Export Controls and Cybersecurity 28 Oct 2015 FINAL
Cybersecurity & Export Controls
Jeremy Otis, F-Secure Corporation
28 October 2015
© F-Secure Confidential
Export Compliance: What?
- UN sanctions
- US sanctions & licensing:
  - OFAC = embargoed countries and SDN list
  - Dept. of Commerce/BIS = export licenses
  - Dept. of State/ITAR = licenses for military goods
- EU sanctions & licensing:
  - National-level licensing requirements (dual-use)
  - Unilateral embargoes (numerous countries; generally on human rights grounds)
  - Financial restrictions/prohibited transactions
- Multilateral treaties (e.g. Wassenaar Arrangement): must be implemented by individual signatory states to apply
Export Compliance: Challenges for In-house Counsel
- Determining which export control regimes apply to your organization:
  - UN; US vs. EU vs. national laws
  - Persons/nationals/entities
  - Dual-use tech/classification/licensing
  - Subsidiary compliance
- Raising "C-suite"-level awareness vs. other competing compliance obligations (e.g. FCPA)
- Limiting markets/suppliers and brand considerations: what is right vs. what is legal
- Keeping up with current events (e.g. 2014 Russia/Ukraine sanctions)
- Who can advise? (e.g. US nationals and the Iran "facilitation" ban)
Export Compliance: Why?
- US: no finding of intent is necessary for administrative violations, so administrative cases may be brought in a wider variety of circumstances than criminal cases.
- Manufacturers of finished goods/tech are liable for all aspects of their offerings, including 3rd-party items.
- Violators may be subject to both criminal and administrative penalties, especially if the violation is willful or if the EAR have been disregarded.
- Civil penalties of $250,000 or twice the value of the transaction, whichever is greater, may be imposed for each violation.
- Criminal violations may result in fines up to $1,000,000 and/or up to 20 years in jail.
- Administrative penalties may also include denial of export privileges; others may not participate in an export transaction with you as a "denied person."
- Debarment from US gov't procurement (FAR/DFARS)
Export Compliance: How?
1. Implement clear policies, updated frequently
   - Company-wide training; internal reporting/whistleblower mechanism
   - Show management support and cross-organization accountability
2. Perform regular audits
   - Internal: order intake, contracts ("know your customer")
   - Suppliers and resellers ("know your partner/know your supplier")
   - Automated compliance process controls are useful BUT regulators/prosecutors will look for the "human touch"
3. Take immediate corrective action on prohibited transactions
   - Monitor post-delivery actions (e.g. support calls from Iran)
4. If investigated, engage outside counsel to ensure some attorney-client privilege
   - Existence of in-house counsel privilege is questionable; don't count on it!
Export Controls & Sanctions: EU vs. US
Sanctions
- US Iran and Cuba sanctions apply to non-US subsidiaries of US parents
- Extended jurisdiction: "cause a US person to breach US law"
- US comprehensive embargoes (Iran, Syria, Sudan, Cuba) vs. EU "smart sanctions"
Export Controls
- Extraterritorial impact of US export controls
- No re-export controls in the EU
- More unilateral (e.g. ECCN 5A992) controls in the US
- No deemed exports in the EU (but look at some national rules closely!)
- No de minimis rule in the EU
- Dealing in illegally exported items under US export controls
- EU adopted the 2013 Wassenaar update re "intrusion software"; US implementation pending as of Autumn 2015
Encryption Software Controls
Basics
- Restrictions on encryption have a different/broader purpose than other export controls: ensuring (gov't) access to sw/data, not just where/by whom/for what purpose the item will be used.
