Archive for the ‘Deemed Exports’ Category


Hackers Are Exporters Too


Posted by at 5:50 pm on May 28, 2013
Category: DDTC, Deemed Exports

Credit: Poa Mosyuen (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons http://commons.wikimedia.org/wiki/File:HK_%E7%9F%B3%E5%A1%98%E5%92%80%E5%B8%82%E6%94%BF%E5%A4%A7%E5%BB%88_Shek_Tong_Tsui_Municipal_Services_Building_%E9%9B%BB%E8%85%A6%E9%8D%B5%E7%9B%A4_Chinese_input_keyboard_Jan-2012.jpg

The Washington Post reported today that a confidential report from a Pentagon advisory group indicated that Chinese hackers had obtained sensitive military plans for a number of defense systems, including the Patriot Missile PAC-3, the F/A-18 fighter jet, the V-22 Osprey, the Black Hawk helicopter and the Navy’s new Littoral Combat Ship. The report did not specify whether these plans had been obtained by hackers from computers operated by the U.S. government or by the defense contractors involved.

So with this blockbuster revelation in hand, think for a moment about the ITAR-controlled technical data sitting on your computer system. You’ve gone to all the trouble to secure these files and prevent access by persons in your company who aren’t U.S. nationals. Then you’re hacked and this data is exfiltrated to China. What now?

Well, for starters, consider this: the definition of “export” in section 120.17 of the International Traffic in Arms Regulations does not have a carve-out for data hacked out of your system by foreign nationals. In fact, it covers “transferring technical data to a foreign person, whether in the United States or abroad,” without specifying how that transfer occurs. And make no mistake about it: when your system has been hacked by the People’s Liberation Army, it has transferred technical data to foreign nationals.

“But I didn’t mean for that data to be shipped to China!” you protest. Well, that may mean you lack the necessary scienter for a criminal prosecution, but civil penalties do not require intent. That also means it is probably time to think about a voluntary disclosure. And of course, one of the mitigating factors will be that you did not intentionally transfer the data to the PRC.

But here is the rub. Maybe you did not send the PLA an engraved invitation asking them to come hack your system, but maybe you also did not really have robust systems in place to prevent hacking. Often hackers get control of systems by sending infected links to employees. What protections do you have in place to prevent employees from clicking links in emails from outside the system? What systems do you have in place to monitor outbound traffic from your computers? And if you say, well, we have X or Y antivirus installed, you are going to hear the sad trombone, because hackers can get around commercial antivirus software faster than Lindsay Lohan can sneak out of rehab.

Consider the Washington Post story a warning. It’s time to take a hard look at your security systems so that you either do not have to file a voluntary disclosure that you’ve been hacked or, if you do have to make such a disclosure, you can honestly say you took every reasonable precaution.


DDTC Slams Stable Door After The Horses Have Bolted


Posted by at 1:02 am on May 10, 2013
Category: Arms Export, DDTC, Deemed Exports

Credit: Liberator Hand Gun http://defdist.tumblr.com/ [By Permission of Defense Distributed]

Unless you have been vacationing on the dark side of the moon today, you probably have seen that the Directorate of Defense Trade Controls (“DDTC”) told Defense Distributed to take down the plans that it had posted for producing a crappy plastic handgun using an expensive 3-D printer. You can read the letter by clicking this link.

Not surprisingly, DDTC takes the position that these plans are technical data relating to an article in Category I of the USML and that putting the plans on the Internet is an export of that technical data. Of course, whether these plans are technical data may not be entirely clear given the public domain exception to the definition of technical data. Detailed gun schematics are available in numerous widely available publications and all over the Internet. A Google search, for example, quickly brings up these schematics.

But leaving aside whether or not these plans are controlled technical data that cannot be put on the Internet without a DDTC license, this whole brouhaha seems to be a waste of time by DDTC. Real guns that won’t blow up in your hand, can fire multiple shots before falling apart, and which can be much more cheaply manufactured are readily available outside the United States, so the danger posed by exporting these plans is, well, non-existent. Foreign militaries aren’t very likely to abandon their AK47s now that they can print their own plastic handguns. Worse yet, the plans had apparently been downloaded more than 100,000 times before the Feds dropped the ban hammer. There is no way that DDTC can now stuff all that toothpaste back in the tube.

Finally, the DDTC letter seems to concede some uncertainty about whether the plans are technical data. Instead of simply demanding the removal of the plans and threatening enforcement action, the letter requests that Defense Distributed file a commodity jurisdiction request to “resolve” the “proper jurisdiction” of the technical data “officially.” So, stay tuned, this affair is far from over.

(The picture of the plastic gun parts from the Defense Distributed site that illustrates this post has been pixelated for your protection.)


Do As I Say Not As I . . . etc. etc.


