Page 1: Export Controls and Cybersecurity 28 Oct 2015 FINAL

Cybersecurity & Export Controls

Jeremy Otis, F-Secure Corporation

28 October 2015

Page 2

© F-Secure Confidential

Export Compliance: What?

UN Sanctions

US Sanctions & Licensing:
- OFAC = embargoed countries and SDN list
- Dept. of Commerce/BIS = export licenses
- Dept. of State/ITAR = licenses for military goods

EU Sanctions & Licensing:
- National-level licensing requirements (dual-use)
- Unilateral embargoes (numerous countries; generally on human rights grounds)
- Financial restrictions/prohibited transactions

Multilateral treaties (e.g. Wassenaar Arrangement): must be implemented by individual signatory states to apply

Page 3

Export Compliance: Challenges for In-house Counsel

Determining the export control regimes applicable to your organization:
- UN; US vs EU vs national laws
- Persons/nationals/entities
- Dual-use tech/classification/licensing
- Subsidiary compliance

Raising "C suite"-level awareness vs other competing compliance obligations (e.g. FCPA)

Limiting markets/suppliers & brand considerations: what is right vs what is legal

Keeping up with current events (e.g. 2014 Russia/Ukraine sanctions)

Who can advise? (e.g. US nationals/Iran "facilitation" ban)

Page 4

Export Compliance: Why?

US:
- No finding of intent is necessary for administrative violations; cases may be brought in a wider variety of circumstances than criminal cases.
- Manufacturers of finished goods/tech are liable for all aspects of their offerings, including 3rd-party items.
- Violators may be subject to both criminal and administrative penalties, especially if the violation is willful or if the EAR have been disregarded.
- Civil penalties of $250,000 or twice the value of the transaction, whichever is greater, may be imposed for each violation.
- Criminal violations may result in fines up to $1,000,000 and/or up to 20 years in jail.
- Administrative penalties may also include denial of export privileges; others may not participate in an export transaction with you as a "denied person."
- Debarment from US gov't procurement (FAR/DFARS)

Page 5

Export Compliance: How?

1. Implement clear policies, updated frequently
   - Company-wide training; internal reporting/whistleblower mechanism
   - Show management support & cross-organization accountability
2. Perform regular audits
   - Internal: order intake, contracts ("know your customer")
   - Suppliers & resellers ("know your partner/know your supplier")
   - Automated compliance process controls are useful BUT regulators/prosecutors will look for the "human touch"
3. Take immediate corrective action on prohibited transactions
   - Monitor post-delivery actions (e.g. support calls from Iran)
4. If investigated, engage outside counsel to ensure some attorney-client privilege
   - Existence of in-house counsel privilege questionable – don't count on it!

Page 6

Export Controls & Sanctions: EU vs. US

Sanctions:
- US Iran and Cuba sanctions apply to non-US subsidiaries of US parents
- Extended jurisdiction: "cause a US person to breach US law"
- US comprehensive embargoes (Iran, Syria, Sudan, Cuba) vs. EU "smart sanctions"

Export Controls:
- Extraterritorial impact of US export controls
- No re-export controls in the EU
- More unilateral (e.g. ECCN 5A992) controls in the US
- No deemed exports in the EU (but look at some national rules closely!)
- No de minimis rule in the EU
- Dealing in illegally exported items under US export controls
- EU adopted the 2013 Wassenaar update re "intrusion software"; US implementation pending as of Autumn 2015

Page 7

Encryption Software Controls

Page 8

Basics

Restrictions on encryption have a different/broader purpose than other export controls: ensuring (gov't) access to sw/data, not just where/by whom/for what purpose the item will be used.

