Archive for the ‘Technical Data Export’ Category


Aug

30

Glass Houses, Stones and Cybersecurity


Posted by and at 1:34 pm on August 30, 2015
Category: CybersecurityTechnical Data ExportTechnology Exports

Chinese Army HackersRecently, the Department of Defense issued  an interim rule that would impose on DOD contractors and subcontractors a contractual duty to provide “adequate security” from “unauthorized access and disclosure” for a broad array of unclassified information Additionally, the interim rule requires DOD contractors and subcontractors to report within 72 hours directly to the appropriate DOD office a “cyber incident” or “malicious software.” A “cyber incident” is defined as an action on a computer network that compromises the network of has an “actual or potentially adverse effect” on the information on the network. Finally, the rule requires contractors to make available “media (or access to covered contractor information systems and equipment)” upon request.

The interim rule, which is immediately effective, applies to all contractors and subcontractors with “covered defense information transiting their information systems.” The “covered defense information” to be safeguarded is extremely broad. It includes information provided to the contractor by or on behalf of DOD in connection with performance of the contract or ”critical” or “controlled information stored by or on behalf of the contractor in support of the performance of the contract.

Of particular emphasis for readers of this blog, “covered defense information” also includes export controlled information, including “items identified in export administration regulations and munitions list,” license applications, and “sensitive nuclear technology information.” Beyond these obvious items, the covered export controlled information includes things not covered by existing export control regimes but “whose [sic] export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives.” We have no idea on earth what this could possibly mean or how any contractor can figure out what information, not covered by the EAR or the ITAR, actually fits in this category.

DOD recognizes that such cyber incident reports or other information provided to DOD under this interim rule may include a contractor’s proprietary information, including personal information relating to its employees. In response, DOD states “the government shall protect against the unauthorized use or release” of such information. Does anyone else see the tremendous irony here? The United States government, which has been hacked left and right by the Chinese, the Russians and others, promises to protect the information. To add to the irony, the new rule only applies to unclassified information, which is precisely the type of information the USG has been unable to protect on its own.

Rest assured that anything that you provide to the DOD will be read almost immediately by the Red Army in China. Perhaps the U.S. Government should get its own cybersecurity house in order before it starts preaching to private industry.

Permalink Comments (0)

Bookmark and Share



Jun

4

Once Upon a Time in a Public Domain Far, Far Away


Posted by at 9:19 pm on June 4, 2015
Category: DDTCTechnical Data Export

England's Oldest Working Catapult by Thoms Euler [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://www.flickr.com/photos/thomaseuler/3656736595/ [cropped]Once upon a time, and long before the Internet, in a distant and dank corner of Washington, D.C., there lived an obscure agency called the Directorate of Defense Trade Controls (“DDTC”), which, among other things, kept watch, like a jealous dragon, over certain types of information that it believed it was destined to protect, information such as how to build a catapult or the best timber to use for a battering ram or the deadliest method for swinging a mace at an enemy. And it sent out a decree, far and wide, that anyone who should dare to disseminate such information without its permission, except in locked rooms with less than three other citizens present between the hours of midnight and dawn, would be sentenced to immediate gibbeting. Fortunately, there was no Internet, so few, in those days, were seen hanging in cages in Foggy Bottom.

Of course, this little fairy tale is a preface to the recent release by DDTC of proposed revised definitions of, among other things, the term “public domain” which, as you might imagine, does not mean to DDTC what it means to anyone else who speaks English. The proposed new definition seems to have been written by people who have heard of the Internet only as something the kids use to tweet things and post selfies.

The importance of the definition of “public domain” is that information about defense articles (like muskets and missiles) is not subject to export controls if it is in the “public domain” as defined in section 120.11 of the International Traffic in Arms Regulations (the “ITAR”). DDTC has previously taken the position that pictures on the Internet were not “public domain” because section 120.11 does not specifically mention the Internet. (Never mind, of course, that the definition includes information available “[a]t libraries open to the public” and that every single library in the United States, save apparently for the one at DDTC, has Internet terminals.)

The newly proposed rules, coming more than twenty years after the appearance of the World Wide Web, finally (and grudgingly) acknowledges the existence of the Internet.  The new definition would define “public domain” to include information made available to the public through

Public dissemination (i.e.,unlimited distribution) in any form (e.g., not necessarily in published form), including posting on the Internet on sites available to the public;

Before you get to excited, however, there’s this: an exception that eats up the entire definition from any practical point of view.

(b) Technical data or software, whether or not developed with government funding, is not in the public domain if it has been made available to the public without authorization from:

(1) The Directorate of Defense Trade Controls;

(2) The Department of Defense’s Office of Security Review;

(3) The relevant U.S. government contracting entity with authority to allow the technical data or software to be made available to the public; or

(4) Another U.S. government official with authority to allow the technical data or software to be made available to the public.