Posted by at 2:15 pm on May 3, 2013
Category: China, DDTC, Deemed Exports

Credit: China Great Wall Industry Corporation http://cn.cgwic.com/APSTAR-7/photo.html [Fair Use]
ABOVE: Apstar-7 launch in China

Picture this scenario: a U.S. defense contractor leases time on a Chinese satellite and uses the transponders of that satellite to beam ITAR-controlled technical data between and among its facilities in the United States. The Directorate of Defense Trade Controls (“DDTC”), which licenses exports of ITAR-controlled technical data by U.S. exporters and which has imposed an absolute ban on transferring such data to China, would, pardon the metaphor, go ballistic. The defense contractor would be investigated, fined millions of dollars, forced to conduct public self-shaming sessions (i.e., compulsory self-audits) and either debarred or threatened with debarment. The zombie apocalypse would seem a Sunday afternoon outing in the park compared to the terror that the agency would rain down on the guilty exporter.

Now, suppose that the U.S. defense contractor in this story is not a private contractor but instead . . . (are you sitting down?) . . . is the Pentagon. What has DDTC to say about this catastrophic breach of national security? Let’s listen: (Crickets chirping . . . crickets chirping . . .) Speak up, over there, Foggy Bottom. I can’t hear you. What? Nothing? Not a peep?

And, no, this is not merely a hypothetical. It is a fact.

Doug Loverro, deputy assistant secretary of defense for space policy, testified at an April 25 hearing of the House Armed Services strategic forces subcommittee that when he assumed his duties a month ago, he learned of DOD leases with a Chinese satellite service provider that were issued early last year following a joint urgent operational needs statement in support of “warfighter needs.”

“The warfighter needed [satellite communication] support in his area of operations. He went to the Defense Information Systems Agency to request that support,” Loverro said.

Loverro said DISA responded to the request by reaching out to its pool of providers. Only one of those providers, a company based in China, had the bandwidth available to meet the communications needs. …

“From that perspective, I’m very pleased with what we did,” Loverro said. …

According to Wired, the satellite in question is the Apstar-7, launched in China and operated by APT Satellite Holdings Ltd., which is owned by the PRC.

The point of raising this is not just to show the double standard the government exercises with respect to defense-related information but also to find some support for a potential problem that has been bedeviling exporters and (to a lesser extent) the export licensing agencies themselves — namely, the issue of the interaction between export law, controlled technology, the “cloud” and the use of the Internet and email for information transfer. Everyone pretty much agrees that if controlled technical data so much as traverses a foreign internet server for a nanosecond — even if the information originated in the United States and is being sent to another user in the United States — there has been an unlicensed export of that data. And yet, no one who puts information in the cloud, or sends it by email, or otherwise transfers the data using the Internet can be certain of the path the information will take and that it won’t pay an infinitesimally brief visit to a server outside the United States. Does this mean that everyone with controlled data has forsworn the Internet, keeps all controlled data on paper locked in file cabinets and uses the good offices of the United States Snail Mail service to send it about? Of course not.

Instead, it appears that those who have thought about the vagaries of Internet routing and cloud storage have adopted, at least as a best practice and perhaps as a mitigating factor, the use of encryption on controlled technical data being sent by email or stored in the cloud even where this is intended to be a solely domestic transaction. Of course, there is nothing in the ITAR or the EAR that endorses this and, technically speaking, the export of encrypted technical data is still the export of technical data.

Now in that light, consider this nugget from Loverro’s testimony:

Based on his review of the leases, Loverro said, the agency followed all of the current procedures and operational commanders were aware of the safety and business concerns connected with such an agreement. Those commanders, he said, are equipped with the necessary encryption to protect the information being relayed.

File that testimony away, folks, because you may need it. In short, the DoD is endorsing the notion that encryption effectively prevents the transfer of controlled technical data to the Chinese even when it passes through their hands. I’m certainly not guaranteeing that this is a “Get Out Of Jail Free” card, but it might some day be all you have.


We Apologize for the Inconvenience


Posted by at 5:56 pm on August 21, 2012
Category: DDTC, Deemed Exports

DDTC HQ
ABOVE: DDTC offices in DC

The Directorate of Defense Trade Controls (“DDTC”) has just revised its guidance on licensing foreign persons employed by U.S. persons. Foreign persons that will have access to ITAR-controlled technical data need to be licensed by DDTC prior to obtaining access to that technical data, and the guidelines describe how to use licensing application form DSP-5 to obtain the requisite license.

The revised guidelines contain only one change, and it is a footnote inserted at the beginning of the document relating to the enforcement of anti-discrimination provisions by the Office of Special Counsel in the Civil Rights Division of the Department of Justice. The oddly vague footnote reads in its entirety as follows:

The ITAR imposes a license requirement for the export of U.S. defense articles and defense services to foreign persons. The ITAR does not, however, impose requirements on U.S. companies concerning the recruitment, selection, employment, promotion or retention of a foreign person. Federal law prohibits discrimination in hiring, firing, or recruitment/referral for a fee based on an individual’s citizenship status or national origin. See Section 274B of the Immigration and Nationality Act (INA), 8 U.S.C. § 1324b. Unless otherwise required to comply with law, regulation, executive order, government contract, or determination by the Attorney General of the United States, discrimination based on an individual’s citizenship status is unlawful. The Office of Special Counsel for Immigration-Related Unfair Employment Practices (Office of Special Counsel) in the Civil Rights Division of the United States Department of Justice enforces Section 274B of the INA. The Office of Special Counsel, located in Washington, D.C., has issued public guidance relating to non-discriminatory practices when complying with ITAR. For additional guidance, please contact the Office of Special Counsel at osccrt@usdoj.gov, its employer hotline at 1-800-255-8155, or visit its website at www.justice.gov/crt/about/osc.