Purpose & focus of regulating encryption sw has evolved over the last 20 years:
- 1995: 1st US rules enacted; encryption rare, nearly everything classified dual-use, licensing processes very rigid/long
- Today: encryption is ubiquitous & applicability of controls (more) limited to military items; self-classification/certification available for most consumer-grade encryption items
- Focus has shifted from enabling access to controlling (cyberintrusion) tools & potential threats

Page 9

Key Developments in US Encryption SW Licensing

Many drastic reforms witnessed since 2008:
- Categories of military-use sw now much more specific; many less-sensitive items moved from ITAR (Dept. of State/military use) to Dept. of Commerce (dual-use)
- DoC/BIS has much broader discretion to waive the license requirement
- 70% reduction in the number of licenses required/issued for encryption items to "STA 36" countries
- 2011: broad expansion of license exception ENC/NLR
- Today, 90% of commercial encryption sw is subject only to self-classification/certification
- DoC/BIS Technical Advisory Committee works with industry to agree and set technical parameters for export control

Today, far fewer commercial encryption sw items are subject to formal US licensing reqs

Page 10

US: Key Export Concepts

Key administrative/regulatory bodies:
- Dept. of Treasury/OFAC = embargoed countries and SDN list
- Dept. of Commerce/BIS = export licenses
- Dept. of State/ITAR = licenses for military goods

The Export Administration Regulations (EAR) control the export and re-export of most commercial items, enforced by the U.S. Department of Commerce through its Bureau of Industry and Security (BIS). Products or services with military or proliferation applications are regulated by the International Traffic in Arms Regulations (ITAR), enforced by the U.S. State Department. Commercial products and services may also have a military use. Those having both commercial and military or proliferation applications are called "dual-use" and are also subject to the EAR. EAR jurisdiction covers all items in the U.S., regardless of origin, certain items outside the U.S., certain activities of U.S. persons, and releases of source code or technology to foreign nationals in the U.S. or abroad.

So most items are subject to the EAR, but a relatively small percentage of all U.S. exports and re-exports require a BIS license unless the destination is embargoed or has been designated as supporting terrorist activities.

Certain individuals and organizations are prohibited from receiving U.S. exports (e.g. SDNs, Russia list); others may receive goods only if they (the recipients) are licensed, even if the items themselves would otherwise be license-exempt. Finally, some end-uses are prohibited while others may require a license.

Page 11

Export/Re-export

**US export control laws have broad extraterritorial application; exports from other countries must comply with the export control laws of that country as well as U.S. export control laws**

US export control laws apply to the export and re-export of goods and technology (by phone, fax, download, technical assistance, etc.) from the U.S.

Re-export includes:
- U.S.-origin goods and technology from one foreign country to another
- Foreign-made items containing U.S. components
- Foreign-made items that are the "direct products" of certain U.S.-origin technical data or software

Page 12

EU SW Controls - Key Concepts & Distinctions

- Export -> trans-frontier transfer to any non-EU country
- No controls on re-export or deemed exports
- UGEA EU001 license permits general export of encryption products to EEA/NA/ANZ/JAP
- National rules govern most other encryption licensing reqs.
- Dual use OR country-by-country restrictions (human rights, e.g. Iran)
- No/few mandatory formal classification reqs in the EU
- NO counterpart to US "ENC" and "TSU" exemptions, i.e., no exception for "mass market" encryption items
- Record keeping (3 yrs + national rules)
- Iran: US (statutory) sanctions continue after the Q4 2015 implementation day
  - EU vendors get a big head start
  - "Facilitation ban" for US nationals continues

Page 13

Classification of US-Origin Encryption Items

Determine whether the item is:
- An encryption item
- An ancillary encryption item (Note 4 to Category 5, Part 2)
- A mass-market item (Note 3 to Category 5, Part 2)
- B2, B3, or B1 category

NO ENCRYPTION OR WEAK ENCRYPTION
- No encryption = ECCN EAR99 or 5A991; weak encryption = ECCN 5A992 or 5D992
- Generally, no license required or products may ship under a license exception
- *License is required for any delivery to Cuba, N. Korea, Iran, Sudan, and Syria*