So, you see a picture of a fighter jet on the Internet. Is it “public domain” or not?  Will you get in trouble for re-posting it? Well, you have no idea because you have no way of knowing whether any official falling in the four categories above has authorized it to be posted. You probably can’t even tell who falls in category (3) or (4). In fact, nobody can probably tell which government officials fall in those categories.

DDTC attempts to address this issue with a note saying that if somebody else put the information on the Internet you are not breaking the law unless you “know” that they did so without authority.  But does “know” mean actual knowledge or does it slide, like it often does, into not engaging in due diligence to determine that it was authorized?  Your guess is as good as mine.   So use the Internet at your own risk, unless you’re just posting selfies on Instagram.

For companies in the defense industry, this proposed definition is equally problematic if they use the Internet at all.  Every time they post information on their own products, thinking that the information they are posting is already in the “public domain,” they need to ask permission from DDTC if they haven’t already done so.  And, of course, since there are no time limits in the proposed definition, this issue would exist for everything the company has ever posted on the Internet.

Dark times for the Internet ahead when (and if, as is likely) this new definition goes into effect.

 

Permalink Comments (3)

Bookmark and Share



Mar

3

Might As Well Be Hung for a Sheep as a Lamb


Posted by at 9:58 pm on March 3, 2015
Category: Criminal PenaltiesDDTCTechnical Data Export

Mozaffar Khazaee [Credit: Essex County Mug Shot Catalog]
ABOVE: Mozaffar Khazaee


On February 25, Mozaffar Khazaee, a former employee of various defense contractors, pleaded guilty to illegal export of ITAR-controlled technical data to Iran. The case started with an audacious shipment from Connecticut to a freight forwarder in Long Beach, California, by Khazaee of 44 boxes labelled as household goods that, in fact, contained numerous manuals and other technical documents relating to the F35 Joint Strike Fighter and military jet engines. The boxes were intended for ultimate shipment to Iran. Further investigation revealed that these documents had been taken by Khazaee from defense contractors for which he worked and that taking these documents violated the contractors’ rules requiring return of all documents at the end of employment. Khazaee was initially arrested for charges, set forth in the criminal complaint, of illegally transporting stolen property across state lines.

Khazaee’s ultimate plea was for violation of the Arms Export Control Act. The superseding information that served as the basis for the plea, however, alleged the export of only one document (out of the 44 boxes of documents) which was asserted to contain controlled technical data designated under Category XIX(g) of the United States Munitions List.

Two things stand out about this case. First, the superseding information charged, and Khazaee pleaded guilty to, export of the document and not attempted export of the document. The problem is the document was seized in Long Beach and never left the country. Section 120.17 of the ITAR defines export as “taking a defense article out of the United States.” No matter what your feelings may be about Long Beach, California, it is definitively still in the United States last time I checked. There is some evidence that the boxes may have been loaded onto the Panamanian-flagged NYK Libra. But given the definition of United States in section 120.13, it is hard to argue that the document left the United States until the NYK Libra did.

The second thing of interest were statements made by Khazaee, and cited in the superseding information, to potential employers in Iran that his job advancement in the United States had been hindered by his Iranian nationality even though he was an American citizen.

Even though working industry being very exciting, with best pay salary and high-tech events, my original nationality being Iranian (which I am very proud of), has caused me tremendous issue and hindrances towards my progress and goals. I can’t make any publication in current job (everything is very proprietary and restricted, mostly military projects), I was rejected to participate in the new advance engine program (this is beyond F135 engine, it’s called AETD), purely based on my original nationality. This is the primary … reason for my consideration to move to Iran.

Obviously one wrong does not justify another. However, discrimination against a U.S. citizen based on his national origin,if this is what occurred here, is a violation of federal law. And given the unhealthy obsession of the DoD and DDTC on national origin, at least with respect to dual and third-country nationals, it seems at least possible that this may have occurred. It may well be that the best way to encourage loyalty among American citizens is to treat them all equally without respect to where they were born.

Permalink Comments Off on Might As Well Be Hung for a Sheep as a Lamb

Bookmark and Share



Sep

24

Get Smart: Chinese Spy Edition


Posted by at 4:51 pm on September 24, 2014
Category: Arms ExportCriminal PenaltiesDDTCTechnical Data Export

By General Artists Corporation-GAC-management. [Public domain], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ADonAdams.jpgMeet Charlie and Alice, two self-professed PRC spies who branched out from smuggling crystal meth into the United States to attempting to export airplanes and military technology from the United States to the PRC. Things did not turn out so well for Charlie and Alice who probably should have stuck with drug trafficking. So, find a comfortable chair, grab a bag of popcorn, and prepare to be entertained by the story that unfolds in the Criminal Complaint filed against them and to which they just pleaded guilty.

