Archive for the ‘BIS’ Category



ZTE Zells ZTE Zhells by the Zeashore


Posted at 5:57 pm on March 7, 2016
Category: BIS, Iran Sanctions

ZTE Stand 6 via http://www.zte.com.cn/cn/events/ces2013/show/201301/t20130110_381605.html [Fair Use]

The Bureau of Industry and Security (“BIS”) is placing Chinese telecom giant ZTE (and three related companies) on the Entity List tomorrow according to this pre-release version of the Federal Register notice announcing the action. As a result, all items subject to the EAR will require an export license prior to any export to ZTE. Under this action, all applications for such licenses will be subject to a policy of denial.

The action is taken as a result of the diversion by ZTE of certain U.S. origin products to Iran. More important, perhaps, than the diversion itself is that BIS caught ZTE playing a shell game and ZTE lost. Somehow or other, BIS got its hands on a ZTE internal document, labelled “Top Secret Highly Confidential” and titled, innocently enough, “Proposal for Import and Export Control Risk Avoidance.” In fact, this incriminating document might be better titled “Everything You Wanted to Know about Shells but Were Afraid to Ask.” It sets out, in excruciating detail, a plan for setting up a chain of shell companies through which the U.S. goods would pass with the hope that it would throw the U.S. government off the scent of what was really going on. Under this plan, a Chinese company owned by an allegedly independent Chinese investor would buy U.S. parts, sell them to another Chinese company, owned by another allegedly independent Chinese investor, which would sell those to another single “independent” Chinese investor company in Dubai, which would then sell the goods to Iran.

Two juicy quotes from the report will give you the idea of what ZTE had in mind:

However, the detached [shell] companies … are invested by natives of [the People’s Republic of China] and not only does our company need to make [the detached shell companies] operate independently, [our company] also needs to effectively control them.

Yea, sure, that works … if you believe in oxymorons and unicorns.

The biggest advantage of [this] Model is that it is more effective, [because it’s] harder for the U.S. Government to trace it or investigate the real flow of the controlled commodities; and in formality, our company is not participating in doing business with [Iran].

Right, “in formality” it’s not doing business with Iran because it’s being done by those companies that look like they operate independently but which ZTE “effectively control[s].” Game over.



Copyright © 2016 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)


BIS Still Mulling Over Cybersecurity Export Rules


Posted at 11:30 pm on January 13, 2016
Category: BIS, Cyber Weapons, Cybersecurity

Untitled by Kevin Wolf via https://scontent.fash1-1.fna.fbcdn.net/hphotos-xfa1/t31.0-8/12471591_10208490792490184_1220994233873918423_o.jpg [Public Domain - Work of U.S. Government]

Yesterday Kevin Wolf, the Assistant Secretary of Commerce for Export Administration, testified before the House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies on the much reviled controls in the Wassenaar Arrangement on exports of certain software and technology. His testimony provides detailed insight into the interaction between the Bureau of Industry and Security, which is charged with implementing the Wassenaar Arrangement controls, and the technology and cybersecurity industry and community, which was concerned about the overbreadth of the Wassenaar controls on “intrusion” software. This blog has previously articulated some of these concerns, particularly the extent to which the Wassenaar controls on “intrusion” software could reach auto-updating software, Address Space Layout Randomization (ASLR) security measures, and hot-patch programs.

Assistant Secretary Wolf’s testimony reveals that Commerce’s concerns about the potential overbreadth of the Wassenaar controls on intrusion software led the agency to take the “unprecedented step” of releasing the controls as a proposed rule and soliciting industry comments. Such a step is “unprecedented” because normally Commerce simply adopts and adds to the CCL all changes adopted by the Wassenaar Arrangement. The result of the request for industry comment, according to the testimony, was more than 260 comments, “virtually all of them negative.” The negative reaction was echoed in outreach meetings held by Commerce with industry. Assistant Secretary Wolf’s testimony summarizes these concerns, including the concerns we have expressed about how the controls would reach certain auto-updating and hot-patching programs.

Most importantly, Assistant Secretary Wolf’s testimony says this:

Neither the Commerce Department nor the Administration has reached a conclusion about how to respond to the public comments. We are still reviewing and considering them. … The commenters had many suggestions regarding how to address their concerns. The Administration will be reviewing all of them and many other ideas for how to address the policy objectives of the control but without unintended collateral harms. As I have said many times in response to questions about the rule, the only thing that is certain about the next step is that we will not be implementing as final the rule that was proposed.

