Archive for the ‘BIS’ Category



Fat Man Sanctioned over Little Boy


Posted by at 11:16 pm on March 17, 2016
Category: BIS, North Korea Sanctions, OFAC

Fat Man and Little Boy via KCNA [Fair Use]

Yesterday, the White House released an Executive Order ramping up U.S. sanctions on North Korea as a result of a recent ballistic missile test by the Norks and, it can be reasonably assumed, as a result of the Fat Man’s recent claim to have his own Little Boy (or is it vice versa?). The new sanctions impose a complete ban on all exports of goods and services to North Korea, and as usual, with any executive order that gets drafted over at OFAC, the order, whether due to sloppy drafting or purposeful ambiguity, raises more questions than it answers.

Here’s the relevant provision that needs to be parsed:

Sec. 3. (a) The following are prohibited:

(i) the exportation or reexportation, direct or indirect, from the United States, or by a United States person, wherever located, of any goods, services, or technology to North Korea;

(b) The prohibitions in subsection (a) of this section apply except to the extent provided by statutes, or in regulations, orders, directives, or licenses that may be issued pursuant to this order or pursuant to the export control authorities implemented by the Department of Commerce, and notwithstanding any contract entered into or any license or permit granted prior to the effective date of this order.

Prior to this order licenses have been required by the Bureau of Industry and Security for all items subject to the EAR other than food or medicine. BIS would license, on a case-by-case basis, EAR99 items (other than luxury goods) to North Korea. Items on the Commerce Control List subject to NP or MT controls are subject to a presumption of denial.

The new provision, due to the “notwithstanding” clause of subsection (b), appears to invalidate all existing specific licenses for exports to North Korea. Whether this Order changes the existing policy of BIS for future licenses is unclear and depends on what is meant by “export control authorities implemented by the Department of Commerce,” which is anybody’s guess. What is clear is that items not subject to the EAR, which previously could be exported to North Korea, cannot now be exported to North Korea by U.S. persons unless such items are transshipped through the United States and a license is obtained from BIS or an OFAC license is obtained if the items are not shipped back to the United States first.

At the same time as the Executive Order, OFAC issued nine new general licenses, such as General License No. 7 which authorizes mail and telecommunications services to North Korea. Other general licenses permit most of the usual exceptions to bans on exports of services such as emergency medical services, legal services, intellectual property services, and personal financial remittances. Oddly, the normal exception for services related to Internet-based communications is not included. So, you can send snail mail to the Norks but sending email is not allowed.

One nagging question is whether the travel and information exceptions in the Berman Amendment remain in place. Neither OFAC’s existing North Korea regulations nor the order contain a travel exemption, such as the one contained in section 560.210(d) of the Iranian Transactions and Sanctions Regulations. Nor does the order or those regulations contain an exemption for informational materials such as is found in section 542.211(b) of the Syria Sanctions Regulations.

Both the travel and informational material exceptions in the Berman Amendment may not be applicable because the Berman Amendment only applies to actions taken under the International Emergency Economic Powers Act (“IEEPA”). This latest executive order relies not only on IEEPA but also on the North Korea Sanctions and Policy Enhancement Act of 2016 (Public Law 114-122). Whether or not section 3 of the new order is authorized by the North Korea Sanctions and Policy Enhancement Act is not clear. If section 3 is authorized under that statute, services related to travel to North Korea and the provision of informational services to North Korea would not be permitted unless OFAC specifically authorizes such services in its regulations or provides for specific licenses which, so far, it has not done.

Photo Credit: KCNA



Copyright © 2016 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)


ZTE Zells ZTE Zhells by the Zeashore


Posted by at 5:57 pm on March 7, 2016
Category: BIS, Iran Sanctions

ZTE Stand 6 via http://www.zte.com.cn/cn/events/ces2013/show/201301/t20130110_381605.html [Fair Use]

The Bureau of Industry and Security (“BIS”) is placing Chinese telecom giant ZTE (and three related companies) on the Entity List tomorrow according to this pre-release version of the Federal Register notice announcing the action. As a result, all items subject to the EAR will require an export license prior to any export to ZTE. Under this action, all applications for such licenses will be subject to a policy of denial.

The action is taken as a result of the diversion by ZTE of certain U.S. origin products to Iran. More important, perhaps, than the diversion itself is that BIS caught ZTE playing a shell game and ZTE lost. Somehow or other, BIS got its hands on a ZTE internal document, labelled “Top Secret Highly Confidential” and titled, innocently enough, “Proposal for Import and Export Control Risk Avoidance.” In fact, this incriminating document might be better titled “Everything You Wanted to Know about Shells but Were Afraid to Ask.” It sets out, in excruciating detail, a plan for setting up a chain of shell companies through which the U.S. goods would pass with the hope that it would throw the U.S. government off the scent of what was really going on. Under this plan, a Chinese company owned by an allegedly independent Chinese investor would buy U.S. parts, sell them to another Chinese company, owned by another allegedly independent Chinese investor, which would sell those to another single “independent” Chinese investor company in Dubai, which would then sell the goods to Iran.

