Export Controls and Cybersecurity 28 Oct 2015 FINAL


Post on 12-Apr-2017






Managing Export Control Issues in the Supply Chain: Encrypted Third Party Goods and more

Cybersecurity & Export Controls
Jeremy Otis
F-Secure Corporation
28 October 2015

Export Compliance: What?
- UN Sanctions
- US Sanctions & Licensing:
  - OFAC = embargoed countries and SDN list
  - Dept. of Commerce/BIS = export licenses
  - Dept. of State/ITAR = licenses for military goods
- EU Sanctions & Licensing:
  - National-level licensing requirements (dual-use)
  - Unilateral embargoes (numerous countries; generally on human rights grounds)
  - Financial restrictions/prohibited transactions
- Multilateral treaties (e.g. Wassenaar Arrangement)
  - Must be implemented by individual signatory states to apply

F-Secure Confidential2

Export Compliance: Challenges for In-house Counsel

- Determining export control regimes applicable to your organization
  - UN; US vs. EU vs. national laws
  - Persons/nationals/entities
  - Dual-use tech/classification/licensing
  - Subsidiary compliance
- Raising C-suite-level awareness vs. other competing compliance obligations (e.g. FCPA)
- Limiting markets/suppliers & brand considerations
- What is Right vs. What is Legal
- Keeping up with current events (e.g. 2014 Russia/Ukraine sanctions)
- Who can advise? (e.g. US nationals/Iran facilitation ban)

Export Compliance: Why?
- US: No finding of intent is necessary for administrative violations; cases may be brought in a wider variety of circumstances than criminal cases.
- Manufacturers of finished goods/tech are liable for all aspects of their offerings, including 3rd party items.
- Violators may be subject to both criminal and administrative penalties, especially if the violation is willful or if the EAR have been disregarded.
- Civil penalties of $250,000 or twice the value of the transaction, whichever is greater, may be imposed for each violation.
- Criminal violations may result in fines up to $1,000,000 and/or up to 20 years in jail.
- Administrative penalties may also include denial of export privileges; others may not participate in an export transaction with you as a denied person.
- Debarment from US govt procurement (FAR/DFARS)

Export Compliance: How?
1. Implement clear policies, updated frequently
   - Company-wide training; internal reporting/whistleblower mechanism
   - Show management support & cross-organization accountability
2. Perform regular audits
   - Internal: order intake, contracts (know your customer)
   - Suppliers & resellers (know your partner/know your supplier)
   - Automated compliance process controls are useful BUT regulators/prosecutors will look for the human touch
3. Take immediate corrective action on prohibited transactions
   - Monitor post-delivery actions (e.g. support calls from Iran)
4. If investigated, engage outside counsel to ensure some attorney-client privilege
   - Existence of in-house counsel privilege is questionable; don't count on it!

Export Controls & Sanctions: EU vs. US

Sanctions
- US Iran and Cuba sanctions apply to non-US subsidiaries of US parents
- Extended jurisdiction: causing a US person to breach US law
- US comprehensive embargoes (Iran, Syria, Sudan, Cuba) vs. EU smart sanctions

Export Controls
- Extraterritorial impact of US export controls
- No re-export controls in the EU
- More unilateral (e.g. ECCN 5A992) controls in the US
- No deemed exports in the EU (but look at some national rules closely!)
- No de minimis rule in the EU
- Dealing in illegally exported items under US export controls
- EU adopted 2013 Wassenaar update re intrusion software; US implementation pending as of Autumn 2015

Encryption Software Controls

Basics
- Restrictions on encryption have a different/broader purpose than other export controls: ensuring (govt) access to sw/data, not just where/to whom/for what purpose the item will be used.
- Purpose & focus of regulating encryption sw has evolved over the last 20 years
  - 1995: 1st US rules enacted; encryption rare, nearly everything classified dual-use, licensing processes very rigid/long
  - Today: encryption is ubiquitous & applicability of controls (more) limited to military items; self-classification/certification available for most consumer-grade encryption items
- Focus has shifted from enabling access to controlling (cyber-intrusion) tools & potential threats

Key Developments in US Encryption SW Licensing
Many drastic reforms witnessed since 2008:
- Categories of military-use sw now much more specific; many less-sensitive items moved from ITAR (Dept. of State/military use) to Dept. of Commerce (dual-use)
- DoC/BIS has much broader discretion to waive license requirement
- 70% reduction in the number of licenses required/issued for encryption items to STA 36 countries
- 2011: broad expansion of license exception ENC/NLR
- Today, 90% of commercial encryption sw subject only to self-classification/certification
- DoC/BIS Technical Advisory Committee works with industry to agree and set technical parameters for export control

