Dangers of U.S. Export Control Law & the Cybersecurity Market


Andrew Bigart

This article examines the export controls applicable to the field of cybersecurity, an increasingly global industry in which U.S. companies sell their products and services to multinational companies, U.S. agencies with overseas operations, and even foreign governments, when permitted. The cybersecurity market – both public and private – hit $60 billion in 2011 and is expected to increase steadily over the next several years. Indeed, cybersecurity is one of the few defense “growth” areas to buck recent U.S. budget cuts.

As U.S. companies continue to expand in the market, however, so too does the risk of non-compliance with the confusing web of U.S. laws and regulations that govern export-related activities. U.S. law places the burden of complying with export controls and economic sanctions squarely on U.S. companies and their officers and employees. The cybersecurity industry is no exception, and may be particularly vulnerable to government scrutiny given the strategic need to protect U.S. technological advantages, critical infrastructure, and access to confidential information. In this regard, violating U.S. export laws can result in criminal law enforcement actions, jail time, and significant fines and penalties, including debarment from federal contracting.

U.S. Export Controls

The U.S. government maintains a complex set of regulations that govern the export of goods – including technology, software, and technical data – to foreign countries and specified foreign entities and individuals.

The State Department’s Directorate of Defense Trade Controls (DDTC) regulates the export of defense articles, related technical data, and defense services listed on the United States Munitions List (USML) through the International Traffic in Arms Regulations (ITAR). All manufacturers, exporters, and brokers of defense articles, related technical data and defense services are required to register with DDTC. Registration with DDTC is a prerequisite to applying for export licenses.

The Department of Commerce’s Bureau of Industry and Security (BIS) regulates anything that is not listed on the USML, including the export of commercial and dual-use commodities, software, and technology through the Export Administration Regulations (EAR). Both DDTC and BIS regulate exports depending on an item’s technical characteristics, destination, end-user, and end-use. In this regard, cybersecurity products and services present a challenge because the exports may contain a mixture of different software, encryption functions, and controlled technical information.

Finally, although not the focus of this article, it’s import to note that the Department of Treasury’s Office of Foreign Assets Control (OFAC) enforces trade embargoes and economic sanctions against specific countries (Cuba, Iran, North Korea – you get the picture) and individuals and entities (terrorists, narcotics traffickers and other bad guys). OFAC publishes the names of these ne’er-do-wells in the “Specially Designated Nationals” or “SDN” list. (BIS also maintains several lists of prohibited persons). Together, the Commerce and State export controls and OFAC sanctions programs are designed to protect U.S. foreign policy interests and to prevent U.S. persons from doing business with the wrong types of customers.

Classifying Cybersecurity Products and Services for Export Purposes

Whether an export license or other authorization is required for the export of a cybersecurity product is a fact-specific determination that includes a review of the items or services being exported, the destination, end-user and end-use. Given the complexity in classifying cybersecurity-related items, many companies request commodity jurisdiction determinations from the export agencies for guidance on whether their products are properly classified under the DDTC or BIS frameworks. These determinations, which are published, in part, by DDTC and BIS, highlight the breadth of USML and EAR classifications that potentially cover cybersecurity products and software. For example, DDTC has advised that a company’s “Customizable USB thumb drive that conducts targeted searches of digital assets for critical files” is classified under the USML section XI, which covers military electronics, as are certain military-grade GPS and cryptography products.

On the other hand, data manipulation software that uses Security Socket Layer (SSL) encryption usually qualifies for BIS’s “Mass Market Encryption” exception for items classified under Export Control Classification Numbers 5A992 and 5D992. This exception allows certain “publicly available” software to be exported to most countries without a license if the exporter registers with BIS by obtaining an Encryption Registration Number.