Two juicy quotes from the report will give you the idea of what ZTE had in mind:

However, the detached [shell] companies … are invested by natives of [the People’s Republic of China] and not only does our company need to make [the detached shell companies] operate independently, [our company] also needs to effectively control them.

Yea, sure, that works … if you believe in oxymorons and unicorns.

The biggest advantage of [this] Model is that it is more effective, [because it’s] harder for the U.S. Government to trace it or investigate the real flow of the controlled commodities; and in formality, our company is not participating in doing business with [Iran].

Right, “in formality” it’s not doing business with Iran because it’s being done by those companies that look like they operate independently but which ZTE “effectively control[s].” Game over.


BIS Still Mulling Over Cybersecurity Export Rules


Posted by at 11:30 pm on January 13, 2016
Category: BIS, Cyber Weapons, Cybersecurity

Untitled by Kevin Wolf via https://scontent.fash1-1.fna.fbcdn.net/hphotos-xfa1/t31.0-8/12471591_10208490792490184_1220994233873918423_o.jpg [Public Domain - Work of U.S. Government]

Yesterday Kevin Wolf, the Assistant Secretary of Commerce for Export Administration, testified before the House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies on the much reviled controls in the Wassenaar Arrangement on exports of certain software and technology. His testimony provides detailed insight into the interaction between the Bureau of Industry and Security, which is charged with implementing the Wassenaar Arrangement controls, and the technology and cybersecurity industry and community, which was concerned about the overbreadth of the Wassenaar controls on “intrusion” software. This blog has previously articulated some of these concerns, particularly the extent to which the Wassenaar controls on “intrusion” software could reach auto-updating software, Address Space Layout Randomization (ASLR) security measures, and hot-patch programs.

Assistant Secretary Wolf’s testimony reveals that Commerce’s concerns about the potential overbreadth of the Wassenaar controls on intrusion software led the agency to take the “unprecedented step” of releasing the controls as a proposed rule and soliciting industry comments. Such a step is “unprecedented” because normally Commerce simply adopts and adds to the CCL all changes adopted by the Wassenaar Arrangement. The result of the request for industry comment, according to the testimony, was more than 260 comments, “virtually all of them negative.” The negative reaction was echoed in outreach meetings held by Commerce with industry. Assistant Secretary Wolf’s testimony summarizes these concerns, including the concerns we have expressed about how they would reach certain auto-updating and hot-patching programs.

Most importantly, Assistant Secretary Wolf’s testimony says this:

Neither the Commerce Department nor the Administration has reached a conclusion about how to respond to the public comments. We are still reviewing and considering them. … The commenters had many suggestions regarding how to address their concerns. The Administration will be reviewing all of them and many other ideas for how to address the policy objectives of the control but without unintended collateral harms. As I have said many times in response to questions about the rule, the only thing that is certain about the next step is that we will not be implementing as final the rule that was proposed.

The moral of this story is clear, even if the shape of the ultimate rule is not. The export industry, as demonstrated conclusively throughout the export control reform initiative, has been loath to comment on proposed rules, whether from fear of standing out from the crowd or because of a belief that such comments will have no effect. As a result, Assistant Secretary Wolf has been known to remark that industry gets the rules they deserve. The response of Commerce here to the issues raised in the comments and industry outreach, however, shows that there are times when public input will have an impact. So the moral of the story is simple: you may not get everything you ask for, but you’ll almost never get what you want if you don’t even ask for it.


Egregiousness, Like Beauty, Is in the Eye of the Beholder


Posted by at 11:04 pm on December 29, 2015
Category: BIS

By Daderot (Own work) [CC0], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3APatent_quote_-_United_States_Department_of_Commerce_-_DSC05103.JPG

Not to be outdone by the Directorate of Defense Trade Controls, which left a nice little gift under every exporter’s tree last week, the Bureau of Industry and Security had a gift of its own which it dropped down everyone’s chimney the day after Christmas. Of course, whether it is a gift or a lump of coal is open to some discussion.

The gift/coal lump in question consists of proposed guidelines for the assessment of penalties for export violations. It more or less adopts the mostly unhelpful scheme in place over at the Office of Foreign Assets Control, going so far even as to adopt the notoriously unhelpful distinction between egregious and non-egregious cases. The base penalty would be established by looking at whether the case is egregious and whether a voluntary disclosure had been filed.

If the case is egregious and there is no voluntary disclosure the base penalty is the statutory maximum. (Ouch!) If egregious and voluntarily disclosed, the base penalty is half the statutory maximum. (Still an ouch!) If non-egregious but without a voluntary disclosure, the base penalty is a thing called, in Mid-Atlantic bureaucratese, the “Applicable Schedule Amount” capped at $250,000 per violation. The Applicable Schedule Amount is basically a bracketed round-up of the transaction value. For example, it’s $170,000 for transactions valued at between $100,000 and $170,000. And for non-egregious violations that were voluntarily disclosed, it is the transaction value capped at $125,000 per violation. BIS then pulls aggravating and mitigating factors out of the sorting hat and decides whether to impose a penalty greater than or less than the base penalty.

