BIS Finally Releases Proposed Cybersecurity Rules

Posted by at 11:55 pm on May 20, 2015
Category: BIS, Cyber Weapons

At long last, and well after the E.U. and many other members of the Wassenaar Arrangement, BIS has released proposed (but not final) rules implementing the December 2013 changes adopted by the Arrangement, which imposed export controls on “intrusion detection software” and “IP network communications surveillance” systems and equipment. After the E.U. adopted the 2013 changes in October 2014, we speculated that the delay by BIS beyond its announced September 2014 date for releasing a proposed rule was that it perhaps was struggling with the impact of Wassenaar’s overbroad definition of “intrusion detection software.” But we were wrong.

The proposed rule adopts the Wassenaar changes without clarification of the scope of coverage of intrusion detection software. Instead, the delay seems to have been wholly occasioned by housekeeping matters: specifying the reasons for control, deciding that no license exceptions would apply, and so forth. The proposed BIS rules also grapple with a rather esoteric problem: what to do with intrusion detection software with encryption functionality. And it decides that the software is classified under, and must comply with, both ECCNs, which, at last, concedes something BIS long said was impossible: that an item could have two ECCNs. Finally, and I’m not joking, so I’ll quote the agency itself to prove that I’m not:

[a] reference to §772.1 is proposed to be added to ECCNs 4A005, 4D001 and 4E001 to point to the location of the ‘‘intrusion software’’ definition, as this rule may be of interest to many new exporters that would not otherwise know that double quoted terms in the EAR are defined in §772.1.

Seriously? Now BIS starts to worry about the indecipherability of the EAR and the secret rules of interpretation that must be applied? What next? Will proposed rules start spelling out “n.e.s.”?

But, all joking aside, the problems with the definition of intrusion software remain:

‘‘Software’’ ‘‘specially designed’’ or modified to avoid detection by ‘monitoring tools,’ or to defeat ‘protective countermeasures,’ of a computer or network-capable device, and performing any of the following: (a) The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or (b) The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

The notes indicate that protective measures include “Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) or sandboxing.”

Many have pointed out that this definition would cover programs that permit auto-updating without user intervention, such as, for example, the Chrome browser, which updates itself in the background and circumvents protections normally imposed by the operating system to prevent installation or modification of programs without user intercession. Address Space Layout Randomization (ASLR) loads program components into random addresses in memory as a security measure against buffer overflow attacks, and yet legitimate programs that must “hot-patch” operating servers or systems must scan memory to locate the program components, thereby both extracting data and defeating ASLR. The definition of sandboxing as a protective measure will subject programs that permit rooting or jailbreaking of mobile telephones to export controls.

I don’t normally try to look into a crystal ball and make predictions about the future, but I see clearly a flood of classification requests by software developers.




BIS Publishes Tips You Can Use (or Not) to Unmask Russian Straw Purchasers

Posted by at 9:48 pm on May 19, 2015
Category: BIS, Russia Sanctions

The Bureau of Industry and Security (“BIS”) just released new guidance, snappily titled “Guidance on Due Diligence to Prevent Unauthorized Transshipment/Reexport of Controlled Items to Russia,” which attempts to reveal ways in which U.S. exporters can detect whether a purchaser is sneakily trying to buy things not for itself but for the bad guys in Russia. This, of course, is a laudable purpose, not just for the Russians, but for the many other countries and entities that know they can’t directly buy certain export-controlled goods and have a straw purchaser do their dirty work. But, sadly, most of the advice for sniffing out secret Russian intermediaries is about as useful as the secret decoder rings that used to be found in cereal boxes.

Here it is:

When inquiring into the ultimate destination of the item, an exporter should consider e-mail address and telephone number country codes and languages used in communications from customers or on a customer’s website. The exporter should also research the intermediate and ultimate consignees and purchaser, as well as their addresses, using business registers, company profiles, websites, and other resources. … Furthermore, exporters should pay attention to the countries a freight forwarder serves, as well as the industry sectors a distributor or other non-end user customer supplies.

Particularly risible is the advice to pay attention to the “email address and … languages used in communications from customers or on a customer’s website.” Because, of course, if you’re trying to hide the fact that you’re acting on behalf of the Russians, you’re going to put up a website in Russian, email from a .ru domain, and say “Nyet” when asked if you’re secretly working for the Russkis.