- The purpose and focus of regulating encryption sw has evolved over the last 20 years:
  - 1995: 1st US rules enacted; encryption rare, nearly everything classified dual-use, licensing processes very rigid/long
  - Today: encryption is ubiquitous and the applicability of controls is (more) limited to military items; self-classification/certification available for most consumer-grade encryption items
- Focus has shifted from ensuring access to controlling (cyber-intrusion) tools and potential threats
Key Developments in US Encryption SW Licensing
Many drastic reforms since 2008:
- Categories of military-use sw now much more specific; many less-sensitive items moved from ITAR (Dept. of State/military use) to Dept. of Commerce (dual-use)
- DoC/BIS has much broader discretion to waive license requirements; 70% reduction in the number of licenses required/issued for encryption items to "STA 36" countries
- 2011: broad expansion of license exception ENC/NLR; today, 90% of commercial encryption sw is subject only to self-classification/certification
- DoC/BIS Technical Advisory Committee works with industry to agree and set technical parameters for export control
- Today, far fewer commercial encryption sw items are subject to formal US licensing requirements
US: Key Export Concepts
Key administrative/regulatory bodies:
- Dept. of Treasury/OFAC = embargoed countries and SDN list
- Dept. of Commerce/BIS = export licenses
- Dept. of State/ITAR = licenses for military goods
Concepts:
- The Export Administration Regulations (EAR) control the export and re-export of most commercial items; they are enforced by the U.S. Department of Commerce through its Bureau of Industry and Security (BIS).
- Products or services with military or proliferation applications are regulated by the International Traffic in Arms Regulations (ITAR) and enforced by the U.S. State Department.
- Commercial products and services may also have a military use. Those having both commercial and military or proliferation applications are called "dual-use" and are also subject to the EAR.
- EAR jurisdiction covers all items in the U.S., regardless of origin; certain items outside the U.S.; certain activities of U.S. persons; and releases of source code or technology to foreign nationals in the U.S. or abroad.
- SO: most items are subject to the EAR, but a relatively small percentage of all U.S. exports and re-exports require a BIS license, unless the destination is embargoed or has been designated as supporting terrorist activities.
- Certain individuals and organizations are prohibited from receiving U.S. exports (e.g. SDNs, Russia list); others may receive goods only if they (the recipients) are licensed, even if the items themselves would otherwise be license-exempt. Finally, some end-uses are prohibited while others may require a license.
Export/Re-export
US export control laws have broad extraterritorial application: exports from other countries must comply with the export control laws of that country as well as U.S. export control laws.
- US export control laws apply to the export and re-export of goods and technology (by phone, fax, download, technical assistance, etc.) from the U.S.
- Re-export includes:
  - U.S.-origin goods and technology moving from one foreign country to another
  - Foreign-made items containing U.S. components
  - Foreign-made items that are the "direct products" of certain U.S.-origin technical data or software
EU SW Controls: Key Concepts & Distinctions
- Export -> trans-frontier transfer to any non-EU country
- No controls on re-export or deemed exports
- UGEA EU001 license permits general export of encryption products to EEA/NA/ANZ/Japan
- National rules govern most other encryption licensing requirements
- Dual-use OR country-by-country restrictions (human rights, e.g. Iran)
- No/few mandatory formal classification requirements in the EU
- NO counterpart to the US "ENC" and "TSU" exemptions, i.e. no exception for "mass market" encryption items
- Record keeping (3 years + national rules)
- Iran: US (statutory) sanctions continue after the Q4 2015 Implementation Day; EU vendors get a big head start; the "facilitation ban" for US nationals continues
Classification of US-Origin Encryption Items
Determine whether the item is:
- An encryption item
- An ancillary encryption item (Note 4 to Category 5, Part 2)
- A mass-market item (Note 3 to Category 5, Part 2)
- B2, B3, or B1 category
NO ENCRYPTION OR WEAK ENCRYPTION
- No encryption = ECCN EAR99 or 5A991; weak encryption = ECCN 5A992 or 5D992
- Generally, no license required, or products may ship under a license exception
- *License is required for any delivery to Cuba, N. Korea, Iran, Sudan, and Syria*
ENCRYPTION
- Mass market: ECCN 5A992 or 5D992
- Unrestricted: ECCN 5A002.a.1 or 5D002.c.; generally, no license required, or products may ship under a license exception (ENC/TSU)
- Restricted: ECCN 5A002.a.1 or 5D002.c.1; license required for government/military/defense contractors outside the "License-Free Zone" (~EU/EEA + ANZ/Japan)
ENC Chart (740.17)
Columns: Subparagraph; Item Description or Purpose of Export; ECCN; End User Authorized (outside E:1); Submission Requirements.