Now let’s talk about whether these Guidelines are a gift or a lump of coal. Because BIS takes the odd opportunity in the proposed guidelines to remind lawyers that it can disbar them from practice before the agency for whatever reason it wants, let’s start with the gifts and leave the lumps of coal for last in hopes that no one from the agency will read down that far.

Gift: BIS reiterates that most voluntary disclosures will result in no-action or warning letters and thus will not even involve these guidelines. In fact, BIS says this:

[O]ver the past several years, on average only three percent of VSDs submitted have resulted in a civil penalty.

Gift: Acquiring companies will not be weighed down by the sins of acquired companies. This is not a retreat from the doctrine of successor liability, premised on the ridiculous notion that without such liability companies will commit export violations willy-nilly knowing that they can easily absolve themselves by selling the company. (One has to imagine that no one at BIS has ever done a corporate deal if they actually believe this.) But the Guidelines now make clear that, if the acquiring company discloses and cleans up the target’s past violations, they won’t be counted under the aggravating factor for prior violations in subsequent voluntary disclosures by the acquiring company.

Lump of Coal: BIS is expressly reverting back to its practice of “piling on” violations, something it swore up and down to Congress it would stop doing if Congress upped the penalties to $250,000 per violation, a promise the agency kept for a while when it said that in cases where the same act led to multiple violations it would only charge the most serious. Well forget that. Now we are expressly back to the situation where if an exporter misclassifies an item, it has committed three (if not more) violations: one for the illegal export, one for the wrong ECCN on the AES, and one for putting NLR (“No License Required”) on the AES. That’s $750,000 before you’ve even walked through the door. BIS makes clear that now (forget those pesky promises) it has the “discretion” to charge all three violations separately.

Lump of Coal: BIS will take into account whether the exporter had a compliance program at the time of the violation, at least to “the extent to which a Respondent complies with the principles set forth in BIS’s Export Management System (EMS) Guidelines.” The what guidelines, you ask? Oh, you know, the ones that “can be accessed through the BIS Web site at www.bis.doc.gov.” The lump of coal here is awarded because of this dispiriting proof that the agency in charge of regulating exports of technology can’t figure out how links and the Internet work. Perhaps they are afraid that if they give an actual link to these guidelines, the Chinese will click on it and hack their systems again. I would suggest typing “Export Management System Guidelines” into the search box on the BIS website, but that’s more characters than are allowed by that search tool. You can type in “Export Management Sy” but that doesn’t provide any useful results. If your Google-fu is strong, you can find them. If not, you’re pretty much out of luck.

Comments on the proposed guidelines are due on February 26, 2016.



Copyright © 2015 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)


We’re from BIS and We’re Here to Help You


Posted by at 8:21 am on December 4, 2015
Category: BIS

By Daderot (Own work) [CC0], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3APatent_quote_-_United_States_Department_of_Commerce_-_DSC05103.JPG

In a laudable effort to increase transparency of its operations and processes, the Bureau of Industry and Security (“BIS”) has launched an initiative to release statistics and data on at least part of its operations. The new “data portal” can be found here. And although it’s clearly a work in progress, there are still some interesting factoids that can be gleaned from the “2014 Statistical Analysis of BIS Licensing” that appears there.

First, export control reform did not create a licensepocalypse. Many ill-mannered cynics (though not me, in this case) speculated that the onslaught of license applications for new 600 series items transferred from the USML would overwhelm BIS staff and result in a license tar pit from which fossilized approvals would emerge centuries, if not eons, later. The new figures however show a steady decrease in licensing times. Since 2010 average license processing times have decreased from 31 to 23 days even though the number of applications processed each year has increased from approximately 22,000 to 31,000. And, not surprisingly, the largest category of applications processed by BIS was the 600-series ECCN 9A610, which covers military aircraft and commodities.

Second, BIS grants the overwhelming majority of licenses that it processes. Of the approximately 31,000 applications processed in 2014, only 321 were denied with the remainder being returned without action or approved. The top items that were denied were, in this order, rifle scopes, encryption software, and EAR99 items. Although I understand rifle scopes and EAR99 items (for which licenses are required only when exported to bad people or for bad uses) being on this list, I am a bit baffled as to why licenses for 5D002 software receive so many denials. It’s not like there’s any real reason to control encryption software given that the U.S. (despite some self-delusions in this regard) does not have a monopoly on secure encryption technology.

Finally, I have just one little wish for the data portal. It would be tremendous if BIS would provide similar data on classification requests, particularly processing times. The classification process is just as important as, and in some instances even more important than, the licensing process. And I suspect that the processing time figures do not look quite as rosy as they do for licensing.