ENCRYPTION
- Mass market – ECCN 5A992 or 5D992; Unrestricted – ECCN 5A002.a.1 or 5D002.c. Generally, no license required or products may ship under a license exception (ENC/TSU)
- Restricted – ECCN 5A002.a.1 or 5D002.c.1 - License required for government / military / defense contractors outside the "License-Free Zone" (~EU/EEA + ANZ/Japan)

Page 14

ENC CHART (740.17)

Columns: Sub-paragraph | Item Description or Purpose of Export | ECCN | End User Authorized (outside E:1) | Submission Requirements

(a)(1)
- Item/purpose: Development/production only
- ECCN: 5A002.a1, .a2, .a5, .a6, .a9, 5A002.b, 5B002, 5D002, 5E002
- End user authorized: Private end user HQ'd in Supp. 3 countries
- Submission requirements: None*

(a)(2)
- Item/purpose: Any internal purpose
- ECCN: 5A002.a1, .a2, .a5, .a6, .a9, 5A002.b, 5B002, 5D002, 5E002
- End user authorized: U.S. subsidiaries (employees, interns, contractors)
- Submission requirements: None*

(b)(1)
- Item/purpose: All encryption items except items described in (b)(2) and (b)(3)
- ECCN: 5A002.a1, .a2, .a5, .a6, .a9, 5B002, 5D002
- End user authorized: All except E:1 countries
- Submission requirements: 1. Encryption Registration (submit Supp. 5, Part 742 in SNAP) -> ERN; 2. Annual Self-Classification Report (submit Supp. 8, Part 742 by email)

(b)(2)
- Item/purpose: Network infrastructure, source code, designed for gov't, custom crypto, modifiable crypto, quantum crypto, penetration testing, public safety radio, cryptanalytic, non-standard tech, OCI, encryption technology
- ECCN: 5A002.a1, .a2, .a5, .a6, .a9, 5A002.b, 5B002, 5D002, 5E002
- End user authorized: Immediate export to Supp. 3; 30-day wait outside Supp. 3; no gov't outside Supp. 3; cryptanalytic/source code: no gov't; non-standard/cryptanalytic tech and OCI: Supp. 3 only; 5E002: no D:1 countries (unless HQ'd in Supp. 3)
- Submission requirements: 1. Encryption Registration (submit Supp. 5, Part 742 in SNAP) -> ERN; 2. Classification request w/30-day wait (submit Supp. 6, Part 742 in SNAP); 3. Semi-annual report by email (see 740.17(e))

(b)(3)
- Item/purpose: (i) Encryption components: chips, electronic assemblies, crypto libraries, toolkits, dev kits; (ii) Non-standard crypto items; (iii) Digital forensics
- ECCN: 5A002.a1, .a5, .a6, 5A002.b, 5D002
- End user authorized: Immediate export to Supp. 3 countries; 30-day wait outside Supp. 3 countries
- Submission requirements: 1. Encryption Registration (submit Supp. 5, Part 742 in SNAP) -> ERN; 2. Classification request w/30-day wait (submit Supp. 6, Part 742 in SNAP); 3. Semi-annual report for (b)(3)(iii) only, by email (see 740.17(e))

(b)(4)
- Item/purpose: (i) Short-range wireless; (ii) Foreign device with US encryption parts
- ECCN: 5A002.a1, .a5, .a6, 5B002, 5D002
- End user authorized: All except E:1 countries
- Submission requirements: None

Page 15

US LICENSE EXCEPTION TSU

TSU scope. In certain cases, license exception TSU (Technology and software—unrestricted) may be available for:
- Operating technology and software (section 740.13(a))
- Sales technology and software (section 740.13(b))
- Bug fixes (section 740.13(c))
- General software notes—"mass market software" (section 740.13(d))
- Publicly available encryption source code (and corresponding object code) (section 740.13(e))

The TSU license exception can be used for operating technology and software as follows: "Operation technology" is the minimum technology necessary for the installation, operation, maintenance (checking), and repair of those commodities or software that are lawfully exported or reexported under a license, a License Exception, or NLR. The "minimum necessary" operation technology does not include technology for development or production and includes use technology only to the extent required to ensure safe and efficient use of the commodity or software.