It’s not quite clear why BIS mentions these factors — which may from time to time catch a really stupid Russian intermediary who slips and starts babbling in Russian — rather than more reliable red flags. The most frequent indicator that you’re dealing with an imposter is a purchaser who appears to have no clear understanding of, or use for, the item he or she is seeking to purchase. Small purchasers that your company has never dealt with or who say that they are simply a reseller should set off alarm bells. And here’s a personal favorite: Google Maps Street View is your friend. If you track down the address in Amsterdam and see that the purchaser of a controlled accelerometer is a bicycle store or a car repair garage, well, your work is done.




Federal Court Strikes Down Warrantless Border Search in Iran Export Case

Posted by at 11:23 pm on May 12, 2015
Category: Criminal Penalties, Iran Sanctions

A federal district court judge in the District of Columbia last week granted a motion to suppress evidence obtained by a DHS Special Agent after a laptop was seized from a departing passenger at LAX and subsequently subjected to a comprehensive forensic search. Prosecutors attempted to defend the search as a routine border search which could be conducted without reasonable suspicion of any kind and without any warrant. The court held that the search was impermissible both because the government had no reasonable suspicion of “ongoing or imminent” criminal behavior and because the search was an extensive forensic search conducted away from the border after the passenger had long departed the country.

In the case at issue, the DHS had some evidence that the defendant, five years prior to the search, had shipped items to China knowing that they were going to be transshipped to Iran. When the investigating special agent learned that the defendant had traveled to the United States, the agent decided to have CBP seize the defendant’s laptop at LAX when he departed the country. The laptop was then shipped to San Diego where the hard drive was imaged. Specialized software was then used to search the contents of the hard drive. More than 20,000 files and a large number of emails were retrieved which, after review by the special agent, provided evidence of the Iran exports that occurred five years earlier. The special agent then applied for, and obtained, a search warrant seeking authority to seize those emails and documents which then served as a basis for the prosecution before the federal district court in the District of Columbia.

The Court’s decision that the search was unreasonable relied on a number of factors. First, the court noted that suspicion of prior criminal activity was not a reasonable suspicion that could support a warrantless search at the border. Such a search could only be justified on the basis of a suspicion of imminent or ongoing criminal activity, not past criminal activity, and there was no reason for the agent to suspect ongoing or imminent criminal activity. Instead he was just fishing for evidence of past criminal activity.

Second, the court distinguished the type of search that occurred from a routine border search that could be justified by reasonable suspicion of ongoing or imminent criminal activity. The court noted that the actual search occurred long after the passenger had departed and hundreds of miles from the border where the laptop was seized. Additionally, it was a search of unlimited scope and unlimited duration. This, the court felt, was far different from opening and examining a passenger’s luggage or briefcase at the border for a search prior to departure.

The court also seemed troubled by misrepresentations made by the DHS Special Agent when he did finally apply for a warrant to seize the documents obtained from the defendant’s hard drive. The affidavit in support of the application for a warrant represented to the court that the warrant was needed to enable a search of the “mind-boggling” amount of data on the hard drive and that the extraction of the data “may take weeks or months.” In fact, this was all a charade (to use a polite term); all of the extraction had already occurred and no further searches of the hard drive were thereafter conducted by the DHS special agent or the government.

Although the court did not directly focus on this, another factor seems dispositive here. Warrantless searches are normally justified by some exigency for the search which makes it difficult to obtain a warrant in advance. In a typical border search, the luggage or briefcase being examined is about to leave the country and seeking a warrant before that departure would be impractical. Here, however, the government had the luxury of all the time in the world to image the hard drive and examine its contents. There is no possible reason as to why it was impractical to get a warrant before extracting the data and rifling through its contents.




When Economists Write Regs, Everybody Loses

Posted by at 9:38 pm on May 7, 2015
Category: General

Photo: Dr. Brian Moyer, BEA Director

Are you an individual residing in the United States? Do you have no ownership interest in any foreign enterprise? Have you yet filed a Form BE-10 with the Bureau of Economic Analysis (“BEA”) informing them that you don’t have any ownership interest in any foreign business? No, you haven’t? Well, if you don’t file that form with the BEA by May 29, 2015, you can be fined $10,000. You’re welcome.

