U.S. controlled goods regulations, for both the Department of Commerce Export Administration Regulations (EAR) and the Department of State International Traffic in Arms Regulations (ITAR), have an original emphasis in the movement of goods.
That is, the regulations have been geared to physical access and transfer control. Companies crate up what they’ve sold and ship it out. The product has a classification, whether on the Commerce Control List (CCL) or the United States Munitions List (USML). It might be equipment, materials, or software, but, most of the time, you can pick it up and put it into a box, or a crane puts it into a crate.
On the other hand, the export might be “technology,” defined in the EAR as “Information necessary for the development, production, use, operation, installation, maintenance, repair, overhaul, or refurbishing … of an item.” In short, tech data. Which for a long time you could also pick up and put into a box. Tech data was original or printed paper output of documents, blueprints, and drawings.
The Times, They’re Changing
Printed documents still exist, but have been gradually, and recently overwhelmingly, replaced by electronic formats, with most tech data only existing in electronic formats now. Meanwhile, the storage and handling of electronic documents has become more sophisticated, in particular with global networks, often or usually in large-scale installations in the “cloud”. For technology subject to ITAR and EAR regulations, effective management of access to these data has quickly become critically important and urgent. Nonetheless, it remainsan involved and often-large undertaking for companies.
Physical controls remain an emphasis; but, for the unlawful appropriation of U.S. technical know-how, it has always been more attractive to get hold of plans, rather than deconstruct a piece of equipment hardware. Plans are now located in cyber vaults in cloud networks, which have the possibility of being infiltrated remotely; rather than documents and drawings previously in physical vaults on a manufacturer’s premises, which entailed a different variety of in-person espionage.
Tech Data Export Compliance Tips
Managing and protecting tech data has come to the forefront in controlled goods export management. In September 2017, the Society for International Affairs (SIA) operated its first-ever workshop for IT Capabilities and Solutions for the Trade Compliance Community in McLean, Virginia, presented and attended by leading experts in cyber management. SIA conferences and seminars are proprietary and cannot be quoted in any manner, but some of the key points can be summarized.
The central burden of tech data management for controlled goods is that of being able to share sensitive information among authorized persons without putting individuals, their companies, or their country at risk. This objective has two elements: cyber security, and cyber compliance. Cyber security is primarily concerned with access — how user permissions are managed and validated, and how documents and data are protected, in particular encryption methods and standards. With some overlap, cyber compliance is concerned with the nationality and location of users and servers. Which means U.S. persons, and not necessarily U.S. persons working with foreign nationals at an offshore company, or U.S. persons located in different foreign countries. Using cloud networks adds considerations for the reliable physical location of the servers, the type and location of back-ups, and who has access to the servers and backups.
With these issues examined, tech data systems require a process model, which includes automated triggers at compliance points. Paper policy enforcement is no longer adequate. Process maps define automated workflows that must have compliance controls built in, to create alerts when requirements and the data given (authorizations, screening, and so forth) do not match. In effect, that decision processes are embedded in your IT systems, which further embed trade compliance in your data management.
Automation With Human Action
It must be added that automation can help ensure compliance, but this does not replace human action and involvement, which requires training, including a thorough knowledge and understanding of the regulations. Then, even with good training, users may not always be aware of potential transgressions. Email is a particular villain, where the status of a recipient may not be known, and the confidentiality of documents attached is not ensured. Users have to be educated about the reasons for restrictions. In particular, they should understand that exposure to tech data in emails or otherwise can be an export, and that sending defense articles out of the U.S. or exposure to foreign nationals in any manner without a license is a violation, and, without a license, may be a violation for dual-use items depending on the classification and country of destination. Controlled tech data documents can, for instance, be tagged to trigger alerts in email, or to forbid attachment.
The same applies to storing tech data on a cloud server. If the server is physically outside of the U.S., or is transferred off U.S. soil, then the data has been exported. Under the EAR, theoretical or potential access is not a violation, only when such access is actual. Rules are under working group review for the ITAR, but have not yet been implemented. In any case, potential or actual exposure can only be demonstrated with detailed, thorough logging, which depends on strict identity management, which itself has several access models. The models adopted come from company policy, which defines a process map, which is converted into procedures.
There is no process model and no procedures suited to all situations. Study by knowledgeable, experienced analysts is required as an extension of company policy in concert with regulatory requirements. The objectives are the same in all cases, however: to create the capability for effective controlled goods export decisions, to encode authorization, compliance, and prior approval checks, to ensure the security of tech data and understand its cash value and value to national security, to be compliant, and be able to demonstrate that compliance.