Operation software may be exported or reexported so long as it is the minimum necessary to operate equipment authorized for export or reexport and the operation software is in object code.

Operation software and technology may be exported or reexported to any destination to which the equipment for which it is required has been or is being legally exported or reexported.

Who can use TSU. U.S. persons and foreign persons, to export eligible operation technology or software to a company's employees (both U.S. and foreign) located abroad. Further, foreign national employees of the recipient company may use this license exception to reexport operation technology and software to third parties so long as the equipment has been, or will be, legally exported. Per the above, operation software can only be exported and reexported in object code.

Page 16

License Exceptions ENC/TSU: Practical Steps

For unrestricted (consumer) items:
- File/receive Encryption Registration Statement/Number from Commerce Dept./BIS
- (Self-)classify and file an annual report for each item

For restricted items:
- File/receive encryption classification ruling (CCATS) from BIS
- If gov't end user outside of the "license-free zone", obtain an export license from BIS
- File semi-annual US export sales reports with BIS

Online filing via SNAP-R

Page 17

Cybersecurity & Wassenaar

Page 18

Wassenaar Arrangement

= multilaterally agreed control list of dual-use goods with possible military applications that are subject to export licensing

- In 2013, the dual-use list was expanded to include tools related to the development of "intrusion software" and "IP network surveillance systems"
- Such tools can be used by police and other authorities against their citizens, and thus there is a (perceived) need to regulate the cross-border trade in "spyware"
- The new rule potentially covers many malware and bug reporting tools which are the lifeblood of security R&D
- The EU has implemented this addition to the Wassenaar list BUT the US has not
- Due to this imbalance, EU security sw companies are placed at a potential disadvantage
- Mandatory export licensing will have a chilling effect on R&D in the global security software sector and could potentially cripple the EU security industry

Page 19

"Intrusion software"

Def: software that is specially designed to avoid detection by security monitoring tools (such as antiviruses or firewalls) or to defeat protective countermeasures (namely the memory protection functions of operating systems) in order to (a) extract or modify data of the device, or (b) allow the execution of externally provided instructions.

Intrusion software itself is not an item controlled under the Wassenaar Arrangement. Rather, this control focuses on items that have a specified relationship with intrusion software, specifically:
- "equipment" [4.A.5.] or "software" [4.D.4.] specially designed or modified to be used for the generation, operation, or delivery of, or communication with, intrusion software; or
- "technology," such as technical schematics or technical assistance, necessary for the development of an intrusion software product [4.E.1.c.]

Intrusion software does not include:
- debuggers and software reverse engineering tools
- digital rights management systems
- asset recovery software that is installed by manufacturers, administrators, or users
- software that is generally available to the public (available for free or purchase through unrestricted retail-style sales and not requiring substantial support from the seller)

Most common malware R&D tools (remote control sw, penetration testing tools, vulnerability reports) potentially fall under the new Wassenaar list and would be subject to (national) export licensing requirements

Page 20

The Debate

- European Commission (2015): human rights and security are "inexorably interlinked"
- European export control regime(s) must find a balance which allows for the free flow and use of day-to-day security-sector R&D w/o bad sw getting into the hands of bad people
- Activities of certain European vendors providing cybersecurity services to repressive governments & law enforcement agencies have come under close scrutiny (e.g. HackingTeam/Egypt; FinFisher)
- Restrictions on the free exchange of malware tools etc. will have a chilling effect on cybersecurity R&D
- Effective implementation of the new Wassenaar rules requires at a minimum:
  - clear guidelines from the EC & establishment of a help desk for inquiries
  - narrow application of Wassenaar by national authorities
  - express carve-out for day-to-day R&D tools

Recent lobbying efforts from Finland:
- Sept. 2015: FSC attends European Parliament public hearing
- Oct. 2015: FSC, SSH, Nixu all individually participated in public commentary to the European Commission
- Nov. 2015: Finnish cybersecurity companies submit joint position paper to the EC

Page 21