Moreover, both DDTC and BIS regulations define an export as including the disclosure (orally or visually) of technical information or software to a foreign person. Thus, a “deemed export” takes place when technology or software is released to foreign a person or national for visual inspection (such as reading technical specifications, plans, blueprints, etc.); when technology is exchanged orally with a foreign person or national; or when technology is made available by practice or application to a foreign person or nationals under the guidance of persons with knowledge of the technology. Depending on the nature of the technology and the country to which the technology is disclosed, releasing technology to a foreign person or national may require an export license (or in the case of ITAR possibly a Technical Assistance Agreement, depending on the individual circumstances).

Why Should The Cybersecurity Industry Care?

As the importance of cybersecurity has grown from a national defense perspective, so too has the U.S. government’s focus on regulating the export of sensitive technology. A number of recent U.S. government enforcement actions involve U.S. persons selling software, encryption products, and other cybersecurity related information abroad:

  • In 2010, a resident of China was sentenced by a federal court to serve 96 months in prison for his efforts to obtain sensitive encryption, communications, and global positioning system equipment without a DDTC license.
  • In 2009, a U.S. national working for Technical Integration Group was sentenced to six years in prison and paid $1.1 million for exporting mobile telecommunications equipment containing encryption properties to Iraq, in violation of the then U.S. embargo on Iraq.
  • In 2008, two companies paid administrative penalties to settle BIS allegations that the companies exported U.S.-origin engineering software to Iran and to companies on the BIS Entity List without the required licenses.
  • In 2002, Neopoint Inc. paid a $95,000 civil penalty to settle charges that it unlawfully exported 128-bit encryption software to South Korea.

The consequences for non-compliance with U.S. laws overseas are severe and can include large monetary fines per violation for businesses, and similar monetary fines and imprisonment for individuals. On top of that, in cases of significant violations, the consequences can include a denial of future export privileges and federal contract debarment, which is particular onerous for cybersecurity companies dependent primarily on business from U.S. government contracts.

What Can My Company Do To Minimize Risk When Selling Abroad?

The first step in minimizing export-related risk is to understand the nature of your business and potential customers, including the who, what, and where of every export transaction. The U.S. government expects companies that export to inform themselves of the facts of any export transaction and exercise reasonable care in complying with applicable U.S. export requirements. This process requires companies to determine the appropriate export classifications for their products and services. If any of your products or services falls under the USML, then you must register with DDTC as a manufacturer, exporter, or brokerer.

The next step is to develop a compliance plan that is tailored to your company’s specific export needs. A compliance plan should address, at a minimum, the following:

  • Overview of applicable laws;
  • A list of prohibited activities and employee responsibilities;
  • Regular compliance training for employees;
  • Required checking of all business partners and customers against OFAC’s SDN list on a transactional basis;
  • Rigorous internal financial and audit controls to monitor export and FCPA compliance; and
  • Required due diligence on all agents or independent contractors and required written contracts with export, economic sanctions, and FCPA prohibitions and certifications.

Finally, under U.S. law, exporters that become aware of – or should be aware of – “red flags” are required to resolve them before proceeding with a transaction. Monitoring the activities of your business partners overseas is particularly important because the conscious avoidance of knowledge of wrong doing is not a defense. Typical red flags include:

  • Transactions with incomplete information regarding end users, country of origin or destination;
  • Exportation of products that do not not fit the buyer’s line of business;
  • Unusual contract terms, payments in cash, or requests for high commissions;
  • Direct or indirect payments to government officials or their families or payments to persons outside the normal scope of a transaction;
  • Payment for travel, lodging, or business expenses or extravagant gifts or entertaining of government officials or their families; and
  • Consultants who are connected with a foreign government or political party.

What if a Potential Violation Arises?

Unfortunately, for some companies the legal risks of doing business abroad are not apparent until something goes wrong. If you discover questionable business practices regarding your export-related activities, stop the conduct in question immediately and report the activities to your company’s compliance officer. If your company finds itself in such a position, consider the option of a voluntary disclosure. Each of the agencies discussed above – Commerce, State, and OFAC – maintain procedures that encourage companies to self-report violations under certain circumstances. Although these programs do not allow companies to evade liability completely, they do offer reduced penalties and other incentives.