It was a dark and stormy evening in Manila when a counterfeit cigarette smuggler introduced two undercover agents working for the United States to Hui Sheng Shen, a/k/a “Charlie,” and Huan Ling Chang, a/k/a “Alice.” According to Mr. Counterfeit Cigarette Guy, Alice and Charlie could help the UCs obtain methamphetamine.

Alice and Charlie, explaining to the UCs that email was insecure, set up a drop email account, gave the UCs the credentials for the account, and said that they should communicate via messages left in the draft folder. (This method is not particularly effective in hiding communications from the government when you’re dealing with undercover agents but, whatever, it’s the trendy spycraft du jour.) Using this method, a deal for a kilo of meth was consummated and shipped to the UCs in tea bags hidden in computer towers. (Of course, no customs inspector would ever be suspicious of tea bags in computer towers so this is yet another example of top notch spycraft by Charlie and Alice.)

Emboldened by their world-class narcotics deal, Charlie and Alice decided to move on to bigger things and just kinda casually dropped into a subsequent conversation with the UCs that they would, oh, by the way, like to buy a military aircraft. Because, naturally, guys who buy drugs normally have a warehouse of military aircraft that they can sell to the people they buy drugs from.  And Charlie and Alice wanted not just any airplane but a honking huge E-2 Hawkeye reconnaisance aircraft. “Sure, Charlie, I’ll leave one for you at the front desk of your hotel after you wire me $100 million dollars.”

Of course, knowing the sensitivity of such an operation, Charlie and Alice wanted to refer to the Hawkeye in code as the “Big Toy.” That way, they could always claim, if caught, that they were really talking about a 12-ton toy Tonka truck. At this point, one of the UCs hits comedy gold when he says to Charlie and Alice:

“Do you guys realize what this thing is?.. . This thing is like a um 757 plane — it’s on aircraft carriers. Those things don’t just disappear.”

Undeterred, Charlie and Alice still kept negotiating to buy the “big toy,” stating that their buyer, which they described as the “Chinese C.I.A.,” could afford it. The UCs, however, managed to steer them to something more manageable, something that could fit in a backpack, namely, a Raven RQ 11B UAV. Charlie and Alice explained that they could smuggle the UAV out of the United States by having scuba divers or remote-controlled submersible vehicles carry the items to an off-shore Chinese ship. They also planned to get the manuals out by taking pictures of the manuals, deleting the pictures from the memory cards and then having their friends in China recover the deleted images.

There were, of course, two problems with the deleted image trick. First, everyone (even Customs) knows about it and can easily detect and recover deleted images on digital camera memory cards. Second, Charlie and Alice were arrested while taking the pictures.

For those who want to try at home the recovering deleted images trick, here’s a quick guide on how to do that.

 

Permalink Comments (2)

Bookmark and Share



Apr

11

Bird Flu Research Flies Into Export Laws, Crashes, Then Burns


Posted by at 10:43 pm on April 11, 2012
Category: BISGeneralTechnical Data ExportWassenaar

Bird FluApparently international research on how best to prevent, contain and treat bird flu is now threatened by international laws restricting export of information relating to potential agents of biological warfare according to this report on NPR. The problem concerns research conducted by researchers in the United States and the Netherlands which resulted in a controversial paper concerning alterations in the virus that would make it more contagious. There was some concern that this information might be useful to terrorists and rogue states interested in biological warfare agents.

To address this concern, the decision was initially made to restrict publication of the study and related materials and to make them available only to designated researchers and government officials with “a need to know.” What apparently no one realized was that this would prevent the research from falling within the fundamental research exception and would, therefore, prevent cross-border discussions or transfer of the information without specific governmental authorization.

Once this was realized, the decision was made to eliminate the “need to know” restrictions and simply to publish the materials so that the research could be considered fundamental research and could be shared freely with researchers in other countries. But the government of the Netherlands is arguing that the publication of the research could not undo the effect of the earlier decision to restrict dissemination and that therefore the research could not be exported from the Netherlands without approval of that government.

This situation illustrates the difficulty in applying the fundamental research in practice. To begin with, there is no easy way to determine what is or is not fundamental research. Export lawyers and export professional at universities have tried to strengthen the case that research is eligible for the fundamental research exception by pointing to whether research was published or, even if not published, was permitted or required to be published under applicable grant contracts or university rules.

The conundrum here is whether sensitive material can be transformed into fundamental research simply by publication. If one group of researchers decides to release the information, does this act of a few individuals instantly transform the information into fundamental research? But if publication isn’t the standard for deciding what is fundamental research, what other standards are available and who should be able to apply those standards? What these questions without answers demonstrate more than anything else is the slippery slope that we head down when we try to apply export controls to information. Rather we should rely on classification rules and procedures to control dissemination of truly sensitive information.

Permalink Comments (3)

Bookmark and Share