Archive for the ‘DDTC’ Category



Export Fugitive Ends Life on the Lam, Pleads to Lesser Charge


Posted at 9:06 pm on September 9, 2014
Category: Arms Export, Criminal Penalties, DDTC, Extradition

A little over five years ago, we reported on a settlement agreement pursuant to which Air Shunt, Inc., agreed to pay DDTC a penalty of $100,000 in connection with three unlicensed exports of military aircraft parts. These same three violations were alleged in an indictment of an Air Shunt Vice-President, John Nakkashian, who was at the time of the settlement nowhere to be found and presumed to be a “fugitive from justice.”

For reasons not entirely clear, Nakkashian was arrested in June of this year by ICE agents at the Los Angeles International Airport. I suspect that this was not because Nakkashian was trying to sneak back into the country to vacation at Disneyland. More likely it was part of a carefully negotiated deal, because Nakkashian and the prosecutors just submitted a plea agreement to the court under which Nakkashian pleaded to one false statement count (18 U.S.C. § 1001) in connection with one of the three illegal exports set forth in the original indictment. The false statement at issue was Nakkashian’s statement in the export documents that no license was required for the export. The government, in return, agrees to a base offense level of 8 under the Sentencing Guidelines which would mean, if Nakkashian has no prior criminal history, a sentence of zero to six months. Compare this to the original indictment where each of the three counts had a base offense level of 26, meaning a sentence of at least 63-78 months for a defendant with no prior criminal history.

That’s a sweet deal and you have to wonder how a former “fugitive from justice” got this deal until you realize that Armenia, which is where we suspected Mr. Nakkashian (by virtue of his surname) was hiding out, has no extradition treaty with the United States. Moreover, given that this was not a crime of violence, it is unlikely that Armenia would voluntarily cooperate in returning Mr. Nakkashian to the United States for trial. That gave Nakkashian a potent bargaining chip which it would seem he used to maximum benefit with the U.S. preferring to impose some penalty rather than none at all.


The Consolidated Screening List Isn’t


Posted at 9:01 pm on August 20, 2014
Category: BIS, Compliance Programs and Procedures, DDTC, Debarred List, Denied Party List, Entity List, OFAC, Russia Sanctions, Sanctions, SDN List, Unverified List

PortShip by USDA (cropped) via https://www.flickr.com/photos/usdagov/9715983721 [CC BY 2.0 https://creativecommons.org/licenses/by/2.0/]

The U.S. Government, over at export.gov, provides a so-called Consolidated Screening List, which you might think would be a one-stop shopping list for your screening needs, something that might be useful if you or your company does not subscribe to or implement one of the commercial screening solutions. Unfortunately, the Consolidated Screening List doesn’t consolidate all the lists you should review and has other significant limitations.

The good news is that the list now does include the Foreign Sanctions Evaders List, which was not included for some time after the list was adopted by Treasury back in February of this year. The description of the list still does not mention the FSE list, but the entries on that list have been quietly added.

However, two other Treasury Department lists are still not included. The relatively new Sectoral Sanctions Identifications List is missing in action. U.S. persons are forbidden from engaging in certain transactions with entities on this list, including providing credit in excess of ninety days. Part of the reason for this is probably that the “consolidated” list is infrequently updated. The last update of the list was almost two months ago, on June 26, 2014.

In addition, the Palestinian Legislative Council List, adopted back in 2006, is not included. U.S. financial institutions must reject (not block) transactions with people on the PLC list.

Not only is the “consolidated” list not complete or consolidated, but also it is dangerous to rely on it alone for another significant reason. The search page for the list only retrieves literal matches and does not allow address searching. In addition to searching the consolidated list, you should also rely on OFAC’s sanction list search tool. That tool uses, fairly successfully, “fuzzy logic” to retrieve similarly spelled names. Because many of the names on the list are transliterated versions of Arabic names, meaning that there are many alternate spellings, the “fuzzy logic” will be somewhat more successful in identifying alternate spellings.


Chinese Hacker Nabbed on Export Charges


Posted at 9:20 pm on August 19, 2014
Category: Arms Export, Criminal Penalties, DDTC, Deemed Exports

Stephen Su photo taken by CBP during U.S. transit in 2011 via http://www.cbc.ca/news/canada/british-columbia/su-bin-chinese-man-accused-by-fbi-of-hacking-in-custody-in-b-c-1.2705169 [Public Domain]
ABOVE: Stephen Su


Well, we all know, or should know, that hacking is a criminal violation of the Computer Fraud and Abuse Act, at least when it entails unauthorized access to another party’s computer. What you may not know is that if you’re a foreign national and if the data accessed is technical data controlled by the International Traffic in Arms Regulations, hacking can also be a violation of the Arms Export Control Act.

Back in June, Canadian authorities arrested, at the request of the FBI, a Chinese citizen and Canadian permanent resident named, variously, Su Bin, Stephen Su and Stephen Subin, who we’ll refer to simply as Su for convenience. Su, the owner of Lode-Tech, a Chinese company with an office in Canada, was accused of conspiring with several Chinese nationals to hack into U.S. defense contractors’ computer systems and to exfiltrate data about military aircraft back to China. Last Friday, Su was indicted by a federal grand jury in California.

One of the charges in the indictment is a violation of the Arms Export Control Act. The theory behind this charge is that Su, with his PRC-based co-conspirators, conspired to break into the U.S. computer systems and to disclose ITAR-controlled technical data to foreign nationals among whom were, of course, themselves.

The criminal complaint filed back in June, which served as the basis for Su’s arrest, contains some fascinating details. First, it appears that access was gained to the defense contractors’ systems by sending emails to employees of the contractors containing infected attachments or links to infected websites that installed malware on the systems which allowed the hackers to control the systems, to view files on the system, and to send the files back to themselves. Interestingly, the files were then transferred to hop points or servers in Hong Kong and Macao and from there were physically carried back into the PRC. Interestingly, it appears that as the Internet becomes easier for security agencies to surveil, modern spies have started to revert back to older methods of spycraft such as smuggling documents, document drops, and, conceivably, even encrypted Morse code shortwave radio transmissions. One wonders if the NSA is training folks in Morse Code and invisible ink. What’s next? Microdots?


It’s Good To Be The King


Posted at 11:15 pm on June 24, 2014
Category: DDTC, ITAR, USML

Intersil Low Dose Irradiator via http://www.intersil.com/en/applications/rad-hard/eldrs.html [Fair Use]

Last week the Directorate of Defense Trade Controls (“DDTC”) announced that it had fined Intersil Corporation, a California-based manufacturer and developer of semiconductors and integrated circuits, $10,000,000 of which $6,000,000 goes to Uncle Sam and the remaining $4,000,000 goes to Intersil’s compliance program and remedial measures. Along with the fines, DDTC has required Intersil to jump through a number of now-typical compliance and re-education hoops, including appointing an ombudsman, hiring a special compliance officer, rewriting its compliance programs, engaging in audits, making frequent reports to DDTC and writing “I will not violate the ITAR” three million times on a blackboard after school. Well, of course, only the last item was not actually required.

According to the Proposed Charging Letter, Intersil incurred the ire of DDTC by classifying certain of its products as ECCN 3A001.a.1, 3A001.a.2, and EAR99 even though the items were radiation hardened and space qualified and, therefore, covered instead by USML Category XV(e). Why Intersil made this mistake is not revealed in the documents but since Intersil was applying for BIS licenses for the goods when required, it is hard to imagine that it was anything other than a good faith mistake (which is, probably, the reason why this information is omitted.) As a result, there were 3,152 unauthorized exports of Intersil’s products, although, due to the statute of limitations, only 339 exports were actually charged, with DDTC swearing left and right that although it couldn’t help mentioning the 3,152 exports it was paying absolutely no attention whatsoever to those in formulating the $10 million penalty.

But here is the most interesting part of the charging documents:

Several of the unauthorized exports were subsequently re-exported or retransferred without authorization due in part to the misclassification of the ICs. On August 20, 2010, a DDTC official misinformed Intersil that for any ICs that “HAVE already been exported under EAR jurisdiction, these [ICs] ARE NOT retroactively subject to the retransfer provisions of 22 CFR 123.9.” Intersil was further misadvised that Intersil did not need to inform its foreign customers to submit ITAR re-export authorization for these items and that this “decision to not retroactively apply USML controls for these already exported [ICs] will continue to be applicable even if a future formal CJ determination asserts USML controls apply.”

Interestingly, notwithstanding this bad advice, Intersil is charged with causing various unauthorized re-exports from, and retransfers in, foreign countries due to its misclassification of the integrated circuits. Whether or not any of these were the result, at least in part, of DDTC’s admittedly bad advice that the retransfer provisions would not apply to items exported under the EAR is not clear, but let’s give DDTC the benefit of the doubt and assume that these were all unrelated.

Even so, there is still an interesting moral to this story. Exporters who make mistakes have to pay large fines and engage in burdensome remediation activities. DDTC officials who make mistakes have to do, er, well, nothing at all because, well, you know, mistakes happen. As they say, it’s good to be the king.


DDTC Deflates Cloud Puffery


Posted at 5:25 pm on June 11, 2014
Category: DDTC, Deemed Exports, Encryption

Lonely Cloud by Kate Haskell https://www.flickr.com/photos/fuzzcat/32487111/ CC BY 2.0 [https://creativecommons.org/licenses/by/2.0/] (cropped)

One of the most frustrating ways in which the Luddites at DDTC have made life difficult for exporters in the 21st century is by taking the position that encrypted technical data is the same thing as unencrypted technical data for purposes of the ITAR. So if you put encrypted technical data on a cloud server outside the United States, you’d better get measured for an orange jumpsuit, because you’ve just exported technical data. Never mind, of course, that no one outside the United States can actually read or decrypt the data; you’ve still exported it.

Even the DoD, hardly a progressive force in these matters, thinks this position is nonsense. As we reported a while back, the DoD defended its decision to use Chinese satellites to transmit its own data on the grounds that all the data was encrypted and thus meaningless to our friends in Beijing. Since DoD has guns, and DDTC does not, you won’t be surprised as to who would win any argument between DoD and State on the efficacy of encryption for these purposes.

So earlier this month, you might have been surprised to see this press release from Perspecsys:

Perspecsys, the leader in enterprise cloud data protection, announced today that it received a written ruling from the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) confirming that technical data secured using Perspecsys tokenization can be processed outside the U.S. through the cloud without obtaining an export license under the International Traffic in Arms Regulations (ITAR).

In its groundbreaking decision, DDTC reinterpreted the ITAR to authorize the use of Perspecsys tokenization to process ITAR technical data in the cloud without a license, even where the tokenized technical data may be transferred to servers located outside the United States. DDTC’s new interpretation shifts the regulatory landscape – opening the cloud to companies subject to the ITAR.

Tokenization is a process whereby a random token is issued to replace sensitive data such as a credit card number. Unlike encryption, there is no algorithm to decode the token back into the credit card number. Rather the token and the original data are maintained on a secure server which can be used to replace the token when necessary. Thus, if the press release were to be believed, if the translation server remained in the United States, the token for technical data could be transferred to a cloud outside the United States without need for an export license.

Of course, before you get too excited, I regret to inform you that this is not what the DDTC advisory opinion actually said. Instead, it said that section 125.4(b)(9) might exempt tokenized data if it was sent by a U.S. employee overseas to another U.S. employee and no foreign person had access to the tokenized data. In other words, tokenized data would be treated exactly the same as its non-tokenized counterpart and was eligible only for export subject to exceptions that would be applicable to all technical data, whether encrypted, tokenized or in plain text.

DDTC was not amused by Perspecsys’s suggestion in its press release that the agency had finally entered the 21st century. So the agency “requested” that Perspecsys post a statement that amounts to a retraction of Perspecsys’s earlier press release. In that statement, DDTC clarified (a) that only transfers from a U.S. corporation to its own U.S. national employees were covered by the advisory opinion, (b) that steps must be taken to assure that no foreign persons had access to the data and (c) that the advisory opinion did not hold that tokenization constituted sufficient steps to prevent foreign access to the technical data.

All this makes me wonder: if you shred controlled technical data into a million tiny bits of paper do you have to make sure that the garbage collector is not a foreign person and that no foreign persons are allowed to visit the garbage dump?

[Thanks to an alert reader who pointed out the two press releases to me!]
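
The tokenization process described in this post, shown as an added example (not code from the original post or from Perspecsys): a vault on the trusted side issues random tokens and is the only way to map them back. The class, function and field names are hypothetical and the sample record is constructed.

```python
import secrets


class TokenVault:
    """Vault kept on the trusted side; the only place tokens map back to data."""

    def __init__(self):
        self._by_token = {}   # token -> original value
        self._by_value = {}   # original value -> token (one stable token per value)

    def tokenize(self, value: str) -> str:
        if value in self._by_value:
            return self._by_value[value]
        # Random token: not derived from the value, so no key or algorithm recovers it.
        token = "tok_" + secrets.token_urlsafe(16)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        try:
            return self._by_token[token]
        except KeyError:
            raise LookupError("unknown token: no vault entry") from None


def tokenize_record(vault, record, sensitive_fields):
    """Return a copy of record with the sensitive fields replaced by vault tokens."""
    return {k: vault.tokenize(v) if k in sensitive_fields else v
            for k, v in record.items()}


def detokenize_record(vault, record, sensitive_fields):
    """Reverse tokenize_record; only works with the vault that issued the tokens."""
    return {k: vault.detokenize(v) if k in sensitive_fields else v
            for k, v in record.items()}


# Constructed sample record (hypothetical fields, not real data).
SAMPLE = {"part_no": "PN-0001", "drawing": "constructed technical note A",
          "customer": "Example Corp"}
SENSITIVE = {"drawing", "customer"}


def demo():
    vault = TokenVault()
    remote = tokenize_record(vault, SAMPLE, SENSITIVE)  # copy that leaves the trusted side
    leaked = [f for f in SENSITIVE if SAMPLE[f] in remote.values()]
    restored = detokenize_record(vault, remote, SENSITIVE)
    return remote, leaked, restored


if __name__ == "__main__":
    remote, leaked, restored = demo()
    print(remote, leaked, restored == SAMPLE)
```
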
