Archive for the ‘DDTC’ Category


The Consolidated Screening List Isn’t


Posted at 9:01 pm on August 20, 2014
Category: BIS, Compliance Programs and Procedures, DDTC, Debarred List, Denied Party List, Entity List, OFAC, Russia Sanctions, Sanctions, SDN List, Unverified List

PortShip by USDA (cropped) via https://www.flickr.com/photos/usdagov/9715983721 [CC BY 2.0 https://creativecommons.org/licenses/by/2.0/]

The U.S. Government, over at export.gov, provides a so-called Consolidated Screening List, which you might think would be a one-stop shopping list for your screening needs, something that might be useful if you or your company does not subscribe to or implement one of the commercial screening solutions. Unfortunately, the Consolidated Screening List doesn’t consolidate all the lists you should review and has other significant limitations.

The good news is that the list now does include the Foreign Sanctions Evaders List, which was not included for some time after the list was adopted by Treasury back in February of this year. The description of the list still does not mention the FSE list, but the entries on that list have been quietly added.

However, two other Treasury Department lists are still not included. The relatively new Sectoral Sanctions Identifications List is missing in action. U.S. persons are forbidden from engaging in certain transactions with entities on this list, including providing credit in excess of ninety days. Part of the reason for this is probably that the “consolidated” list is infrequently updated. The last update of the list was almost two months ago, on June 26, 2014.

In addition, the Palestinian Legislative Council List, adopted back in 2006, is not included. U.S. financial institutions must reject (not block) transactions with people on the PLC list.

Not only is the “consolidated” list not complete or consolidated, but also it is dangerous to rely on it alone for another significant reason. The search page for the list only retrieves literal matches and does not allow address searching. In addition to searching the consolidated list, you should also rely on OFAC’s sanction list search tool. That tool uses, fairly successfully, “fuzzy logic” to retrieve similarly spelled names. Because many of the names on the list are transliterated versions of Arabic names, meaning that there are many alternate spellings, the “fuzzy logic” will be somewhat more successful in identifying alternate spellings.
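The difference between a literal search and a similarity search over transliterated names, as an added example that is not code from export.gov or OFAC. The watch-list entries are constructed and fictional, and the 0.8 threshold and the use of Python's `difflib` are assumptions chosen for illustration, not the method OFAC's tool uses.

```python
import difflib
import unicodedata

# Constructed watch-list entries (fictional names, not taken from any real list).
WATCHLIST = [
    "Mohammed Al-Qadiri Trading Co",
    "Yusuf Abdel Rahman Khalili",
    "Northern Star Shipping LLC",
]

def normalize(name):
    """Casefold, strip diacritics and punctuation, collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", name)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in base.casefold())
    return " ".join(cleaned.split())

def literal_hits(query, entries=WATCHLIST):
    """Literal search: the normalized query must appear verbatim in the entry."""
    q = normalize(query)
    return [e for e in entries if q in normalize(e)]

def fuzzy_hits(query, entries=WATCHLIST, threshold=0.8):
    """Similarity search: (entry, score) pairs at or above threshold, best first."""
    q = normalize(query)
    scored = []
    for e in entries:
        score = difflib.SequenceMatcher(None, q, normalize(e)).ratio()
        if score >= threshold:
            scored.append((e, round(score, 2)))
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

if __name__ == "__main__":
    # Alternate transliteration of the first constructed entry.
    query = "Muhammad Al Kadiri Trading Co"
    print("literal:", literal_hits(query))
    print("fuzzy:  ", fuzzy_hits(query))
```

A lower threshold catches more spelling variants at the cost of more false positives to review, so any hit from the similarity search still needs a human comparison against the full list entry.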


Copyright © 2014 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

Chinese Hacker Nabbed on Export Charges


Posted at 9:20 pm on August 19, 2014
Category: Arms Export, Criminal Penalties, DDTC, Deemed Exports

Stephen Su photo taken by CBP during U.S. transit in 2011 via http://www.cbc.ca/news/canada/british-columbia/su-bin-chinese-man-accused-by-fbi-of-hacking-in-custody-in-b-c-1.2705169 [Public Domain]
ABOVE: Stephen Su


Well, we all know, or should know, that hacking is a criminal violation of the Computer Fraud and Abuse Act, at least when it entails unauthorized access to another party’s computer. What you may not know is that if you’re a foreign national and if the data accessed is technical data controlled by the International Traffic in Arms Regulations, hacking can also be a violation of the Arms Export Control Act.

Back in June, Canadian authorities arrested, at the request of the FBI, a Chinese citizen and Canadian permanent resident named, variously, Su Bin, Stephen Su and Stephen Subin, whom we’ll refer to simply as Su for convenience. Su, the owner of Lode-Tech, a Chinese company with an office in Canada, was accused of conspiring with several Chinese nationals to hack into U.S. defense contractors’ computer systems and to exfiltrate data about military aircraft back to China. Last Friday, Su was indicted by a federal grand jury in California.

One of the charges in the indictment is a violation of the Arms Export Control Act. The theory behind this charge is that Su, with his PRC-based co-conspirators, conspired to break into the U.S. computer systems and to disclose ITAR-controlled technical data to foreign nationals among whom were, of course, themselves.

The criminal complaint filed back in June, which served as the basis for Su’s arrest, contains some fascinating details.  First, it appears that access was gained to the defense contractors’ systems by sending emails to employees of the contractors containing infected attachments or links to infected websites that installed malware on the systems which allowed the hackers to control the systems, to view files on the system, and to send the files back to themselves.   Interestingly, the files were then transferred to hop points or servers in Hong Kong and Macao and from there were physically carried back into the PRC.   Interestingly, it appears that as the Internet becomes easier for security agencies to surveil, modern spies have started to revert back to older methods of spycraft such as smuggling documents, document drops, and, conceivably, even encrypted Morse code shortwave radio transmissions.  One wonders if the NSA is training folks in Morse Code and invisible ink.  What’s next?  Microdots?

It’s Good To Be The King


Posted at 11:15 pm on June 24, 2014
Category: DDTC, ITAR, USML

Intersil Low Dose Irradiator via http://www.intersil.com/en/applications/rad-hard/eldrs.html [Fair Use]

Last week the Directorate of Defense Trade Controls (“DDTC”) announced that it had fined Intersil Corporation, a California-based manufacturer and developer of semiconductors and integrated circuits, $10,000,000, of which $6,000,000 goes to Uncle Sam and the remaining $4,000,000 goes to Intersil’s compliance program and remedial measures. Along with the fines, DDTC has required Intersil to jump through a number of now-typical compliance and re-education hoops, including appointing an ombudsman, hiring a special compliance officer, rewriting its compliance programs, engaging in audits, making frequent reports to DDTC and writing “I will not violate the ITAR” three million times on a blackboard after school. Well, of course, only the last item was not actually required.

According to the Proposed Charging Letter, Intersil incurred the ire of DDTC by classifying certain of its products as ECCN 3A001.a.1, 3A001.a.2, and EAR99 even though the items were radiation hardened and space qualified and, therefore, covered instead by USML Category XV(e). Why Intersil made this mistake is not revealed in the documents, but since Intersil was applying for BIS licenses for the goods when required, it is hard to imagine that it was anything other than a good faith mistake (which is, probably, the reason why this information is omitted). As a result, there were 3,152 unauthorized exports of Intersil’s products, although, due to the statute of limitations, only 339 exports were actually charged, with DDTC swearing left and right that although it couldn’t help mentioning the 3,152 exports it was paying absolutely no attention whatsoever to those in formulating the $10 million penalty.

But here is the most interesting part of the charging documents:

Several of the unauthorized exports were subsequently re-exported or retransferred without authorization due in part to the misclassification of the ICs. On August 20, 2010, a DDTC official misinformed Intersil that for any ICs that “HAVE already been exported under EAR jurisdiction, these [ICs] ARE NOT retroactively subject to the retransfer provisions of 22 CFR 123.9.” Intersil was further misadvised that Intersil did not need to inform its foreign customers to submit ITAR re-export authorization for these items and that this “decision to not retroactively apply USML controls for these already exported [ICs] will continue to be applicable even if a future formal CJ determination asserts USML controls apply.”

Interestingly, notwithstanding this bad advice, Intersil is charged with causing various unauthorized re-exports from, and retransfers in, foreign countries due to its misclassification of the integrated circuits. Whether or not any of these were the result, at least in part, of DDTC’s admittedly bad advice that the retransfer provisions would not apply to items exported under the EAR is not clear, but let’s give DDTC the benefit of the doubt and assume that these were all unrelated.

Even so, there is still an interesting moral to this story. Exporters who make mistakes have to pay large fines and engage in burdensome remediation activities. DDTC officials who make mistakes have to do, er, well, nothing at all because, well, you know, mistakes happen. As they say, it’s good to be the king.

DDTC Deflates Cloud Puffery


Posted at 5:25 pm on June 11, 2014
Category: DDTC, Deemed Exports, Encryption

Lonely Cloud by Kate Haskell https://www.flickr.com/photos/fuzzcat/32487111/ CC BY 2.0 [https://creativecommons.org/licenses/by/2.0/] (cropped)

One of the most frustrating ways in which the Luddites at DDTC have made life difficult for exporters in the 21st century is by taking the position that encrypted technical data is the same thing as unencrypted technical data for purposes of the ITAR. So if you put encrypted technical data on a cloud server outside the United States, you’d better get measured for an orange jumpsuit, because you’ve just exported technical data. Never mind, of course, that no one outside the United States can actually read or decrypt the data; you’ve still exported it.

Even the DoD, hardly a progressive force in these matters, thinks this position is nonsense. As we reported a while back, the DoD defended its decision to use Chinese satellites to transmit its own data on the grounds that all the data was encrypted and thus meaningless to our friends in Beijing. Since DoD has guns, and DDTC does not, you won’t be surprised as to who would win any argument between DoD and State on the efficacy of encryption for these purposes.

So earlier this month, you might have been surprised to see this press release from Perspecsys:

Perspecsys, the leader in enterprise cloud data protection, announced today that it received a written ruling from the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) confirming that technical data secured using Perspecsys tokenization can be processed outside the U.S. through the cloud without obtaining an export license under the International Traffic in Arms Regulations (ITAR).

In its groundbreaking decision, DDTC reinterpreted the ITAR to authorize the use of Perspecsys tokenization to process ITAR technical data in the cloud without a license, even where the tokenized technical data may be transferred to servers located outside the United States. DDTC’s new interpretation shifts the regulatory landscape – opening the cloud to companies subject to the ITAR.

Tokenization is a process whereby a random token is issued to replace sensitive data such as a credit card number. Unlike encryption, there is no algorithm to decode the token back into the credit card number. Rather the token and the original data are maintained on a secure server which can be used to replace the token when necessary. Thus, if the press release were to be believed, if the translation server remained in the United States, the token for technical data could be transferred to a cloud outside the United States without need for an export license.
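Tokenization as described above, as an added example that is not Perspecsys's product or code from the original post. The class, function and field names are hypothetical and the record is constructed; the vault stands in for the "secure server" that holds the token-to-data mapping.

```python
import secrets

class TokenVault:
    """Holds the token <-> value mapping; in the scenario above it stays on the secure server."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value):
        # Reuse an existing token so equal values stay joinable in the cloud copy.
        # Caveat: this also reveals to the cloud side which fields hold equal values.
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(16)  # random, not derived from the value
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token):
        # A lookup is the only way back; an unknown token raises KeyError.
        return self._by_token[token]

SENSITIVE_FIELDS = ("drawing_title", "material_spec")  # hypothetical field names

def to_cloud(record, vault):
    """Copy of the record with sensitive fields replaced by tokens."""
    return {k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}

def from_cloud(record, vault):
    """Restore original values for the fields that carry tokens."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}

if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record.
    record = {"part_no": "A-100", "drawing_title": "Bracket assembly rev C",
              "material_spec": "Alloy sheet, 2 mm"}
    stored = to_cloud(record, vault)
    print(stored)
    print(from_cloud(stored, vault) == record)
```

Because the token is random, its length and content say nothing about the original value, and a party holding only the tokenized record has no key to attack; everything depends on who can query the vault.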

Of course, before you get too excited, I regret to inform you that this is not what the DDTC advisory opinion actually said. Instead, it said that section 125.4(b)(9) might exempt tokenized data if it was sent by a U.S. employee overseas to another U.S. employee and no foreign person had access to the tokenized data. In other words, tokenized data would be treated exactly the same as its non-tokenized counterpart and was eligible only for export subject to exceptions that would be applicable to all technical data, whether encrypted, tokenized or in plain text.

DDTC was not amused by Perspecsys’s suggestion in its press release that the agency had finally entered the 21st century. So the agency “requested” that Perspecsys post a statement that amounts to a retraction of Perspecsys’s earlier press release. In that statement, DDTC clarified (a) that only transfers from a U.S. corporation to its own U.S. national employees were covered by the advisory opinion, (b) that steps must be taken to assure that no foreign persons had access to the data and (c) that the advisory opinion did not hold that tokenization constituted sufficient steps to prevent foreign access to the technical data.

All this makes me wonder: if you shred controlled technical data into a million tiny bits of paper do you have to make sure that the garbage collector is not a foreign person and that no foreign persons are allowed to visit the garbage dump?

[Thanks to an alert reader who pointed out the two press releases to me!]

Spanish Night Vision Dealer Debarred for Unauthorized Re-Exports


Posted at 6:19 pm on June 10, 2014
Category: DDTC, Part 122

By Spc. Jeffery Sandstrum via http://usarmy.vo.llnwd.net/e2/-images/2007/11/01/9792/ [Public Domain]

Carlos Dominguez and his Madrid-based company Elint SA have been administratively debarred by the Directorate of Defense Trade Controls in connection with his unauthorized re-exports and re-transfers of night vision equipment shipped to him from the United States pursuant to DDTC licenses. The unauthorized re-exports and re-transfers were discovered by so-called Blue Lantern checks conducted by foreign embassy staff at the request of the DDTC to determine the ultimate disposition of items exported from the United States pursuant to DDTC licenses. (Interestingly, the cables requesting the Blue Lantern transfers had been previously disclosed when they were leaked by WikiLeaks.)

As a result of the unfavorable Blue Lantern checks, DDTC first imposed in 2009 a policy of denial on Dominguez and Elint. In 2010, DDTC followed up by sending a directed disclosure demand to Elint and Dominguez. A directed disclosure is a DDTC demand that the recipient investigate its export practices and provide to DDTC a list of all its export violations, a request that Dominguez and Elint not surprisingly ignored. A charging letter followed, also ignored, which led to a finding of default by an administrative law judge and the instant order of debarment.

Although section 127.7 of the ITAR specifies that such administrative debarments are “generally” for a period of three years, the order against Dominguez and Elint mentions no time period and is, presumably, permanent. It is safe to say that DDTC is not amused with Dominguez, and this appears to be in large part because of considerable evidence alleged by DDTC that Dominguez tried to evade the policy of denial by setting up shell companies and acting through third parties.

Interestingly, DDTC claims that it has the authority to issue “directed disclosures” under section 122.5(b) of the ITAR, which is, at best, a rather fanciful construction of that section. That section requires that records “maintained” under section 122.5 must be made available to DDTC, but says nothing about any obligation to create new records at the request of DDTC and then provide them. More interestingly, section 122.5 applies to “persons required to register” under Part 122. That obligation is imposed on persons who engage “in the United States in the business of manufacturing or exporting” defense articles. That, of course, does not cover foreign end users of U.S. exports, so it is not at all clear how DDTC can justify issuing the directed disclosure to Dominguez under section 122.5(b).
