Glass Houses, Stones and Cybersecurity
Posted by Clif Burns and Dan Schwartz at 1:34 pm on August 30, 2015
Category: Cybersecurity • Technical Data Export • Technology Exports
Recently, the Department of Defense issued an interim rule that would impose on DOD contractors and subcontractors a contractual duty to provide “adequate security” from “unauthorized access and disclosure” for a broad array of unclassified information. Additionally, the interim rule requires DOD contractors and subcontractors to report within 72 hours directly to the appropriate DOD office a “cyber incident” or “malicious software.” A “cyber incident” is defined as an action on a computer network that compromises the network or has an “actual or potentially adverse effect” on the information on the network. Finally, the rule requires contractors to make available “media (or access to covered contractor information systems and equipment)” upon request.
The interim rule, which is immediately effective, applies to all contractors and subcontractors with “covered defense information transiting their information systems.” The “covered defense information” to be safeguarded is extremely broad. It includes information provided to the contractor by or on behalf of DOD in connection with performance of the contract or “critical” or “controlled information stored by or on behalf of the contractor in support of the performance of the contract.”
Of particular emphasis for readers of this blog, “covered defense information” also includes export controlled information, including “items identified in export administration regulations and munitions list,” license applications, and “sensitive nuclear technology information.” Beyond these obvious items, the covered export controlled information includes things not covered by existing export control regimes but “whose [sic] export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives.” We have no idea on earth what this could possibly mean or how any contractor can figure out what information, not covered by the EAR or the ITAR, actually fits in this category.
DOD recognizes that such cyber incident reports or other information provided to DOD under this interim rule may include a contractor’s proprietary information, including personal information relating to its employees. In response, DOD states “the government shall protect against the unauthorized use or release” of such information. Does anyone else see the tremendous irony here? The United States government, which has been hacked left and right by the Chinese, the Russians and others, promises to protect the information. To add to the irony, the new rule only applies to unclassified information, which is precisely the type of information the USG has been unable to protect on its own.
Rest assured that anything that you provide to the DOD will be read almost immediately by the Red Army in China. Perhaps the U.S. Government should get its own cybersecurity house in order before it starts preaching to private industry.
Some Things Change; Some Things Don’t
Posted by Clif Burns at 9:14 pm on March 9, 2010
Category: Cuba Sanctions • Iran Sanctions • Sudan • Syria • Technology Exports
Here’s what has changed at OFAC. Yesterday OFAC announced a general license for Iran and Sudan that would permit export of
“certain services and software incident to the exchange of personal communications over the Internet, such as instant messaging, chat and email, social networking, sharing of photos and movies, web browsing, and blogging.”
To be eligible the services must be offered free of charge and any software must be EAR99, not subject to the EAR, or mass market software classified under ECCN 5D992. Also, the exporter must not have any reason to believe that the services or software is destined to be used by the government of Sudan or Iran. A similar license was announced for Cuba but it only covered services since BIS controls exports of software to Cuba. Any bets on how long it will take for BIS to act to permit these software exports to Cuba? BIS action will also be necessary for similar exports to Syria.
And here is what hasn’t changed at OFAC. Today OFAC announced that it spent untold tens of thousands of taxpayer dollars to fine some poor schlub $575 for buying Cuban cigars over the Internet. I have to assume that this single cigar purchase will provide funds to the current Cuban government that will keep it in power for about five minutes longer than otherwise would have been the case thereby justifying all the government expense involved in imposing the fine.
Cloudy with a Chance of Fines
Posted by Clif Burns at 9:23 pm on January 12, 2010
Category: Technology Exports
As enterprises begin to confront the issues raised by cloud computing, this article on TMCnet is a good reminder that export issues may be some of the most intractable. Although some clouds, like Amazon’s EC2, provide servers in defined locations, other cloud providers, Google notably, are more secretive about where their clouds are located or on which clouds user data is stored. If ITAR-controlled technical data or CCL-controlled technology is stored by a U.S. company on a cloud outside the United States, an export has occurred. If no license has been obtained, it is safe to say that this is going to be a cloud without a silver lining.
BIS did issue an advisory opinion in January 2009 on cloud computing. The advisory opinion was requested by an unnamed provider of cloud computing service and fails to address the export issues relating to users of such cloud computing services. In the advisory opinion, BIS stated, among other things, that the provision of cloud computing services is not an export subject to the EAR and that the cloud provider is not considered to be the exporter of any data that users place on and retrieve from the cloud.
The TMCnet article focuses unduly on the location of the server while neglecting that even if the cloud is wholly within the United States an export could occur if foreign nationals employed by the cloud provider in the United States have access to controlled technology or technical data. The same article also neglects to point out that export issues are raised in other Internet contexts. If an email contains controlled technology or technical data an illegal export will have occurred if the email transits a foreign server even if the email is sent from a server in the United States and is addressed to a server in the United States. The same issue could exist for VOIP voice communications if the VOIP provider utilizes any servers located outside the United States.
The BIS advisory opinion shows a laudable effort to understand and accommodate issues posed by cloud technology, at least from the perspective of the cloud provider. Hopefully, it will show the same practical considerations for users of cloud technology. Whether OFAC and DDTC will demonstrate similar understanding of the technology remains to be seen.