Deciphering the Complexities Associated with Exporting Encryption Software

Don Miller

The stated goal of National Cyber Security Awareness Month 2014 is to “increase the American public’s understanding of basic cyber security practices and the role each of us plays in keeping cyberspace safe and secure.”  Export control is a vital cog in our country’s cybersecurity infrastructure, because it helps to prevent sensitive U.S. technology from falling into the hands of our enemies.  Yet few people actually know much about the export control process.

In the spirit of increasing understanding of cyber security practices during National Cyber Security Awareness Month, we would like to share with our readers a recent export control case involving encryption technology, a fundamental feature of any enterprise-level managed file transfer solution.  The case offers a glimpse into the basics of how government and industry are supposed to work together within the export control system to protect our cybersecurity infrastructure.

The Wind River Case

The Department of Commerce, Bureau of Industry and Security (“BIS”), charged Wind River Systems with violations of export control laws for making unauthorized sales of encryption software to foreign government customers and to organizations on BIS’s “Entity List.” The BIS press release summarizes the underlying facts:

Between 2008 and 2011 the company made 55 exports of operating software valued at $2.9 million to governments and various end users in China, Hong Kong, Russia, Israel, South Africa, and South Korea.  The operating software is controlled under Export Administration Regulations for national security reasons, and some of the export recipients in China are on the BIS Entity List.

If you are not familiar with the export control process, this case information probably raises many questions.  Who is BIS?  Are there rules preventing my company from selling encryption software to foreign governments/entities?  Can BIS “charge” a company for violating these rules?  Provided below are summary answers to these and other questions, along with links to the BIS website containing more detailed information relating to each subject.

  • The Agency

BIS’s mission is to advance the security of the United States, which necessarily includes cyber security.  To that end, BIS is responsible for regulating the export of sensitive technologies while taking “great care to ensure that its regulations do not impose unreasonable restrictions on legitimate international commercial activity that is necessary for the health of U.S. industry.”

  • The Control Lists

To provide guidance to industry, the federal government publishes three lists of export-controlled items:  Commerce Control List (CCL), United States Munitions List (USML), and Nuclear Regulatory Commission Controls (NRCC).  Items can be included on these lists for multiple reasons, from guarding our national security, to protecting our national economy, to supporting our national foreign policy.

BIS determined that Wind River’s encryption software is export-controlled by means of the CCL for “national security purposes.”  Generally speaking, the CCL governs technology items that are “dual-use,” meaning they have actual/potential military uses in addition to civilian/commercial applications.  The BIS website has a page containing additional information about export controls relating to encryption products.

  • The License Procedure

Because Wind River’s encryption software is subject to export control, the company was required to submit a license request before exporting the software, but it failed to do so.  BIS has a section of its website that is “designed to assist visitors through the export licensing process and provides important information that individuals and firms need to know before exporting.”  The license process involves cooperation between government and industry to screen proposed exports for compliance with export control laws.

bTrade’s encryption products have been reviewed by BIS and were classified under ECCN (Export Control Classification Number) 5D992 NLR, meaning bTrade’s encryption products are eligible for export and re-export with no license requirements to any country but the “T5” countries, which enables our customers to have a large install base worldwide.

  • The Agency’s Enforcement Power

BIS has an elite law enforcement organization that “accomplishes its mission through preventative and investigative enforcement activities and then, pursuing appropriate criminal and administrative sanctions against export violators.”  Given the stakes, it should come as no surprise that violations can carry heavy penalties, both civil and criminal, as explained on the BIS website:

In the post-9/11 world, the export control challenge is to enable legitimate global trade in U.S. goods and technology, while keeping these items out of the hands of weapons proliferators and terrorists. BIS addresses this challenge through assisting legitimate export traders to comply with export control and antiboycott requirements, preventing violations before they occur, and bringing willful export control violators to justice.

Wind River settled charges for violating the export control laws by agreeing to pay a $750,000 civil penalty.

The Fall-Out From Wind River

There have been several articles/blogs questioning the action taken by BIS in the Wind River case.  Some say that BIS is “attacking” the export of encryption products.  Others say the case demonstrates a “fundamental change” in the way BIS deals with violations involving encryption technology.  I disagree.  Wind River was slapped with a hefty civil penalty because it failed to comply with the core requirements of the export control process, including one of its most basic components, as described below.

The Take-Away From Wind River:  Know Your Customer

BIS issued a press release related to the Wind River case, a fact that is not mentioned in the aforementioned articles/blogs.  The title of the press release—“Intel Subsidiary Agrees to $750,000 Penalty for Unauthorized Encryption Exports”—clearly identifies the basis for the fine:  “unauthorized” exports.  The press release also clearly identifies the reasons why BIS found the exports to be unauthorized: (1) failure to obtain the “required Department of Commerce licenses”; (2) sales to foreign government end-users and to organizations on the “BIS Entity List” (i.e., the “bad guys” list); and (3) violations were “ongoing over a period of several years.”

So what is BIS telling us?  That Wind River utterly and repeatedly failed to comply with even the basic export compliance steps.  This conclusion becomes abundantly clear if one considers the following quote in the press release from Assistant Secretary of Commerce for Enforcement, David W. Mills, the man who actually levied the penalty:  “This penalty should serve as a reminder to companies of their responsibility to know their customers and, when using license exceptions, to ensure their customers are eligible recipients.”

That is the take-away from the Wind River case.  For the export control system to function properly, government must be able to rely on industry to ensure that the end-use and end-user of an export complies with the export control laws.  In other words, it is industry’s responsibility to “know your customer,” and if industry fails to live up to its responsibility, the consequences can be severe, as the Wind River case shows us.