� Cyber Security and Export Controls: You Need to Know More Than You Already Do � AnnaLisa Nash Export Control Officer, NDSU
Why Should You Care About Export Controls? …so you can avoid HERE.
When Should You Care? NOW. U.S. export control regulations affect many activities within academia, government, and industry, including: • Employee Hiring & Payroll • R&D • Purchasing/Procurement • Classifying/licensing items/data • International Travel • Shipping • Tech Transfer/IP • Grants, Contracts, etc. • Licensed Software Agreements • Cyber Security/Controlled Info.
Key Issues: • Overview of Export Controls o Exports and Deemed Exports o ITAR, EAR, OFAC • “High Risk” Areas • International Travel & Activities, UAS • IT, “Controlled Information,” and Cyber Security o Access Controls o System Management o Transmission of Data o Shared Systems o Mobile Computing Devices • Technology Control Plans (TCPs) • Penalties • Compliance Programs and Red Flags
What are export controls? ü Federal statutes and regulations that govern the transfer of certain goods, technologies, services, data, and money to non-U.S. persons and locations. ü Export controls generally restrict the export of items/services based on the type of item, its end use, and the destination of the export.
Why do we have export controls? U.S. export control system: shaped by our national security, economic interests, and foreign policy. ü Advance foreign policy goals ü Restrict export of goods and technology that might contribute to the military expertise of adversaries ü Prevent the proliferation of Weapons of Mass Destruction (WMD) ü Fulfill international obligations (e.g., treaties) ü Prevent terrorism ü Etc.
What are exports? • physical shipment or hand-carried item(s) out of U.S. • electronic and voice transmissions out of the U.S. (emails or phone calls to a colleague at a foreign institution, or remotely accessing certain documents while traveling internationally) Includes: • tangible (physical) items – software, biological materials, chemicals equipment (etc.) • intangibles – information, research data, technologies, engineering designs, ideas (etc.) “But – I don’t ship anything anywhere!”
That seems easy enough… � but wait! Exports also include – DEEMED EXPOR DEEMED EXPORTS TS: • the release of data/technology/source code to foreign nationals within the U.S.; • the provision of training or services involving controlled equipment to foreign nationals in the U.S. or abroad; and • providing services to, or engaging in transactions with, entities and individuals who are on embargo or restricted parties’ lists. • Definition: U.S. Persons (U.S. citizens and PRs/Green Card Holders) and Foreign Persons (non-U.S. Persons)
Deemed Exports � (= same effect as an actual export) In other words, you can “export” controlled data or information to a foreign person without ever leaving your office or workplace, in violation of Federal export laws, through a simple conversation with an international colleague, or by sending an email to an international colleague within your building. We welcome our international population! However, export control laws are specific to certain international members of our community.
Deemed Exports � Examples: • Visual inspection by foreign persons of U.S.-origin equipment and facilities; • Oral exchanges of information; or • Access to a computer that possesses export controlled information and/or technology.
What laws are we talking about? We primarily are concerned with three sets of export control regulations: 1. the International T International Traffic in A raffic in Arms Regulations rms Regulations (ITAR), administered by the Department of (ITAR) State 2. the Export Administration Regulations (EAR) Export Administration Regulations (EAR), administered by the Department of Commerce 3. the Office of F Office of Foreign A oreign Assets Control (OFAC) ssets Control (OFAC), administered by the Department of Treasury
The ITAR: • “Inherently military in nature” • Covers military items found on the United States M nited States Munitions unitions List (USML) List (USML) – munitions and defense articles • Includes most space-related technologies because of application to missile technology • Includes technical data related to defense articles and services • ITAR items virtually ALWAYS require an export license; policy of denial for exports to certain countries
The EAR: • Covers “dual-use” items – found on Commerce Control Commerce Control List (CCL) List (CCL) • Regulates items designed for commercial purposes that also have military applications (computers, pathogens, civilian aircraft, etc.) • Covers goods, test equipment, materials, and the software and technology • Each item has an Export Export Controls Classification Controls Classification Number (ECCN) umber (ECCN)
Classification & Licensing: EAR and ITAR • Classification is the exercise of understanding where an item or technology falls on the USML or CCL. Can be complicated! • EAR/CCL much more extensive list than the ITAR/USML. Controls are based on the type of item, the end use/user, and the destination country. Not all items are controlled for all countries. Must analyze a combination of item and recipient/destination country, with 4-5 places to look (EAR regs, country charts, restricted lists, etc.) – some ECCNs need a license for every end-user country in the world, and some only need a license for one country. • Most exports (90%+) under EAR jurisdiction may be made without Most exports (90%+) under EAR jurisdiction may be made without an export license an export license. N . Nearly all exports under ITAR require a license early all exports under ITAR require a license. • Can take weeks to obtain a license; specific only to that transaction! • Exempt: information that is publicly available/in public domain…
OFAC: • Restricted parties’ lists • Economic sanctions focus on end-user or country, and may limit transfer of technologies and assistance to OFAC’s list of sanctioned countries • OFAC has a “Specially Designated Nationals and Blocked Persons List” • Prohibits payments or providing “value” to nationals of sanctioned countries and certain entities – or could require an export license
Screenings: OFAC There are over 250 published restricted parties’ lists – and each can contain thousands of entities, and can change daily and without warning. Manual screening is labor-intensive, inefficient, and prone to error (errors can be detrimental/costly). First and most basic layer of export control compliance.
Screenings: Shipping, Vendors, Collaborations • Shipping equipment, technology, software, computers, goods outside the U.S. may require a license • Payment to foreign individuals/entities outside the U.S. should raise a red flag! • OFAC has regulations regarding payments to sanctioned countries – Iran and Cuba the most restrictive • Payments to entities/persons on restricted parties’ lists could result in fines • International collaborations, international visitors (tour groups) and international visiting scholars/researchers/guest speakers, international travel, etc. • Customers, suppliers, vendors, trading partners, students, workers, etc.
“High Risk” Areas • Advanced Computer Sciences/ Microelectronic Technology • Biotechnology and Biomedical Engineering – Including Biological Agents • Nuclear Technology and Toxins • Remote Sensing, Imaging, and • Chemical Engineering Reconnaissance • Encryption/Encrypted Software • Robotics • Information Security • Sensors and Sensor Technology • Materials Technology • Space Sciences • Navigation Systems/GPS • Telecommunications/Networking • UAS ***not an exhaustive list! ***don’t forget international travel and other concerns
International T International Travel and ravel and � International Research/Activities: International Research/Activities: 1. 1. International T International Travel ravel • hand-carrying export-controlled items: GPS, prototypes, laptops, software, etc. • taking controlled technical data or encryption items: unpublished research, blueprints, engineering designs, etc. • to or through: Cuba, Iran, North Korea, Syria, Sudan • presentations or attendance at closed conferences abroad 2. 2. Shipping/Carrying Any Item to a F Shipping/Carrying Any Item to a Foreign Country: oreign Country: • requires documented export review 3. 3. Transactions with Restricted Persons or Entities: ransactions with Restricted Persons or Entities: • restricted parties’ screenings
International Travel: Departments of Commerce and State Departments of Commerce and State have regulations that affect: have regulations that affect: � • Physically taking items with you on a trip, such as o Laptop o Encryption products on your laptop o PDAs/smartphones o Data/technology/source code o Blueprints, drawings, schematics o Other “tools of the trade” • Giving controlled technology/data/source code to a foreign person outside the U.S.
Recommend
More recommend