The moral of this story is clear, even if the shape of the ultimate rule is not. The export industry, as demonstrated conclusively throughout the export control reform initiative, has been loath to comment on proposed rules, whether from fear of standing out from the crowd or because of a belief that such comments will have no effect. As a result, Assistant Secretary Wolf has been known to remark that industry gets the rules they deserve. The response of Commerce here to the issues raised in the comments and industry outreach, however, shows that there are times when public input will have an impact. So the moral of the story is simple: you may not get everything you ask for, but you’ll almost never get what you want if you don’t even ask for it.


Egregiousness, Like Beauty, Is in the Eye of the Beholder


Posted at 11:04 pm on December 29, 2015
Category: BIS

By Daderot (Own work) [CC0], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3APatent_quote_-_United_States_Department_of_Commerce_-_DSC05103.JPG

Not to be outdone by the Directorate of Defense Trade Controls, which left a nice little gift under every exporter’s tree last week, the Bureau of Industry and Security had a gift of its own which it dropped down everyone’s chimney the day after Christmas. Of course, whether it is a gift or a lump of coal is open to some discussion.

The gift/coal lump in question consists of proposed guidelines for the assessment of penalties for export violations. It more or less adopts the mostly unhelpful scheme in place over at the Office of Foreign Assets Control, going so far even as to adopt the notoriously unhelpful distinction between egregious and non-egregious cases. The base penalty would be established by looking at whether the case is egregious and whether a voluntary disclosure had been filed.

If the case is egregious and there is no voluntary disclosure the base penalty is the statutory maximum. (Ouch!) If egregious and voluntarily disclosed, the base penalty is half the statutory maximum. (Still an ouch!) If non-egregious but without a voluntary disclosure, the base penalty is a thing called, in Mid-Atlantic bureaucratese, the “Applicable Schedule Amount” capped at $250,000 per violation. The Applicable Schedule Amount is basically a bracketed round-up of the transaction value. For example, it’s $170,000 for transactions valued at between $100,000 and $170,000. And for non-egregious violations that were voluntarily disclosed, it is the transaction value capped at $125,000 per violation. BIS then pulls aggravating and mitigating factors out of the sorting hat and decides whether to impose a penalty greater than or less than the base penalty.

Now let’s talk about whether these Guidelines are a gift or a lump of coal. Because BIS takes the odd opportunity in the proposed guidelines to remind lawyers that it can disbar them from practice before the agency for whatever reason it wants, let’s start with the gifts and leave the lumps of coal for last in hopes that no one from the agency will read down that far.

Gift: BIS reiterates that most voluntary disclosures will result in no-action or warning letters and thus will not even involve these guidelines. In fact, BIS says this:

[O]ver the past several years, on average only three percent of VSDs submitted have resulted in a civil penalty.

Gift: Acquiring companies will not be weighed down by the sins of acquired companies. This is not a retreat from the doctrine of successor liability, premised on the ridiculous notion that without such liability companies will commit export violations willy-nilly knowing that they can easily absolve themselves by selling the company. (One has to imagine that no one at BIS has ever done a corporate deal if they actually believe this.) But the Guidelines now make clear that, if the acquiring company discloses and cleans up the target’s past violations, they won’t be counted under the aggravating factor for prior violations in subsequent voluntary disclosures by the acquiring company.

Lump of Coal: BIS is expressly reverting back to its practice of “piling on” violations, something it swore up and down to Congress it would stop doing if Congress upped the penalties to $250,000 per violation, a promise the agency kept for a while when it said that in cases where the same act led to multiple violations it would only charge the most serious. Well forget that. Now we are expressly back to the situation where if an exporter misclassifies an item, it has committed three (if not more) violations: one for the illegal export, one for the wrong ECCN on the AES, and one for putting NLR (“No License Required”) on the AES. That’s $750,000 before you’ve even walked through the door. BIS makes clear that now (forget those pesky promises) it has the “discretion” to charge all three violations separately.

