Archive for the ‘DDTC’ Category

May

28

Georgia Arms Exports on Hold: Fact or Rumor?

Posted by at 4:44 pm on May 28, 2009
Category: Arms ExportDDTC
Tbilsi, Georgia
ABOVE: Tbilsi, Georgia

Worldnet Daily, a highly partisan and potentially unreliable source, reports that the Obama administration

placed a hold on all U.S. military exports to Georgia due to a “policy review,” with no indication as to when it will be completed or what defensive military items will be allowed to be exported ….

U.S. sources [said] that such a review has been so “close-hold” that even the Defense Department, which also reviews license applications for national security reasons, was unaware of the action. DOD has been recommending approval of munitions license applications for Georgia

The whiff or partisanship, however, is ripe. The article claims that the Obama administration was “bowing to Russian pressure” and cited an un-named U.S. official saying this:

“The Obama administration is caving to the Russians,” one official said. “It means that we’re letting the Russians control U.S. foreign policy interests.”

Leaving aside that Worldnet Daily, which is still claiming that Obama isn’t a U.S. citizen, may have a partisan axe to grind with the Obama administration, the notion that the U.S is caving to Russia on the Georgia issue isn’t terribly consistent with recent statements from Secretary of State Clinton, who has continued to emphasize in public that the U.S. and Russia don’t see eye-to-eye on Georgia. In her joint statement with Russian Foreign Policy Minister Sergey Lavrov on May 7, Secretary Clinton emphasized that Georgia was an issue on which U.S. and Russian “views may diverge” and on which the countries have a disagreement. More recently, Secretary Clinton said in an interview with Russian television outlet RTR that Georgia remained an “area of disagreement” between the two countries.

So my vote is for rumor. But I’d be interested to hear from any readers who have licenses for exports to Georgia held up.

Permalink Comments (1)

Bookmark and Share


Copyright © 2009 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)
May

13

The Sincerest Form of Flattery?

Posted by at 7:44 pm on May 13, 2009
Category: BISDDTCOFAC

ThiefA helpful reader emailed me earlier today that some guy was so impressed with this blog that he decided to start his own site* (pdf image file of site – safe) by stealing each and every one of my posts — text, images, links and all. If you click on the link to the site, it doesn’t look exactly like it did earlier today. I utilized the geeky magic of the htaccess file to change the images on his site from the images taken from my site to a new image that I felt was a more appropriate illustration to the stolen posts. (You may need to refresh your browser when you return here to clear the alternative image from your browser’s cache.) Of course, I can’t wait to see if this post shows up on the site in question.

While poking around in the links of the site in question to see if I could figure out the identity of Export Law Blog’s new BFF, I discovered a document posted at California’s Centers for International Trade Development that reinforces my long-held belief that these state centers provide atrocious advice on export matters. My favorite bit of “advice” from these “Export FAQs” was this:

1. Do I need any special permits or approvals to start an export business in the U.S.?

The U.S. Government does not require a company to have a license or permit to engage in the import/export business. Contact your appropriate state or local city hall regarding requirements and procedures for obtaining business permits.

I think that deserves the Export “Epic Fail” award of 2009. Exporters of defense articles certainly need to register under Part 122 of the ITAR to export those items. But perhaps the author of the document said what he did because he was totally unfamiliar with the Directorate of Defense Trade Controls (“DDTC”). Although he discusses the Bureau of Industry and Security and the Office of Foreign Assets Control, there is not one reference in these “Export FAQs” to the DDTC. Oops.

UPDATE: The blogger has taken down his site and replaced them with pornography links. I’ve removed all links to the site and will link to a pdf of the file I captured yesterday.

UPDATE: More on this here.

*I’ve changed the link to the offending site to a tinyurl link in order to make sure that the site doesn’t get search engine credit for my having linked to it. Also it appears that our “friend” has two addresses for his site. One is hosted on blogbugs, a Ukrainian porn-centered blog hosting service, and can be found here (link removed). This explains why some readers haven’t been able to get on the site. So he/she has another site which uses the same porno sites nameservers but has a URL that might sneak past porn filters. That’s the URL linked in the post above. You know that the person behind the sites in questions is up to know good when he’s operating namelessly from Ukrainian porn site.