(a)(1)
  Item/purpose: Development/production only
  ECCN: 5A002.a1, .a2, .a5, .a6, .a9, 5A002.b, 5B002, 5D002, 5E002
  End user authorized (outside E:1): Private end user HQ'd in Supp. 3 countries
  Submission requirements: None*

(a)(2)
  Item/purpose: Any internal purpose
  ECCN: 5A002.a1, .a2, .a5, .a6, .a9, 5A002.b, 5B002, 5D002, 5E002
  End user authorized (outside E:1): U.S. subsidiaries (employees, interns, contractors)
  Submission requirements: None*

(b)(1)
  Item/purpose: All encryption items except items described in (b)(2) and (b)(3)
  ECCN: 5A002.a1, .a2, .a5, .a6, .a9, 5B002, 5D002
  End user authorized (outside E:1): All except E:1 countries
  Submission requirements: 1. Encryption Registration (submit Supp. 5, Part 742 in SNAP) ERN; 2. Annual Self-Classification Report (submit Supp. 8, Part 742 by email)

(b)(2)
  Item/purpose: Network infrastructure, source code, designed for gov't, custom crypto, modifiable crypto, quantum crypto, penetration testing, public safety radio, cryptanalytic, non-standard tech, OCI, encryption technology
  ECCN: 5A002.a1, .a2, .a5, .a6, .a9, 5A002.b, 5B002, 5D002, 5E002
  End user authorized (outside E:1): Immediate export to Supp. 3; 30-day wait outside Supp. 3; no gov't outside Supp. 3; cryptanalytic/source code: no gov't; non-standard/cryptanalytic tech and OCI: Supp. 3 only; 5E002: no D:1 countries (unless HQ'd in Supp. 3)
  Submission requirements: 1. Encryption Registration (submit Supp. 5, Part 742 in SNAP) ERN; 2. Classification request w/30-day wait (submit Supp. 6, Part 742 in SNAP); 3. Semi-annual report by email (see 740.17(e))

(b)(3)
  Item/purpose: (i) Encryption components: chips, electronic assemblies, crypto libraries, toolkits, dev kits; (ii) Non-standard crypto items; (iii) Digital forensics
  ECCN: 5A002.a1, .a5, .a6, 5A002.b, 5D002
  End user authorized (outside E:1): Immediate export to Supp. 3 countries; 30-day wait outside Supp. 3 countries
  Submission requirements: 1. Encryption Registration (submit Supp. 5, Part 742 in SNAP) ERN; 2. Classification request w/30-day wait (submit Supp. 6, Part 742 in SNAP); 3. Semi-annual report for (b)(3)(iii) only, by email (see 740.17(e))

(b)(4)
  Item/purpose: (i) Short-range wireless; (ii) Foreign dev with US enc parts
  ECCN: 5A002.a1, .a5, .a6, 5B002, 5D002
  End user authorized (outside E:1): All except E:1 countries
  Submission requirements: None
US License Exception TSU
TSU scope. In certain cases, license exception TSU (Technology and Software: Unrestricted) may be available for:
- Operating technology and software (section 740.13(a))
- Sales technology and software (section 740.13(b))
- Bug fixes (section 740.13(c))
- General software notes: "mass market software" (section 740.13(d))
- Publicly available encryption source code (and corresponding object code) (section 740.13(e))
The TSU license exception can be used for operating technology and software as follows:
- "Operation technology" is the minimum technology necessary for the installation, operation, maintenance (checking), and repair of those commodities or software that are lawfully exported or re-exported under a license, a license exception, or NLR. The "minimum necessary" operation technology does not include technology for development or production, and includes use technology only to the extent required to ensure safe and efficient use of the commodity or software.
