Archive for the ‘BIS’ Category


More Details Emerge on Multilateral Export Controls on Cybersecurity Items


Posted by Clif Burns at 8:11 pm on December 10, 2013
Category: BIS, Cyber Weapons, Wassenaar

Photo: Harland Quarrington/MOD [see page for license], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ACyber_Security_at_the_Ministry_of_Defence_MOD_45153616.jpg

Last week we posted on reports that the Wassenaar Plenary was considering adding certain cybersecurity hardware and software products to the list of items that members of the Wassenaar Arrangement, which includes the United States, have agreed to subject to export controls. A press release today from Privacy International purports to provide details and operative language for the new controls, the first control to be on certain types of intrusion software and the second on certain types of deep packet inspection (“DPI”). Both of the proposed new controls are somewhat narrower than we first thought might be the case before we saw this language.

The controls on intrusion software originate from a U.K. proposal. It would control software designed to bypass security and detection systems in order to collect data or modify the execution of software on the targeted device:

“Software” specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’, of a computer or network capable device, and performing any of the following:
a. The extraction of data or information, from a computer or network capable device, or the modification of system or user data; or
b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

The target seems to be malware and rootkits used by government agencies to spy on their own citizens, such as the FinFisher software which we previously discussed here. Of course, the language is broad enough to cover exports of most malware and might give governments additional enforcement tools against domestic hackers and distributors of malware. Although I don’t believe that anti-virus software is the intended target, the language might wind up covering such software as well, since it is designed to defeat the countermeasures of viruses and malware and to extract data about the malware from a computer or network.

The second new controls will target “IP network surveillance systems.” Specifically, the language, as proposed by France, is narrower than the title suggests and reads as follows:

5. A. 1. j. IP network communications surveillance systems or equipment, and specially designed components therefor, having all of the following:
1. Performing all of the following on a carrier class IP network (e.g., national grade IP backbone):
a. Analysis at the application layer (e.g., Layer 7 of Open Systems Interconnection (OSI) model (ISO/IEC 7498-1));
b. Extraction of selected metadata and application content (e.g., voice, video, messages, attachments); and
c. Indexing of extracted data; and
2. Being specially designed to carry out all of the following:
a. Execution of searches on the basis of ‘hard selectors’; and
b. Mapping of the relational network of an individual or of a group of people.

When I previously posted about possible added controls on DPI software and hardware, I noted that the “deep” in DPI could mean many things. This language clarifies that by only covering inspection at OSI Layer 7, the so-called application layer. Moreover, it only captures items that in addition to capturing the traffic contents also index that software and analyze it for relational data among individuals. The biggest ambiguity is what is meant by a “carrier class IP network,” a term likely to be defined differently by the various members of the Wassenaar arrangement.





U.S. and Allies Mull Export Licenses for Network Equipment and Software


Posted by Clif Burns at 6:55 pm on December 4, 2013
Category: BIS, Cyber Weapons, Wassenaar

Photo: Harland Quarrington/MOD [see page for license], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ACyber_Security_at_the_Ministry_of_Defence_MOD_45153616.jpg

We can only assume that exporters have been very bad this year because they may find a big lump of coal left in their export reform stocking by jolly old St. Nick or, perhaps more accurately, Good King Wassenaar (to continue torturing this extended metaphor). The jolly old elves who negotiate the Wassenaar Agreement are meeting in Vienna this week, and according to this Financial Times article, they are likely to impose new controls on cybersecurity hardware and software. When the U.S. implements these changes, it means that some network equipment and software that did not previously require licenses will now require them.

The details of the changes are still not fully known. Obviously, many things could be classified as “cybersecurity” software and/or hardware, so the scope of these controls could be significant. The Financial Times article singles out deep packet inspection as one area of cybersecurity likely to be subject to export controls:

Particularly sensitive areas include so-called “deep package inspection” technologies which allow users to screen data for hidden viruses, malware or surveillance programmes. Western intelligence agencies are particularly concerned about such technologies falling into enemy hands, because they could enable them to foil cyber attacks or gain an intimate understanding of Western screening systems and their fallibilities.

Deep packet inspection is commonly used to refer to network software and hardware that looks beyond the headers of IP packets transiting a network to examine the data payload in the packet. DPI technologies vary in the degree to which the data payload is inspected, particularly given constraints on inline processing as the data streams through the network. Some DPI may look only for patterns or signatures indicating viruses or attacks (to block the packet), some for the type of traffic (e.g., P2P vs. VoIP) in order to prioritize the traffic, and some at the actual content of unencrypted traffic for censorship or law enforcement purposes. Given that there are varieties of “deep” in Deep Packet Inspection and varieties of purposes to which DPI could be put, a one-size-fits-all license requirement for DPI would certainly seem to be overkill.
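The paragraph above distinguishes several depths of inspection. As an added illustration that is not from the original post, the following Python sketch builds one constructed IPv4/TCP packet and runs three inspectors over it: a header-only classifier that never reads the payload, a byte-signature scan, and an application-layer (OSI Layer 7) HTTP parser, so the “how deep” distinction the proposed control language turns on is concrete. The packet layout, addresses and signature are all constructed sample values.

```python
import struct

# Constructed sample HTTP request (the application-layer content a Layer 7 inspector reads)
HTTP_PAYLOAD = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
                b"User-Agent: demo\r\n\r\n")

def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Assemble a minimal IPv4+TCP packet (checksums zeroed; sample data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0, src, dst)
    return ip + tcp + payload

def parse(pkt):
    """Split the packet into its L3/L4 header fields and the opaque payload."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data_off = (pkt[ihl + 12] >> 4) * 4
    return {
        "proto": pkt[9],
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "sport": sport, "dport": dport,
        "payload": pkt[ihl + data_off:],
    }

def header_only(fields):
    """Shallowest: classify by protocol and port; the payload is never read."""
    web = fields["proto"] == 6 and fields["dport"] in (80, 443)
    return "web" if web else "other"

# Constructed byte pattern standing in for an IDS/AV signature
SIGNATURES = {b"EICAR-STANDARD": "test-signature"}

def signature_scan(fields):
    """Mid-depth: byte-pattern match inside the payload; content is not interpreted."""
    return [name for pat, name in SIGNATURES.items() if pat in fields["payload"]]

def layer7_http(fields):
    """Deepest: interpret the payload as HTTP; None if it is not an HTTP request."""
    head = fields["payload"].partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    try:
        method, path, version = lines[0].split(b" ", 2)
    except ValueError:
        return None
    if not version.startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method.decode(), "path": path.decode(),
            "host": headers.get(b"host", b"").decode()}

if __name__ == "__main__":
    pkt = build_ipv4_tcp(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 40000, 80, HTTP_PAYLOAD)
    f = parse(pkt)
    print(header_only(f), signature_scan(f), layer7_http(f))
```

Only the last inspector reads the traffic content itself; the first two would classify an encrypted TLS flow on port 443 identically to a plaintext one.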

But the biggest nightmare will be how these license requirements will seep into the deemed export rules. Any company that employs network engineers (in other words, any company but the Asian Lithuanian Taco and Waffle Truck on the corner) will encounter real difficulties in hiring and managing foreign employees working on their networks. Let’s just hope that these negotiations at Wassenaar fizzle (but I’m not holding my breath).





Naming Names


Posted by Clif Burns at 10:09 pm on November 7, 2013
Category: BIS, DDTC, Deemed Exports, Export Reform

Photo: By MediaPhoto.Org (mediaphoto.org Own work) [CC-BY-3.0 (http://creativecommons.org/licenses/by/3.0)], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ARussian_passports.jpg

The Bureau of Industry and Security has released new guidance on deemed re-exports which is intended to deal with issues arising when a U.S. company exports technology to a foreign company that then re-exports that technology to its own employees who are not of the same nationality as the foreign company receiving the technology export. The purpose of the guidance is to address certain issues raised by the current export control reform effort and, specifically, to deal with re-exports of technology relating to the newly created 600 series of items that have been transferred from the United States Munitions List (“USML”) to the Commerce Control List (“CCL”).

As the guidance notes, one of the overarching principles of the export control effort is that military items moved from the USML to the CCL should not thereby be subjected to more stringent controls than were applicable to the item when it was on the USML. Under the International Traffic in Arms Regulations (the “ITAR”) “technical data” is subject to certain license exemptions permitting technical data, in certain cases, to be transferred without license by foreign companies to their employees who are not of the same nationality as the foreign company. These employees include “third country nationals” who are nationals of countries other than the nationality of the foreign company involved and “dual nationals” which are nationals of two countries, one of which may, but does not necessarily include, the nationality of the foreign company.

The first of these exceptions, found in section 124.16 of the ITAR, allows companies in NATO countries, the EU, Australia, Japan, New Zealand and Switzerland to retransfer technologies to third country nationals who are also from such countries, subject to certain further conditions. The other exception, found in section 126.18, permits intra-company transfers of technical data from the foreign company to employees without regard to the country restrictions of 124.16 but subject to certain other restrictions, such as requiring the third country national employees to sign non-disclosure agreements and requiring the company to assure that the third country national doesn’t have “substantive contacts” with countries subject to arms embargoes under section 126.1 of the ITAR.

Nothing in the Export Administration Regulations (the “EAR”) provides equivalent license exceptions to permit the transfer of technology to nationals of NATO countries, the EU, Australia, Japan, New Zealand, and Switzerland without a license as permitted by section 124.16 of the ITAR. Accordingly, the new guidance indicates that it is the policy of BIS to permit transfers of technology relating to series 600 items without a license if the conditions of 124.16 are fulfilled. Also, to the extent that section 126.18 of the ITAR permits transfers to third country nationals outside of the EU, Australia, Japan, New Zealand and Switzerland if they sign an NDA and are screened for contacts with embargoed countries, BIS will permit similar transfers of series 600 technology.

The situation with section 126.18 is more complicated because section 126.18 addresses an issue under the ITAR that is not a problem under the EAR, namely the problem of dual nationals born in countries subject to arms embargoes. Section 126.18 was designed to deal with the thorny problem of dual nationals under DDTC rules, which require that a dual national be treated as a citizen of both countries. Accordingly, a naturalized U.K. citizen born in China would still be treated as Chinese, and thus ineligible to receive ITAR-controlled technical data even if he had been awarded the OBE by the Queen because, in DDTC’s eyes, that dual national was irrevocably and permanently tainted with Chinese blood. Although such discrimination would be illegal if applied by DDTC in the United States, DDTC saw no problem with applying this rule in foreign countries even if it would, as it often did, violate the human rights laws of that foreign country to discriminate against someone solely based on place of birth. Under BIS rules, in contrast, a person is treated as a citizen of the country of his or her most recent nationality. A naturalized UK citizen would be treated simply as a UK citizen without regard to the fact that he or she was born in China and was once Chinese. Thus, strictly speaking, the BIS guidance does not need to implement those parts of 126.18 as they relate to dual nationals.

There is, however, one problem relating to technology re-exports for series 600 items where the transfer from the USML to the EAR will subject the technology to more stringent requirements and which is not addressed by this guidance. Under DDTC’s application procedures, a U.S. exporter seeking authority for a foreign company to transfer technical data to its third country and dual nationals need only list the nationalities of the employees. In other words, the U.S. exporter says, for example, that the technical data will be exported to French, German and Mexican nationals. Under BIS application guidelines, however, the U.S. exporter must give the names, passport numbers and addresses for each employee that will receive the technology re-export. In addition to that, a resume for each individual, showing education, employment history and military service, must be provided.

Over and above the obvious burden of compiling this information in the first place, the U.S. exporter will be required to obtain amendments or new authorizations each time the foreign transferee hires new employees in the affected program area. Under DDTC’s rules, an amendment is required only if an employee with a nationality not previously approved is hired. Granted this burden can be minimized to some extent through reliance on section 126.18, but this may not be possible where the foreign employer is either unable or unwilling to comply with all of the conditions required by section 126.18, including screening employees for contacts with embargoed countries, maintaining records of this screening, and fulfilling the other requirements of section 126.18.





Be Careful What You Say on LinkedIn


Posted by Clif Burns at 6:08 pm on November 5, 2013
Category: BIS, Criminal Penalties, Iran Sanctions

Photo: Nicholas Kaiga, http://www.linkedin.com/in/nkaiga [Fair Use]


According to a recently unsealed criminal complaint, a Belgian citizen, Nicholas Kaiga, has been charged with attempted unlicensed exports of export controlled aluminum tubing to Malaysia. The story recounted by the complaint begins with an order placed with a U.S. company for 7075 aluminum to be exported to a company in the UAE. Because 7075 aluminum is covered by ECCN 1C202, an export license application was filed with the Bureau of Industry and Security (“BIS”). When BIS sent an employee to the company address in the UAE, it discovered that the address actually belonged to a different company. Worse, that company was an Iranian company, so BIS denied the license.

Undeterred, the UAE company instructed that the aluminum be shipped to Belgium instead, given that a license is not required to send 7075 aluminum to Belgium. Enter Mr. Kaiga and his company Industrial Metals and Commodities, which he apparently was running from his house in a residential area of Brussels. Mr. Kaiga went so far as to fill out a BIS Form 711 stating that the aluminum was destined to be resold in Belgium. In cahoots with federal investigators, the U.S. company then shipped what purported to be 7075 aluminum (but was in fact a lower grade EAR99 aluminum) to Kaiga, who then promptly shipped it to a company in Malaysia related to the Iranian company that ordered the 7075 aluminum in the first place. The shipment would have required a license both for export to Malaysia and, obviously, Iran, neither of which had been obtained.

Some time later, Mr. Kaiga made an improvident trip to New York and met with an undercover agent, whom he allegedly told that the aluminum was always intended to go to Malaysia. For good measure, Kaiga allegedly bragged to the agent about his ability to get around export controls. Then they arrested him.

An interesting footnote to all this is Mr. Kaiga’s expansive LinkedIn biography where he explains:

My overall experiences have taught me to become very flexible and adaptable to different manners of … working.

Maybe flexibility is not always such a good thing. He also claims that one of his “specialties” is “managing high risk operations.” Not so much, given the outcome of his trip to New York. He might want to change that when he gets access to a computer again in several years.





Berman Amendment? What Berman Amendment??


Posted by Clif Burns at 10:42 pm on October 23, 2013
Category: BIS, Cuba Sanctions, OFAC

Photo: By Marrovi (Own work) [CC-BY-SA-2.5-mx (http://creativecommons.org/licenses/by-sa/2.5/mx/deed.en)], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3AAntiguo_Centro_Asturiano%2C_hoy_Museo_Nacional_de_Bellas_Artes.JPG

Back in August, the Bureau of Industry and Security issued an advisory opinion relating to a request from a number of U.S. art museums regarding temporary export of artworks from the United States to Cuba, presumably to be displayed in the 2014 Havana Biennial. A simple question, one would think, easily answered by the Berman Amendment which prohibits BIS from regulating “directly or indirectly” the export of “informational materials” to Cuba. But never, ever underestimate the inventiveness of BIS in figuring out ways to prevent the Commies in Cuba from being propped up by American paintings hanging on museum walls in Havana.

The BIS advisory opinion starts promisingly by conceding that BIS would be “prohibited from regulating ‘information or informational material’ such as artwork.” But don’t start packing up your Rembrandts yet:

You stated in your request that the artwork would be transported to Cuba using a vessel. Please note that, pursuant to Section 746.2 of the EAR, an export license is required for the temporary sojourn of vessels to Cuba. The vessel may not travel to Cuba unless the exporter of the vessel first obtains a temporary sojourn license from BIS.

So, if you can have Scotty and the Starship Enterprise beam the artwork up to Havana, you don’t need an export license from BIS to send a painting to Cuba. Otherwise, so sad, too bad, but you’d better get permission from BIS first, Berman amendment or not. This rather defeats the part of the Berman amendment which says that BIS can’t regulate “directly or indirectly” the export of informational materials to Cuba or other sanctioned countries. Even OFAC, not a hotbed of pro-Cuba sympathy or Berman amendment enthusiasm, gets this. Section 515.550 of OFAC’s Cuban Assets Control Regulations makes clear that a vessel engaging in exempt transactions does not require a license to go to Cuba.

To add insult to injury, the advisory opinion says this:

[A]rtwork is considered “informational materials” exempt from the EAR’s jurisdiction when exported to Cuba if it is classified under Chapter subheadings 9701, 9702, or 9703 of the Harmonized Tariff Schedule of the United States (HTSUS). If the material at issue is exempt from the EAR, a BIS license is not required for its export to Cuba. Please contact the U.S. International Trade Commission if you need assistance with classifying the artwork in accordance with HTSUS.

Seriously, the person who wrote this opinion thinks that you get HTSUS classification decisions from the USITC. The USITC itself, as a quick trip to Google would have revealed to the author of the opinion, doesn’t think it can provide classification assistance:

Although, in principle, articles can be classified in only one place, classification often requires interpretation and judgment. U.S. Customs and Border Protection (CBP) has authority to make classification decisions and may disagree with a reasonable classification offered by the importer. Published Customs rulings (http://rulings.cbp.gov) are often useful to see how Customs looks at the issues. USITC does not issue classification decisions.

Even more bizarre, why does BIS suggest that the exporter needs to make some difficult decision to determine whether an artwork fits in a specific HTSUS tariff heading and then misdirect the exporter to the wrong agency to resolve that thorny issue? Evidently to make the museums think twice before they send paintings to Havana. It’s a slippery slope after all that starts with oil paintings and ends up with weapons of mass destruction.

[Note: even though the advisory opinion suggests that all vessels need a license to go to Cuba, the museums could put the artwork on a boat, send it to a foreign port, and have a foreign boat transport the artwork to Cuba -- an unnecessary, pointless and possibly hazardous solution.]
