Archive for May, 2009



Old Hard Drives Never Die (or Even Fade Away)


Posted at 8:43 am on May 8, 2009
Category: BISDDTC

According to an article that appeared yesterday in the Daily Mail, a London daily, test launch procedures for Lockheed Martin’s Terminal High Altitude Area Defense (THAAD) ground-to-air missile defense system were found on a hard drive purchased on eBay. The disk also contained security policies, blueprints of facilities and social security numbers for individual employees.

The disk was purchased by British researchers as part of a research project which scrutinized 300 hard drives purchased from public sources such as computer auctions and eBay. The researchers found that Lockheed Martin may not have been alone in disposing of insufficiently sanitized hard drives. Thirty-four percent of the 300 hard drives examined had identifiable personal or company data. Among the discoveries was a hard-drive with security logs from the German Embassy in Paris.

The article cited a spokesman from Lockheed Martin who stated:

Lockheed Martin is not aware of any compromise of data related to the Terminal High Altitude Area Defense programme. Until Lockheed Martin can evaluate the hard drive in question, it is not possible to comment further on its potential contents or source.

A good point and, it should be remembered, it’s possible that the hard drive was not one disposed of by Lockheed Martin but rather was a hard-drive from an employee’s home computer, although that would raise a different set of issues.

But the point here is not really whether THAAD program details were or were not on hard disk drives, or even what steps the researchers took to recover data, but rather to ask this question: “What does your compliance program say about disposal of hard-drives that may have ITAR-controlled or ECCN-controlled data?” And what steps does your company take when disposing of hard-drives? Most companies probably contract those responsibilities to third-party contractors who promise to wipe or destroy the drives, a promise that, as this case may illustrate, may not always be kept.

The National Industrial Security Procedures Operating Manual, DoD 5220.22-M (“NISPOM”), which contains DoD procedures for protection of classified data, requires that disks with such data be “sanitized” prior to disposal, but the NISPOM doesn’t provide a description of satisfactory sanitization techniques. Vendors who sell disk-wiping programs, such as this one, describe the NISPOM procedure as requiring multiple overwrites of all sectors of the drive with random data, but this appears to be a reference to a 1997 version of a separate DoD document entitled “Cleaning and Sanitization Matrix.” The January 2007 edition of that matrix stated: “Overwriting is no longer acceptable for sanitization of magnetic media; only degaussing or physical destruction.” (The matrix appears to have disappeared from the Internet; if anyone has a current link, please let me know.)

There are no standard procedures mandated by DDTC or BIS for pre-disposal sanitization of hard disks containing non-classified, but ITAR-controlled or ECCN-controlled, technical data. However, a good resource for developing these procedures is a document released by the Department of Commerce’s National Institute of Standards and Technology entitled “Guidelines for Media Sanitization.” The document indicates that encryption is not a sufficient sanitization technique and recommends various other methods, including multiple overwrites, degaussing and physical destruction.

This gives companies a variety of options. Companies that would rather be safe than sorry can destroy magnetic media, and companies that would rather be green can degauss such media. And, at a very minimum, there is no excuse for not downloading a disk-wiping program and overwriting magnetic media prior to disposal or sale if the company is not going to destroy or degauss it. My personal favorite method for destroying hard drives is blowing them up with thermite, but that might not be feasible in most corporate settings.



Copyright © 2009 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)


To Arm or Not to Arm?


Posted at 7:34 pm on May 7, 2009
Category: Piracy on the High Seas

Earlier this week Philip Shapiro, the CEO of Liberty Maritime, testified before the Senate subcommittee with oversight over merchant marine infrastructure and argued that Congress should take action to permit merchant ships to arm themselves either by arming their crews or by hiring armed security guards for the voyage. Currently the only effective countermeasure that merchant marine ships can use against pirate attacks is the use of high pressure hoses to prevent boarding.

Indeed, Shapiro described in his testimony how such hoses helped defeat a recent pirate attack on one of his company’s ships. A crew member captured video of the thwarted attack.

Even so, Shapiro called for arming merchant ships and described existing barriers to doing so:

Today’s U.S. legal framework actually prevents ship owners from arming their vessels for self-defense. While the maritime right of self defense is enshrined in U.S. law in a statute dating from 1817, more recently enacted State Department arms export regulations effectively prohibit the arming of vessels.

Although the International Traffic in Arms Regulations do not prohibit the arming of merchant marine ships, an export license would be required permitting the temporary export of the weapons to each port that the ship will visit prior to its return to the United States. This would not only be time consuming but would, for example, not permit weapons on ships destined for Chinese ports due to the arms embargo against China in section 126.1.