You would not be alone if your first reaction is that this elliptical mish-mash of bureaucratese and CYA-speak does not make any sense. It seems to be saying that the ITAR requires you to discriminate against non-citizens, that the Immigration and Nationality Act makes it illegal to discriminate against non-citizens, and that it is entirely up to you to figure out how to comply with both requirements at once. So long, poor exporter, and thanks for all the fish.

This problem is complicated by the footnote referencing “public guidance” by the OSC without, of course, bothering to provide, you know, something helpful like a link to that guidance. In fact, the OSC hasn’t issued anything that might fairly be called public guidance on how to navigate the Scylla of the ITAR and the Charybdis of the INA. Instead, I was able to locate two “Technical Assistance Letters” issued by the OSC in response to narrow questions posed by members of the public.

The first said that it was illegal for employers to use documents gathered in the I-9 process to determine whether the employee was eligible to receive ITAR-controlled technical data. It said, somewhat confusingly, that the employer must gather documents establishing ITAR eligibility in a “separate and distinct verification procedure,” whatever that means.

The second technical assistance letter advises that employers may inquire whether applicants are citizens of embargoed countries for purposes of complying with export obligations “as long as such inquiries were made uniformly and without the intent to discriminate on the basis of national origin or citizenship status.” Just to keep things confusing, the letter says that the OSC reserves the right to examine the “totality of the circumstances” to determine whether an inquiry related to citizenship in an embargoed country was nevertheless discriminatory notwithstanding the export issue.

Reading between the lines of these two OSC letters, there is one thing that can be said with certainty about simultaneous compliance with the INA and the ITAR. Because permanent residents, refugees and asylees are entitled to receive ITAR-controlled technical data, an employer may not, in an effort to comply with the ITAR, limit employment to U.S. citizens or even to U.S. citizens and permanent residents. Beyond that, you are pretty much on your own in reconciling the two regulatory schemes, with each agency helpfully pointing its finger at the other for guidance.


Danger, Danger, Will Robinson! Deemed Exports Ahead!!


Posted by at 6:51 pm on April 30, 2012
Category: BIS, DDTC, Deemed Exports

ABOVE: Medical lab

A long article published today on the Bloomberg News website tells the story of a voluntary disclosure by Georgia Tech after one of its instructors inadvertently posted some export-controlled data on the Internet. The article follows this anecdote up with a ton of (virtual) ink about how universities are giving away all of our military secrets and how we shouldn’t be surprised when this results in the U.S. becoming a satellite province of China or Iran.

First, here’s what the story reveals about the Georgia Tech voluntary disclosure. According to the story, a research scientist at the university wanted to put course materials and videos of his lectures for his course “Infrared Technology and Applications” on a DVD because he was planning to retire and he wanted to use these materials to train his successor. When the university’s media staff encountered problems putting the video and materials on DVD, they suggested making the information available by a link. The research scientist approved this idea, thinking that it was an internal link, whereas it was an ordinary Internet link. The material was available online for about three weeks before the mistake was discovered and the materials were taken down. Although the video received hits only from the United States, some of the PowerPoint slides that were posted received hits from foreign countries, including 33 from China and one from Iran. The university disclosed this lapse to the Directorate of Defense Trade Controls, which issued a warning letter but imposed no penalties, something which appears to have scandalized the Bloomberg reporter.

Above and beyond the description of the Georgia Tech voluntary disclosure, the article takes a Chicken Little approach to the dangers posed to national security by university research:

Eager to preserve their culture of openness and global collaboration, campuses are skirting — and even flouting — export-control laws that require foreigners to hold government licenses to work on sensitive projects.

To support this startlingly broad conclusion, the reporter humps the Roth case for all it is worth and cites some voluntary disclosures by several universities. That doesn’t much sound like “flouting” export rules to me, but perhaps Bloomberg has a different definition of that word.

For those familiar with the sorts of information which may be export-controlled (but not classified), it is hard to get too worked up about the national security implications of this. After all, business proprietary information about how to make handcuffs is controlled under the Commerce Department’s rules. Suffice it to say, things that are of real concern are classified. Accordingly, I am not scandalized when voluntary disclosures by universities relating to deemed exports result in warning letters rather than jail time for everyone involved as the reporter seems to think is appropriate. And because “fundamental research,” which is exempted from export controls, is an incredibly vague term that is difficult to apply in many contexts, overzealous enforcement of export rules to university research would have an unwarranted chilling effect on that research given the number of foreign students at almost every college and university. Well, I suppose colleges could adopt an American-only admissions policy, and I wouldn’t be surprised if there weren’t certain advocates of deemed export controls who secretly wish for such national homogeneity at our institutions of higher learning.
