By: Felice Laird
I must admit to a shudder of excitement and disbelief when I visited the BIS homepage recently and noticed a banner ad announcing a fine against an “Intel subsidiary for violations of encryption export regulations.” I am one of the original crypto export geeks, having followed the tortured evolution of the controls from the late 1990s through the creation and mutations of License Exception ENC, to today’s largely self-policing paradigm. And I had never heard of a company being investigated or fined for violations in connection with an encryption export, until now. And so, I wonder, why this, why now?
First, let me give the standard disclaimer: I have no knowledge of this case other than what I have read in the documents released by BIS last week, namely the Press Release, the Proposed Charging Letter, the Settlement Agreement and the Order. These documents were prepared and issued by BIS, and they reflect only Commerce’s side of the story. In fact, BIS has ordered the companies involved not to say anything publicly about the case, and especially not to deny any of the charges, so we will never get the other side of the story. The documents give clues as to what the violations were, when they occurred, how the Department found out about them and what the specific punishment is. What is not clear is why, for the first time in 15 years, BIS came out with a public and painful punishment of a large US company for encryption software exports.
For the export compliance professional, there are several really important things to note when reading the documents. Here are some of them:
* Wind River Systems became a subsidiary of Intel when Intel bought Wind River, assets and liabilities (!), in 2009. So, the important takeaway is that there is “successor liability,” and the government will go after a company for an acquisition’s export violations. So, ask to be at the table in M&A talks.
* The statute of limitations for the early violations had run out, but BIS made the company waive the statute somewhere along the line, so that the violations count.
* The company submitted a Voluntary Self Disclosure, which up until now (when made in connection with an encryption violation) has usually led to a nastygram from BIS but no fine.
* BIS issued a gag order in the Settlement Agreement prohibiting Wind River from saying anything about the case.
* The Settlement Agreement states that Wind River has to pay up within 30 days, or else it won’t be allowed to use any licenses or license exceptions.
From my perspective, enforcement actions are useful training tools. It is always a “better sell” when I am talking to companies about the risks involved in non-compliance when I have a good enforcement case to present as an example. And indeed, I have had more than one awkward moment when talking with tech executives and developers who ask me to come up with evidence that the encryption controls are worth compliance measures. Sometimes, I have to appeal to their patriotism as a last resort. It is good to know that BIS cares enough about encryption export controls to go after non-compliant companies.
Lately though, I have been seriously questioning the rationale for maintaining export controls on commercial products that use encryption, since the disclosures made regarding NSA surveillance by Edward Snowden last year. If NSA can intercept and decipher 99 percent of data transmissions, how can the USG continue to maintain that the encryption regs are necessary to support the intelligence community?
The better answer is that Category 5 Part II is synced in most respects to the Wassenaar list, and the US is obligated to maintain controls to honor commitments made to the other Wassenaar member states. And it is clear that efforts have been made by at least three of the most powerful delegations (the US, France and the UK) to shore up controls on “cyber security” products, which they actively considered at the December 2013 Plenary. (BIS deferred publication of the CCL changes agreed to at the December 2013 Plenary affecting “cyber security” products, indicating that these would be published in September, which has come and gone with no reg in sight.)
So, Wassenaar member states have controls on encryption too. But no other country has a byzantine regulatory scheme comparable to that maintained by the US. Over the years, License Exception ENC has morphed into a virtually inexplicable licensing loophole. And so we wonder: should companies really have to continue funneling information to BIS and NSA by way of Classification Requests and classification reports? Does NSA really use any of the information? Does anyone actually read the self-classification reports? The ENC shipping reports?
In the few cases over the years when someone from NSA has shown up in daylight at an industry meeting, I have always asked the question, and I get the answer that, yes, the information NSA gleans from the classification request and reporting process is still necessary. I must admit I have never really bought that story, but it remains part of the answer to the why question.
That brings us back to the timing issue. The press has widely reported the steps that the information technology industry has been taking to harden products and networks using cryptography and other security technologies to protect customer information from access by government agents. Perhaps the Wind River case was meant to be a reminder to the industry that the US Government still has the power to regulate which technologies are deployed internationally.