Today, far fewer commercial encryption sw items are subject to formal US licensing reqs

US: Key Export Concepts
Key Administrative/Regulatory Bodies:
- Dept. of Treasury/OFAC = embargoed countries and SDN list
- Dept. of Commerce/BIS = export licenses
- Dept. of State/ITAR = licenses for military goods

The Export Administration Regulations (EAR) control the export and re-export of most commercial items and are enforced by the U.S. Department of Commerce through its Bureau of Industry and Security (BIS). Products or services with military or proliferation applications are regulated by the International Traffic in Arms Regulations (ITAR) and enforced by the U.S. State Department.

Commercial products and services may also have a military use. Those having both commercial and military or proliferation applications are called dual-use and are also subject to the EAR. EAR jurisdiction covers all items in the U.S., regardless of origin, certain items outside the U.S., certain activities of U.S. persons, and releases of source code or technology to foreign nationals in the U.S. or abroad. So most items are subject to the EAR, but a relatively small percentage of all U.S. exports and re-exports require a BIS license unless the destination is embargoed or has been designated as supporting terrorist activities.

Certain individuals and organizations are prohibited from receiving U.S. exports (e.g. SDNs, Russia list); others may receive goods only if they (the recipients) are licensed, even if the items themselves would otherwise be license exempt. Finally, some end-uses are prohibited while others may require a license.

Export/Re-export
** US export control laws have broad extraterritorial application; exports from other countries must comply with the export control laws of that country as well as U.S. export control laws **

US export control laws apply to the export and re-export of goods and technology (by phone, fax, download, technical assistance, etc.) from the U.S.

Re-export includes:
- U.S.-origin goods and technology from one foreign country to another
- Foreign-made items containing U.S. components
- Foreign-made items that are the "direct products" of certain U.S.-origin technical data or software

EU SW Controls - Key Concepts & Distinctions
- Export -> trans-frontier transfer to any non-EU country
- No controls on re-export or deemed exports
- UGEA EU001 license permits general export of encryption products to EEA/NA/ANZ/JAP
- National rules govern most other encryption licensing reqs.
- Dual use OR country-by-country restrictions (human rights, e.g. Iran)
- No/few mandatory formal classification reqs in the EU
- NO counterpart to US ENC and TSU exemptions, i.e., no exception for mass market encryption items
- Record keeping (3 yrs + national rules)
- Iran: US (statutory) sanctions continue after the Q4 2015 implementation day
  - EU vendors get a big head start
  - Facilitation ban for US nationals continues

Classification of US-Origin encryption items

Determine whether the item is:
- An encryption item
- An ancillary encryption item (Note 4 to Category 5, Part 2)
- A mass-market item (Note 3 to Category 5, Part 2)
- B2, B3, or B1 category

NO ENCRYPTION OR WEAK ENCRYPTION
- No encryption = ECCN EAR99 or 5A991; weak encryption = ECCN 5A992 or 5D992
- Generally, no license required, or products may ship under a license exception
- *License is required for any delivery to Cuba, N. Korea, Iran, Sudan, and Syria*

ENCRYPTION
- Mass market: ECCN 5A992 or 5D992; Unrestricted: ECCN 5A002.a.1 or 5D002.c. - Generally, no license required, or products may ship under a license exception (ENC/TSU)
- Restricted: ECCN 5A002.a.1 or 5D002.c.1 - License required for government / military / defense contractors outside the License-Free Zone (~EU/EEA + ANZ/Japan)


TSU scope. In certain cases, license exception TSU (Technology and Software - Unrestricted) may be available for:
- Operating technology and software (section 740.13(a))
- Sales technology and software (section 740.13(b))
- Bug fixes (section 740.13(c))
- General software note: mass market software (section 740.13(d))
- Publicly available encryption source code (and corresponding object code) (section 740.13(e))

The TSU license exception can be used for operating technology and software as follows: "Operation technology" is the minimum technology necessary for the installation, operation, maintenance (checking), and repair of those commodities or software that are lawfully exported or reexported under a license, a License Exception, or NLR. The "minimum necessary" operation technology does not include technology for development or production and includes use technology only to the extent required to ensure safe and efficient use of the commodity or software. Operation software may be exported or reexp