So get to it and get that BE-10 Claim for Not Filing filed. You can file it electronically here. Oh, and where else but in DC would you have to file a claim for not filing?

Now, it may not actually be the case that you have to file, but that is not what BEA’s regulations say. They say clearly that you have to file. The relevant section is 15 C.F.R. § 801.8, which establishes the mandatory filing requirement for U.S. persons with respect to their interests, or lack thereof, in foreign business enterprises. It says this:

(a) Response required. A response is required from persons subject to the reporting requirements of the BE-10, Benchmark Survey of U.S. Direct Investment Abroad—2014, contained herein, whether or not they are contacted by BEA. …

(b) Who must report. (1) A BE-10 report is required of any U.S. person that had a foreign affiliate—that is, that had direct or indirect ownership or control of at least 10 percent of the voting stock of an incorporated foreign business enterprise, or an equivalent interest in an unincorporated foreign business enterprise, including a branch—at any time during the U.S. person’s 2014 fiscal year.

(2) If the U.S. person had no foreign affiliates during its 2014 fiscal year, a “BE-10 Claim for Not Filing” must be filed by the due date of the survey.

This couldn’t be much clearer, could it? Everyone must file who is required to report, even if they are not contacted by BEA. And section (b), which defines “who must report,” includes in subsection (2) U.S. persons without foreign affiliates, who therefore must file a BE-10 Claim for Not Filing.

It is possible, indeed quite likely, that what BEA meant to say, but could not manage to actually say, is that the BE-10 Claim for Not Filing only must be filed by persons contacted by BEA to file and who did not have a 10 percent or greater interest in a foreign enterprise. So even though section (b) purports to define “who must report” that definition only means to cover people described in (b)(1) — who have a 10 percent interest — and not those described in (b)(2) who don’t.

First moral of the story: Economists shouldn’t write regulations and lawyers shouldn’t run the economy.

Second moral of the story: If you are a U.S. person (business or individual) and you do have a 10 percent interest in a foreign enterprise, you have to file a BE-10 by May 29, 2015, something which I suspect many companies don’t know right now.




On a Slow Boat to Cuba

Posted by at 8:48 pm on May 6, 2015
Category: Cuba Sanctions, OFAC

The Office of Foreign Assets Control issued “guidance” on the new Cuba travel regulations. In fact, the “guidance” says little that isn’t already in the regulations, but it does serve as a reminder of at least one of the quirks in the Cuba sanctions that persists despite recent reforms.

In particular, the guidance points out that the regulations only provide for the transport of authorized travel between the United States and Cuba by aircraft. No cruises allowed, unless the boat gets a specific license to provide service to Cuba for persons authorized to go to Cuba.

Now let’s dive down the rabbit hole into the “Wonderland” of export control, where if OFAC and the Bureau of Industry and Security (“BIS”) “had a world of [their] own, everything would be nonsense.”

You might think that once the boat got a license to provide service to Cuba, that would be the end of it, right?

(“‘You don’t know much,’ said the Duchess, ‘And that’s a fact.'”)

No, because OFAC licenses providing the travel service to Cuba and BIS licenses the export of the boat to Cuba.

(“At last the Dodo said, ‘everybody has won, and all must have prizes.'”)

And, yes, once the boat crosses into Cuban waters, you’ve “exported” the boat to Cuba, even if the boat turns around and heads straight back for the United States.

(“‘When I use a word,’ Humpty Dumpty said, in rather a scornful tone, ‘it means just what I choose it to mean — neither more nor less.'”)

If travel is provided by an airplane “of U.S. registry operating under an Air Carrier Operating Certificate” instead of a boat, then the short little foray into Cuban territory is covered by License Exception AVS, and no license is required.

(“When I used to read fairy-tales, I fancied that kind of thing never happened, and now here I am in the middle of one!”)

So what is the difference, for any conceivable policy purposes, between an airplane and a boat?

(“The Hatter opened his eyes very wide on hearing this; but all he said was, ‘Why is a raven like a writing-desk?'”)

All I can figure is that a boat is more comfortable and has better food than the coach cabin of an airplane, and the U.S. doesn’t want to make it all that easy to get to Cuba.

(“No, I give it up,” Alice replied: “What’s the answer?” “I haven’t the slightest idea,” said the Hatter.)