Conclusion

There is no doubt that the export market for cybersecurity products and services remains an attractive and growing market for U.S. exporters. Before taking the leap overseas, however, take the time to review and understand your company’s responsibilities under U.S. export control and economic sanctions. An ounce of prevention in this regard goes a long way in keeping your business profitable and out of trouble.

Eric Savitz, Forbes Staff  -  Guest post written By Andrew Bigart

Andrew Bigart is an associate with Venable LLP, a Washington-based law firm.

Newscribe : get free news in real time

Related posts:

 Washington seeks to extend hegemony to trade

China successfully launches two more Beidou navigation satellites


China has moved a step closer to completing its own navigation and positioning satellite network with the launch of two more navigation satellites.

 China plans to launch 35 navigation satellites

It brings the Beidou system, which became operational with coverage of China last December, to 13 satellites.

To have global coverage, the country eventually aims to have 35 satellites in orbit by 2020.

China hopes that Beidou will wean it off the US Global Positioning System.

Just like GPS, the Chinese system is designed to let users determine their positions to within a few meters.

Beidou, also known as Compass, has been developed for both military and civilian uses.

The two satellites went up on Monday morning from the Xichang Satellite Launch Centre in southwest Sichuan province.

They were carried on a Long March-3B rocket, according to the state-run Xinhua news agency.

“The two satellites will help improve the accuracy of the Beidou, or Compass system,” Xichang Satellite Launch Centre said in a statement carried by the agency.

GPS
  • Sat-nav systems determine a position by measuring the distances to a number of known locations – the spacecraft constellation in orbit
  • In practice, a sat-nav receiver will capture atomic-clock time signals sent from the satellites and convert them into the respective distances
  • A sat-nav device will use the data sent from at least four satellites to get the very best estimate of its position – whether on the ground or in the sky
  • The whole system is monitored from the ground to ensure satellite clocks do not drift and give out timings that might mislead the user

Now partially operational, Beidou makes China only the third country in the world, after the US and Russia, to have its own navigation system.

Russia’s Glonass satellite network has 31 satellites in orbit, but only 24 of them are operational. Four more are in reserve, one undergoing trials, and two under maintenance.

According to the Russian Space Agency, Roscosmos, Russia plans to spend $694m (£427m) on its Glonass system this year.

At a recent annual Satellite Navigation Forum in Moscow, Russia’s deputy prime minister Vladislav Surkov said that more than 300 billion roubles (£6bn, $10.2bn) have been budgeted to further develop Glonass and bring 30 satellites into operation by 2020.

Europe has also been building a navigation system, called Galileo, which has two satellites in orbit, launched in October last year. The next two are scheduled to follow later this year.

The space project of the European Commission, the EU’s executive arm, plans to have all 26 Galileo satellites in orbit by the end of 2015. – BBC Newscribe : get free news in real time

Play Video

 China has successfully launched a pair of navigation satellites. The launch took place on Sunday Morning from Xichang Satellite Launch Center and marks the first time the Long March 3B launch vehicle has been used for this kind of mission.

The Compass Navigation Satellite System is China’s second-generation satellite navigation system, capable of providing continuous, real-time passive 3D geo-spatial positioning and speed measurement.

The Long March-3B rocket carrying two satellites blasts off from the launch pad at the
Xichang Satellite Launch Center in Xichang,southwest China’s Sichuan Province,on April
30,2012.China successfully launched two satellites into space Monday morning,the 12th
and 13th of its indigenous global navigation and positioning network known as Beidou,
or Compass system,the launch center said.(Xinhua/Tao Ming)

http://player.cntv.cn/standard/cntvOutSidePlayer.swf?v=0.171.5.8.9

Related posts:

China implements Beidou navigation satellite system

Chinese Rocket Launches New Navigation Satellite

Follow

Get every new post delivered to your Inbox.

Join 1,155 other followers