Archive for the ‘Technology Exports’ Category



Glass Houses, Stones and Cybersecurity

Posted at 1:34 pm on August 30, 2015
Category: Cybersecurity, Technical Data Export, Technology Exports

Recently, the Department of Defense issued an interim rule that would impose on DOD contractors and subcontractors a contractual duty to provide “adequate security” from “unauthorized access and disclosure” for a broad array of unclassified information. Additionally, the interim rule requires DOD contractors and subcontractors to report within 72 hours directly to the appropriate DOD office a “cyber incident” or “malicious software.” A “cyber incident” is defined as an action on a computer network that compromises the network or has an “actual or potentially adverse effect” on the information on the network. Finally, the rule requires contractors to make available “media (or access to covered contractor information systems and equipment)” upon request.

The interim rule, which is immediately effective, applies to all contractors and subcontractors with “covered defense information transiting their information systems.” The “covered defense information” to be safeguarded is extremely broad. It includes information provided to the contractor by or on behalf of DOD in connection with performance of the contract or “critical” or “controlled information stored by or on behalf of the contractor in support of the performance of the contract.”

Of particular emphasis for readers of this blog, “covered defense information” also includes export controlled information, including “items identified in export administration regulations and munitions list,” license applications, and “sensitive nuclear technology information.” Beyond these obvious items, the covered export controlled information includes things not covered by existing export control regimes but “whose [sic] export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives.” We have no idea on earth what this could possibly mean or how any contractor can figure out what information, not covered by the EAR or the ITAR, actually fits in this category.

DOD recognizes that such cyber incident reports or other information provided to DOD under this interim rule may include a contractor’s proprietary information, including personal information relating to its employees. In response, DOD states “the government shall protect against the unauthorized use or release” of such information. Does anyone else see the tremendous irony here? The United States government, which has been hacked left and right by the Chinese, the Russians and others, promises to protect the information. To add to the irony, the new rule only applies to unclassified information, which is precisely the type of information the USG has been unable to protect on its own.

Rest assured that anything that you provide to the DOD will be read almost immediately by the Red Army in China. Perhaps the U.S. Government should get its own cybersecurity house in order before it starts preaching to private industry.


Copyright © 2015 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)



Some Things Change; Some Things Don’t

Posted at 9:14 pm on March 9, 2010
Category: Cuba Sanctions, Iran Sanctions, Sudan, Syria, Technology Exports

Here’s what has changed at OFAC. Yesterday OFAC announced a general license for Iran and Sudan that would permit export of

certain services and software incident to the exchange of personal communications over the Internet, such as instant messaging, chat and email, social networking, sharing of photos and movies, web browsing, and blogging.

To be eligible, the services must be offered free of charge and any software must be EAR99, not subject to the EAR, or mass market software classified under ECCN 5D992. Also, the exporter must not have any reason to believe that the services or software are destined to be used by the government of Sudan or Iran. A similar license was announced for Cuba, but it only covered services since BIS controls exports of software to Cuba. Any bets on how long it will take for BIS to act to permit these software exports to Cuba? BIS action will also be necessary for similar exports to Syria.

And here is what hasn’t changed at OFAC. Today OFAC announced that it spent untold tens of thousands of taxpayer dollars to fine some poor schlub $575 for buying Cuban cigars over the Internet. I have to assume that this single cigar purchase will provide funds to the current Cuban government that will keep it in power for about five minutes longer than otherwise would have been the case thereby justifying all the government expense involved in imposing the fine.


Copyright © 2010 Clif Burns. All Rights Reserved.



Cloudy with a Chance of Fines

Posted at 9:23 pm on January 12, 2010
Category: Technology Exports

As enterprises begin to confront the issues raised by cloud computing, this article on TMCnet is a good reminder that export issues may be some of the most intractable. Although some clouds, like Amazon’s EC2, provide servers in defined locations, other cloud providers, Google notably, are more secretive about where their clouds are located or on which clouds user data is stored. If ITAR-controlled technical data or CCL-controlled technology is stored by a U.S. company on a cloud outside the United States, an export has occurred. If no license has been obtained, it is safe to say that this is going to be a cloud without a silver lining.

BIS did issue an advisory opinion in January 2009 on cloud computing. The advisory opinion was requested by an unnamed provider of cloud computing service and fails to address the export issues relating to users of such cloud computing services. In the advisory opinion, BIS stated, among other things, that the provision of cloud computing services is not an export subject to the EAR and that the cloud provider is not considered to be the exporter of any data that users place on and retrieve from the cloud.

The TMCnet article focuses unduly on the location of the server while neglecting that even if the cloud is wholly within the United States an export could occur if foreign nationals employed by the cloud provider in the United States have access to controlled technology or technical data. The same article also neglects to point out that export issues are raised in other Internet contexts. If an email contains controlled technology or technical data an illegal export will have occurred if the email transits a foreign server even if the email is sent from a server in the United States and is addressed to a server in the United States. The same issue could exist for VOIP voice communications if the VOIP provider utilizes any servers located outside the United States.

The BIS advisory opinion shows a laudable effort to understand and accommodate issues posed by cloud technology, at least from the perspective of the cloud provider. Hopefully, it will show the same practical considerations for users of cloud technology. Whether OFAC and DDTC will demonstrate similar understanding of the technology remains to be seen.


Copyright © 2010 Clif Burns. All Rights Reserved.