Lump of Coal: BIS will take into account whether the exporter had a compliance program at the time of the violation, at least to “the extent to which a Respondent complies with the principles set forth in BIS’s Export Management System (EMS) Guidelines.” The what guidelines, you ask? Oh, you know, the ones that “can be accessed through the BIS Web site at www.bis.doc.gov.” The lump of coal here is awarded because of this dispiriting proof that the agency in charge of regulating exports of technology can’t figure out how links and the Internet work. Perhaps they are afraid that if they give an actual link to these guidelines, the Chinese will click on it and hack their systems again. I would suggest typing “Export Management System Guidelines” into the search box on the BIS website, but that’s more characters than are allowed by that search tool. You can type in “Export Management Sy” but that doesn’t provide any useful results. If your Google-fu is strong, you can find them. If not, you’re pretty much out of luck.

Comments on the proposed guidelines are due on February 26, 2016.



Copyright © 2015 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)


We’re from BIS and We’re Here to Help You


Posted at 8:21 am on December 4, 2015
Category: BIS

By Daderot (Own work) [CC0], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3APatent_quote_-_United_States_Department_of_Commerce_-_DSC05103.JPG

In a laudable effort to increase transparency of its operations and processes, the Bureau of Industry and Security (“BIS”) has launched an initiative to release statistics and data on at least part of its operations. The new “data portal” can be found here. And although it’s clearly a work in progress, there are still some interesting factoids that can be gleaned from the “2014 Statistical Analysis of BIS Licensing” that appears there.

First, export control reform did not create a licensepocalypse. Many ill-mannered cynics (though not me, in this case) speculated that the onslaught of license applications for new 600 series items transferred from the USML would overwhelm BIS staff and result in a license tar pit from which fossilized approvals would emerge centuries, if not eons, later. The new figures however show a steady decrease in licensing times. Since 2010 average license processing times have decreased from 31 to 23 days even though the number of applications processed each year has increased from approximately 22,000 to 31,000. And, not surprisingly, the largest category of applications processed by BIS was the 600-series ECCN 9A610, which covers military aircraft and commodities.

Second, BIS grants the overwhelming majority of licenses that it processes. Of the approximately 31,000 applications processed in 2014, only 321 were denied, with the remainder being returned without action or approved. The top items that were denied were, in this order, rifle scopes, encryption software, and EAR99 items. Although I understand rifle scopes and EAR99 items (for which licenses are required only when exported to bad people or for bad uses) being on this list, I am a bit baffled as to why licenses for 5D002 software receive so many denials. It’s not like there’s any real reason to control encryption software given that the U.S. (despite some self-delusions in this regard) does not have a monopoly on secure encryption technology.

Finally, I have just one little wish for the data portal. It would be tremendous if BIS would provide similar data on classification requests, particularly processing times. The classification process is just as important as, and in some instances even more important than, the licensing process. And I suspect that the processing time figures do not look quite as rosy as they do for licensing.


BIS Imposes Controls on High-Tech Cloaking Material


Posted at 7:57 pm on November 19, 2015
Category: BIS

XBS Epoxy System Demo via http://www.spacephotonics.com/Coating_Glob-top_Cavity_Fill_X-Ray_Blocking_Anti-Tamper_Material.php [Fair Use]

On Monday, BIS announced an “interim final” rule (a top contender for the best oxymoronic regulatory phrase ever) imposing export controls on Harry Potter’s invisibility cloak as well as on tarnhelms, the predecessor technology to the invisibility cloak. Actually, the control, which was effective immediately upon publication, was placed on a high-tech equivalent of those two items, namely, XBS epoxy systems.

The website of Space Photonics, which is the apparent developer of this technology, explains the technology. According to that website, XBS epoxy systems are

proven effective in obfuscation of critical technology components against X-Ray and Terahertz Microscopy imaging attempts … developed to conceal critical components from adversaries.

The picture on the left is a visual demonstration of the technology.

One interesting issue of an immediately effective “interim final” rule is a simple commercial issue. Suppose one of the systems was in transit on the date of publication. If it crossed the U.S. border after the rule was published, did the exporter violate the law? The rule has no grandfathering or savings provision, so the apparent answer would be that the exporter did violate the law and could be subject to civil penalties. It seems doubtful that BIS would fine someone in that situation, but it’s hard to see why the immediately effective rule did not address this issue rather than throw any such exporters on the presumed mercy of BIS.

Because it is an “interim not-yet-final but almost and pretty much but not quite final rule,” BIS will permit comments on the rule until January 15, 2016, after which BIS will presumably issue the “final and we really mean final this time final” rule.
