find a team of ICE agents in your offices carting off all your computers and interrogating all your employees.

Permalink Comments (1)

Bookmark and Share



BIS Finally Releases Proposed Cybersecurity Rules

Posted by at 11:55 pm on May 20, 2015
Category: BISCyber Weapons

Photo: Harland Quarrington/MOD [see page for license], via Wikimedia Commons istry_of_Defence_MOD_45153616.jpgAt long last, and well after the E.U. and many other members of the Wassenaar Arrangement, BIS has released proposed (but not final) rules implementing the December 2013 changes adopted by the Arrangement and which imposed export controls on “intrusion detection software” and “IP network communications surveillance” systems and equipment. After the E.U. adopted the 2013 changes in October 2014, we speculated that the delay by BIS beyond its announced September 2014 date for releasing a proposed rule was that it perhaps was struggling with the impact of Wassenaar’s overbroad definition of “intrusion detection software.” But we were wrong.

The proposed rule adopts the Wassenaar changes without clarification of the scope of coverage of intrusion detection software. Instead, the delay seems to have been wholly occasioned by housekeeping matters: specifying the reasons for control, deciding that no license exceptions would apply, and so forth. The proposed BIS rules also grapple with a rather esoteric problem: what to do with intrusion detection software with encryption functionality. And it decides that the software is classified, and must comply with, both ECCNs, which, at last, concedes something BIS long said was impossible: that an item could have two ECCNs. Finally, and I’m not joking, so I’ll quote the agency itself to prove that I’m not

[a] reference to §772.1 is proposed to be added to ECCNs 4A005, 4D001 and 4E001 to point to the location of the ‘‘intrusion software’’ definition, as this rule may be of interest to many new exporters that would not otherwise know that double quoted terms in the EAR are defined in §772.1.

Seriously? Now BIS starts to worry about the indecipherability of the EAR and the secret rules of interpretation that must be applied? What next? Will proposed rules start spelling out “n.e.s.”?

But, all joking aside, the problems with the definition of intrusion software remain

‘‘Software’’ ‘‘specially designed’’ or modified to avoid detection by ‘monitoring tools,’ or to defeat ‘protective countermeasures,’ of a computer or network-capable device, and performing any of the following: (a) The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or (b) The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

The notes indicate that protective measures include “Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) or sandboxing.”

Many have pointed out this definition would cover programs that permit auto-updating without user intervention, such as, for example, the Chrome browser, which updates itself in the background and circumvents protections normally imposed by the operating system to prevent installation or modification of programs without user intercession. Address Space Layout Randomization (ASLR) loads program components into random addresses in memory as a security measure against buffer overflow attacks and yet legitimate programs that must “hot-patch” operating servers or systems must scan memory to locate the program components, thereby both extracting data and defeating ASLR. The definition of sandboxing as a protective measure will subject programs that permit rooting or jailbreaking of mobile telephones to export controls.

I don’t normally try to look into a crystal ball and make predictions about the future, but I see clearly a flood of classification requests by software developers.

Permalink Comments Off on BIS Finally Releases Proposed Cybersecurity Rules

Bookmark and Share



BIS Publishes Tips You Can Use (or Not) to Unmask Russian Straw Purchasers

Posted by at 9:48 pm on May 19, 2015
Category: BISRussia Sanctions

By Daderot (Own work) [CC0], via Wikimedia Commons Bureau of Industry and Security (“BIS”) just released new guidance, snappily titled “Guidance on Due Diligence to Prevent Unauthorized Transshipment/Reexport of Controlled Items to Russia,” which attempts to reveal ways in which U.S. exporters can detect whether a purchaser is sneakily trying to buy things not for itself but for the bad guys in Russia. This, of course, is a laudable purpose, not just for the Russians, but for the many other countries and entities that know they can’t directly buy certain export-controlled goods and have a straw purchaser do their dirty work. But, sadly, most of the advice for sniffing out secret Russian intermediaries is about as useful as the secret decoder rings that used to be found in cereal boxes.

Here it is:

When inquiring into the ultimate destination of the item, an exporter should consider e-mail address and telephone number country codes and languages used in communications from customers or on a customer’s website. The exporter should also research the intermediate and ultimate consignees and purchaser, as well as their addresses, using business registers, company profiles, websites, and other resources. … Furthermore, exporters should pay attention to the countries a freight forwarder serves, as well as the industry sectors a distributor or other non-end user customer supplies.

Particularly risible is the advice to pay attention to the “email address and … languages used in communications from customers or on a customer’s website.” Because, of course, if you’re trying to hide the fact that your acting on behalf of the Russians you’re going to put up a website in Russian, email from a .ru domain, and say “Nyet” when asked if you’re secretly working for the Russkis.