- Operation software may be exported or re-exported so long as it is the minimum necessary to operate equipment authorized for export or re-export and the operation software is in object code.
- Operation software and technology may be exported or re-exported to any destination to which the equipment for which it is required has been or is being legally exported or re-exported.
Who can use TSU. U.S. persons and foreign persons, to export eligible operation technology or software to a company's employees (both U.S. and foreign) located abroad. Further, foreign national employees of the recipient company may use this license exception to re-export operation technology and software to third parties so long as the equipment has been, or will be, legally exported. Per the above, operation software can only be exported and re-exported in object code.
License Exceptions ENC/TSU: Practical Steps
For unrestricted (consumer) items:
- File/receive Encryption Registration Statement/Number from Commerce Dept./BIS
- (Self-)classify and file an annual report for each item
For restricted items:
- File/receive encryption classification ruling (CCATS) from BIS
- If the gov't end user is outside the "license-free zone", obtain an export license from BIS
- File semi-annual US export sales reports with BIS
Online filing via SNAP-R
Cybersecurity & Wassenaar
Wassenaar Arrangement
- = multilaterally agreed control list of dual-use goods with possible military applications that are subject to export licensing
- In 2013, the dual-use list was expanded to include tools related to the development of "intrusion software" and "IP network surveillance systems"
- Such tools can be used by police and other authorities against their citizens, and thus there is a (perceived) need to regulate the cross-border trade in "spyware"
- The new rule potentially covers many malware and bug-reporting tools which are the lifeblood of security R&D
- The EU has implemented this addition to the Wassenaar list BUT the US has not
- Due to this imbalance, EU security sw companies are placed at a potential disadvantage
- Mandatory export licensing will have a chilling effect on R&D in the global security software sector and could potentially cripple the EU security industry
"Intrusion software"
Def: software that is specially designed to avoid detection by security monitoring tools (such as antiviruses or firewalls) or to defeat protective countermeasures (namely the memory protection functions of operating systems) in order to (a) extract or modify data of the device, or (b) allow the execution of externally provided instructions.
Intrusion software is not itself an item controlled under the Wassenaar Arrangement. Rather, the control focuses on items that have a specified relationship with intrusion software, specifically:
- "equipment" [4.A.5.] or "software" [4.D.4.] specially designed or modified to be used for the generation, operation, or delivery of, or communication with, intrusion software; or
- "technology", such as technical schematics or technical assistance, necessary for the development of an intrusion software product [4.E.1.c.]
Intrusion software does not include:
- debuggers and software reverse engineering tools
- digital rights management systems
- asset recovery software that is installed by manufacturers, administrators, or users
- software that is generally available to the public (available for free or purchase through unrestricted retail-style sales and not requiring substantial support from the seller)
Most common malware R&D tools (remote control sw, penetration testing tools, vulnerability reports) potentially fall under the new Wassenaar list and would be subject to (national) export licensing requirements.
The Debate
- European Commission (2015): human rights and security are "inexorably interlinked"
- European export control regime(s) must find a balance which allows for the free flow and use of day-to-day security-sector R&D w/o bad sw getting into the hands of bad people.
- Activities of certain European vendors providing cybersecurity services to repressive governments and law enforcement agencies have come under close scrutiny (e.g. HackingTeam/Egypt; FinFisher)
- Restrictions on the free exchange of malware tools etc. will have a chilling effect on cybersecurity R&D
- Effective implementation of the new Wassenaar rules requires at a minimum:
  - clear guidelines from the EC and establishment of a help desk for inquiries
  - narrow application of Wassenaar by national authorities
  - express carve-out for day-to-day R&D tools
- Recent lobbying efforts from Finland:
  - Sept. 2015: FSC attends European Parliament public hearing
  - Oct. 2015: FSC, SSH, Nixu all individually participated in public commentary to the European Commission
  - Nov. 2015: Finnish cybersecurity companies submit joint position paper to the EC