Permalink Comments (11)

Bookmark and Share


Copyright © 2009 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)
May

8

Old Hard Drives Never Die (or Even Fade Away)

Posted by at 8:43 am on May 8, 2009
Category: BISDDTC

Thermite Destruction MethondAccording to an article that appeared yesterday in the Daily Mail, a London daily, test launch procedures for Lockheed Martin’s Terminal High Altitude Area Defense (THAAD ) ground-to-air missile defense system were found on a hard drive purchased on eBay. The disk also contained security policies, blueprints of facilities and social security numbers for individual employees

The disk was purchased by British researchers as part of a research project which scrutinized 300 hard drives purchased from public sources such as computer auctions and eBay. The researchers found that Lockheed Martin may not have been alone in disposing of insufficiently sanitized hard drives. Thirty-four percent of the 300 hard drives examined had identifiable personal or company data. Among the discoveries was a hard-drive with security logs from the German Embassy in Paris.

The article cited a spokesman from Lockheed Martin who stated:

Lockheed Martin is not aware of any compromise of data related to the Terminal High Altitude Area Defense programe. Until Lockheed Martin can evaluate the hard drive in question, it is not possible to comment further on its potential contents or source.

A good point and, it should be remembered, it’s possible that the hard drive was not one disposed of by Lockheed Martin but rather was a hard-drive from an employee’s home computer, although that would raise a different set of issues.

But the point here is not really whether THAAD program details were or were not on hard disk drives, or even what steps the researchers took to recover data, but rather to ask this question: “What does your compliance program say about disposal of hard-drives that may have ITAR-controlled or ECCN-controlled data? And what steps does your company take when disposing of hard-drives? Most companies probably contract those responsibilities to third-party contractors who promise to wipe or destroy the drives, a promise that, as this case may illustrate, may not always be kept.

The National Industrial Security Procedures Operating Manual, DoD 5220.22-M (“NISPOM”), which contains DoD procedures for protection of classified data, requires that disks with such data be “sanitized” prior to disposal, but the NISPOM doesn’t provide a description of satisfactory sanitization techniques. Vendors who sell disk-wiping programs, such as this one, describe the NISPOM procedure as requiring multiple overwrites of all sectors of the drive with random data, but this appears to be a reference to a 1997 version of a separate DoD document entitled “Cleaning and Sanitization Matrix.” The January 2007 edition of that matrix stated: “Overwriting is no longer acceptable for sanitization of magnetic media; only degaussing or physical destruction.” (The matrix appears to have disappeared from the Internet; if anyone has a current link, please let me know.)

There are no standard procedures mandated by DDTC or BIS for pre-disposal sanitization of hard disks containing non-classified, but ITAR-controlled or ECCN-controlled, technical data. However, a good resource for developing these procedures is a document released by the Department of Commerce’s National Institute of Standards and Technology entitled “Guidelines for Media Sanitization.” The document indicates that encryption is not a sufficient sanitization technique and recommends various other methods, including multiple overwrites, degaussing and physical destruction.

This gives companies a variety of options. Companies that would rather be safe than sorry can destroy magnetic media, and companies that would rather be green can degauss such media. And, at a very minimum, there is no excuse for not downloading a disk-wiping program and overwriting magnetic media prior to disposal or sale if the company is not going to destroy or degauss it. My personal favorite method for destroying hard drives is blowing them up with thermite, but that might not be feasible in most corporate settings.

Permalink Comments (7)

Bookmark and Share


Copyright © 2009 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)
Apr

14

DDTC Asks NSC For Guidance on Foreign National Rules

Posted by at 10:06 pm on April 14, 2009
Category: BISDDTCDeemed Exports

NSC Meeting During the Ford AdministrationAn article (paid subscription required) in this week’s Washington Tariff & Trade Letter reports that at the Defense Trade Advisory Group (“DTAG”) meeting held on April 7, Frank Ruggiero, the Deputy Assistant Secretary of the Directorate of Defense Trade Controls (“DDTC”) announced that the agency had asked the National Security Council to review the treatment of foreign nationals under U.S. export laws. The DDTC request was sent at the end of March, but there is no current timetable for its consideration by the NSC inasmuch as the Obama administration is still putting together and organizing the new NSC.