It’s not quite clear why BIS mentions these factors — which may from time to time catch a really stupid Russian intermediary who slips and starts babbling in Russian — rather than more reliable red flags. The most frequent indicators that you’re dealing with an imposter is a purchaser who appears to have no clear understanding of, or use for, the item he or she is seeking to purchase. Small purchasers that your company has never dealt with or who say that they are simply a reseller should set off alarm bells. And here’s a personal favorite: Google Maps Street View is your friend. If you track down the address in Amsterdam and see that the purchaser of a controlled accelerometer is a bicycle store or a car repair garage, well, your work is done.

Permalink Comments (1)

Bookmark and Share



Export Control Reform Comes to USML Category XII

Posted by at 11:25 pm on May 5, 2015
Category: BISDDTCNight Vision

AN/PSQ-20 Enhanced Night Vision Goggle (ENVG) by Program Executive Office Soldier [CC-BY-SA-2.0 ( and/or Public Domain (work of government employee)], via Flickr [cropped]Well, who would have thought? Contrary to broad expectations that export control reform would never in a million years come to Category XII, which contains tactical gamestoppers such as night vision and laser designators and markers, export control reform came today to Category XII in the form of proposed rules. The BIS proposed rules are here; the DDTC proposed rules are here.

While it may be surprising that Category XII is being reformed, it is not so surprising that the new “positive” list of items controlled in the new proposed Category XII has expanded considerably, growing from less than a page in the Code of Federal Regulations to five densely packed pages in the Federal Register. And what is and isn’t on this extensive new list will be the subject, I assume, of extensive industry comments due, by the way, on July 6, 2015.

Because of the much-publicized interagency squabbling between BIS and DDTC over which agency license which night vision system, a quick look at the new provisions relating to night vision is instructive. Obviously, the new rules do not simply cover infrared focal plan array detectors (“IRFPAs”) and image intensification tubes (“IITs”) designed for military use but instead cover IITs and IRFPAs with specified peak response levels. IITs meeting the peak response rate for IITs must have either second or third generation photocathodes. Interestingly, the definition of second and third generation photocathodes is completely different in the proposed rules from the definition given in the current USML, reinforcing the general conception that nobody really knows what the difference is between second and third generation night vision beyond the obvious: third is better than second.

A note to be included to subparagraph (c), which covers night vision, in Category XII appears to maintain, more or less, the current principle, at least for certain components, that when they are incorporated into commercial systems, the commercial system is not subject to ITAR controls, but the parts in question will be subject to ITAR controls if exported separately from the commercial system. However, a new qualification to this principle, that is not currently expressed in Category XII, is added: for this rule to apply, the component must not be removable from the system “without destruction or damage to the [component] or render [sic] the item inoperable.” What the practical impact of this new qualification will be is hard to predict, but my guess is that it may gut the exception and expand control over commercial system given that I can’t imagine many situations where the item can’t be removed without destroying it. But I’ll defer to any engineers who may know better whether this is the case or not.

Permalink Comments Off on Export Control Reform Comes to USML Category XII

Bookmark and Share



Florida Man Sentenced for Brokering Dual-Use Exports

Posted by at 10:10 pm on April 29, 2015
Category: BISCriminal Penalties

Universal Industries HQ via Google Maps [Fair Use]
ABOVE: Universal Industries HQ

Russell Henderson Marshall, a UK citizen living in Florida, pleaded guilty and was sentenced to 41 months in prison and deportation on charges that he brokered dual-use items listed on the Commerce Control List. Yes, that’s right — for brokering non-USML items listed on the CCL. Because there is no prohibition on unlicensed brokering of items on the CCL, you may wonder how this happened.

To understand how this happened, we have to go back to 2012 when Universal Industries Limited, Inc., was slapped by the Bureau of Industry and Security with an Order Denying Export Privileges based on Universal’s conviction under the Arms Export Control Act for unlicensed exports of military aircraft parts. The order prohibited Universal or any of its employees from “carrying on negotiations concerning … any item … to be exported from the United States.”

Marshall was the CEO of Universal and was charged with two counts of violating the denial order. The first count, as described in the factual proffer supporting Marshall’s guilty plea, alleged that he sent an email to a potential U.S. purchaser quoting a price for three aircraft temperature sensors. A document recovered after a BIS agent did some dumpster diving behind Universal’s office.  Documents found in the trash revealed that the sensors were destined for the Royal Air Force of Thailand. The second count alleged that Marshall exchanged emails with a U.S. company related to a jet aircraft part to be exported to the Pakistan Air Force. The content of the emails sent by Marshall are not revealed.

Oddly, the factual proffer devotes considerable space to establishing that the items involved were ECCN 9A619.x. Given that the Denial Order would be violated if Marshall sent an email with a price quote for a Snickers Bar that was to be sent to Canada as a family birthday gift, it is not quite clear why the documents go to such length to establish that the items were not simply EAR99.

Permalink Comments Off on Florida Man Sentenced for Brokering Dual-Use Exports

Bookmark and Share