According to this Reuters report, the Russians are demanding from U.S. companies the right to view source code of software that these companies wish to sell in Russia. The software at issue includes software with encryption capabilities, anti-virus software and firewalls. You don’t have to be a rocket (or computer) scientist to figure out why Vladimir and his spy master buddies want to look at such software. They are looking for vulnerabilities that would allow the Russians to continue to hack into U.S. networks and infrastructure. Surprisingly, Reuters suggests that some big names in U.S. software are actually complying.
That’s surprising because, as many readers probably know, handing over the source code of programs with encryption functionality to the Russian government requires a license from the Bureau of Industry and Security (“BIS”). Normally, I would expect BIS, at least for the moment, to grant such a license when hell freezes over or, as Vladimir himself might say, когда рак на горе ÑвиÑтнет (“when crawfish whistle in the mountains.”)
Here’s why a license is necessary. First, keep in mind that BIS controls the export of software with encryption functionality. This includes software that does not contain any encryption algorithms but calls those algorithms from an external source to perform the actual encryption. Although the language of the EAR is far from making it clear, BIS makes it quite clear here on its website:
Almost all items controlled under Category 5, Part 2 of the EAR are controlled because they include encryption functionality. Items may be controlled as encryption items even if the encryption is actually performed by the operating system, an external library, a third-party product or a cryptographic processor. If an item uses encryption functionality, whether or not the code that performs the encryption is included with the item, then BIS evaluates the item based on the encryption functionality it uses.
Most programs, in fact, call encryption from the operating system. Some browsers, such as Firefox, incorporate their own encryption, and programs may utilize browser encryption when sending and retrieving date from the Internet. In any event, the vast majority of software has some encryption functionality either by using the operating system or native encryption in certain browsers.
Second, source code does not fall under EAR section 740.17(b)(1) and is not eligible for self-classification and export under License Exception ENC. Rather source code that is not publicly available falls under 740.17(b)(2)(i)(B). Items that fall within (b)(2), such as source code, can be exported thirty days after the filing of a classification report to “non-‘government end users’ located or headquartered in a country not listed in supplement no. 3.” See Section 740.17(b)(2)(i). As a result, license exception ENC does not authorize exports to government end-users outside Supplement 3 countries. As Russia is not a Supplement 3 country, a license is required to provide source code with encryption functionality to the government of Russia.
I have no way of knowing whether the U.S. companies that have let Vlad peek at their source code bothered with, or even knew of the requirement for, licenses.  And although not so long ago, BIS would probably have said “nyet” to any such license request, it is altogether possible that BIS is now saying “da” instead.  In any event, companies should think long and hard before spilling their source code for software with encryption functionality to the Russkis without getting a license from BIS first.
Copyright © 2017 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)