At issue is the difference between the way the Bureau of Industry and Security (“BIS”) and DDTC treat foreign nationals with respect to approving transfer of controlled technical data to them. For example, DDTC may use the country of birth of a foreign national to deny licenses or agreements involving transfer of technical data to that individual. BIS, on the other hand, considers the individual’s current citizenship in evaluating his or her ability to receive controlled technical data regarding dual use items.

DDTC’s policy of considering country of birth has created some concern within the export community because it has been applied inconsistently and without any clear statement of applicable guidelines. In some formulations, it appears that the DDTC would automatically apply the policy to bar access to technical data by persons born in, but not citizens of, countries subject to arms embargos under section 126.1 of the International Traffic in Arms Regulations. At other times, DDTC has suggested that a case-by-case consideration would be applicable to foreign nationals born in proscribed countries, an approach that makes more sense when you consider situations such as a child of French diplomats born in China.

The policy has also drawn criticism from abroad. Human rights commissions in Canada and Australia have pointed out that the DDTC’s policy is, in effect, an illegal discrimination based on national origin. This has put U.S. contractors doing business in those countries in a difficult position since it is impossible for them to comply both with DDTC requirements and local laws.

Although a review of these issues for the purposes of achieving uniformity is laudable, DDTC’s motive in requesting that review is somewhat hard to determine. On the one hand, perhaps DDTC is looking for administrative cover to back away from its stricter rule and provide some relief from U.S. defense contractors with overseas operations. On the other hand, DDTC might simply be seeking to have its own narrower view imposed on BIS and other export agencies.

Permalink Comments (2)

Bookmark and Share


Copyright © 2009 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)
Mar

12

Another Overachiever

Posted by at 7:22 pm on March 12, 2009
Category: DDTC

ITARThis must be the season for press releases from companies reporting that they have “achieved” ITAR “certification.” I reported on one of those just a few days ago and along comes another one, this time from California-based SigmaQuest. And I would have let this newest one slide by without comment if there wasn’t something particularly unusual about it.

The ITAR certification specifically demonstrates that SigmaQuest has met requirements pertaining to organization structure, documentation, corporate policy, training and procedures to permit it to handle, use and transfer information controlled by ITAR and the U.S. Munitions List. Moreover, this demonstrates that SigmaQuest has the knowledge and understanding to fully comply with the Arms Export Control Act (AECA) and International Traffic in Arms Regulations as well as having corporate procedures and controls in place to ensure compliance.

Regular readers will by now know that not a single word of that paragraph is even remotely true (and that includes “and” and “the”). But something else might sound, oh, strangely familiar about this paragraph. You might even say it’s “dejà vu all over again,” particularly if you remember a press release from another company I blogged about back in 2007

Meeting ITAR Certification certifies that CIMTEK has met requirements pertaining to organization structure, documentation, corporate policy, training and procedures to permit it to handle, use and transfer information controlled by ITAR and the U.S. Munitions list.

Companies receiving this certification demonstrate that they have knowledge and understanding to fully comply with the Arms Export Control Act (AECA) and International Traffic in Arms Regulations as well as having corporate procedures and controls in place to ensure compliance.

Now those similarities can’t be entirely coincidental, can they? I mean the paragraphs are almost word-for-word identical. It just goes to show that one of the dangers of copying some other company’s press release is that what you copy just might not be accurate.

Maybe SigmaQuest even copied it from my earlier blog entry quoting the press release. In that case, I am going to perform the public service of providing, absolutely free of charge and for unrestricted use, language that can be used in all future press releases by companies that have just received their ITAR Part 122 registration numbers:

Company A has just been notified by the Directorate of Defense Trade Controls (“DDTC”) that it is now registered with that agency as required by Part 122 of the International Traffic in Arms Regulations (“ITAR”) for all companies in the United States that manufacture or export defense articles or services. Registration also means that Company A can now legally export defense articles listed on the United States Munitions List. Although Company A prides itself on its rigorous compliance program and knowledge of the ITAR, registration is available to any company that fills out a form and pays a fee and should not be taken as an independent certification of the Company by the DDTC or any other government agency.

I’m not holding my breath that we will see this new version of the registration press release any time soon.

Permalink Comments (7)

Bookmark and Share


Copyright © 2009 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

« Older Entries
Newer Entries »