The narrow exemption in section 123.17(c) for crew members to temporarily export non-automatic firearms and 1,000 rounds of ammunition without a license is probably insufficient to arm properly a merchant ship against pirates with RPG launchers and AK-47s. And it entails an additional burden of a declaration by each crew member to a Customs officer prior to each departure by the crew with non-automatic firearms.

Beyond the hurdles imposed by the ITAR, the bond requirement imposed by 22 U.S.C. § 463 is also a practical barrier to arming merchant ships. That statute requires that the owners of armed ships post a bond prior to leaving a U.S. port in an amount equal to double the value of the ship and its cargo.

Additional Congressional action may not be required, however, to permit the arming of merchant ships. Under 10 U.S.C. § 351, the President may authorize the arming of merchant ships upon determination that the national security is threatened by the application of physical violence by foreign governments or agencies against U.S. commercial interests. Presumably, foreign pirates would fit within the definition of agencies. Ships armed under this provision are exempted from the double-bond requirement.

Even if U.S. barriers to arming merchant ships can be overcome, that’s not the end of the story. The governments of any ports visited by the merchant ship in question may forbid that the vessel be armed. Or, as in the case of Germany and other countries that have signed the U.N. Firearms Protocol, the port countries may require that a “transit permit” for the weapons be granted prior to the arrival of the ship.

It appears likely that merchant marine ships are going to have to continue to rely on high pressure water hoses for the immediate future to rebuff pirate attacks.


New Jersey Man Arrested on ITAR Brokering Charges


Posted at 4:03 pm on May 6, 2009
Category: General

A 68-year-old New Jersey man, Juwhan Yun, was arrested last month and pleaded not guilty to charges that he illegally brokered the sales of rocket engines and related technology from Russia to South Korea in violation of Part 129 of the International Traffic in Arms Regulations. Under Part 129, a license from the Department of State is required before any U.S. person can broker the sale of Category I Missile Technology Control Regime Annex items regardless of value and regardless of destination. (License requirements for other defense articles and defense services depend upon, among other things, the value of the brokered items and the destination of those items.) The defendant, who had previously been convicted for attempting to export sarin nerve gas to Iran, had not obtained such a license.

I’ve reviewed the criminal complaint filed against Juwhan Yun and can only say that the government doesn’t appear to have a slam-dunk case here. The complaint details a number of emails and face-to-face meetings between Yun and a confidential government informant which explored the possibility of the informant obtaining RD-180 rocket engines and technology from Russia for the South Korean government. Since the engines and technology were to be transported from Russia, and not the United States, to South Korea, no illegal export would be involved and the only possible charges would be under the brokering regulations in Part 129.

The prosecutors, however, appear to have completely misunderstood the definition of brokering set forth in Part 129. Section 129.2(a) defines brokering as acting as an agent for others in the transfer of defense articles or services in exchange for a commission or other consideration. Allegations from the criminal complaint indicate that Yun wasn’t acting as an agent for the South Korean government in exchange for a commission or other consideration from the government. Rather he was acting in an individual capacity and was intending to purchase the items for his own account for later resale to the South Korean government.

Here’s the relevant passage from the criminal complaint:

On February 25, 2009, JW Yun sent an email to the [Confidential Informant] and asked the [Confidential Informant] how much commission the [Confidential Informant] and the people in Moscow wanted as he would include that in the sale price to Korea.

If Part 129 is read to cover Yun’s activities, then every person or company that distributes defense articles is a broker and required to register under Part 129, a position that the DDTC has so far not taken.

The criminal complaint also reveals that the Confidential Informant requested that Yun provide him with a letter from the South Korean government indicating that Yun was authorized to act on their behalf. Yun responded by stating that he didn’t have such a letter and that the South Koreans would never give him such a letter.

Even supposing that a person selling defense items that he owns can ever be considered a broker under the definition set forth in Part 129, a questionable proposition at best, the prosecution still has to prove a scienter element, i.e., present some evidence that Yun knew that his actions were unlawful. Leaving aside the issue that a reasonable person might not read the definition of brokering to cover what Yun was doing, Yun went to considerable pains to stress to the Confidential Informant that everything in the transaction must be legal because he wanted this to be a long-term relationship, not simply a one-shot sale of rocket engines.

On February 11, 2009, JW Yun sent an email . . . advising the [Confidential Informant] that “all of our business should be legitimate and lawful because our business should be continued one after another in the future.”

Nor is there any indication in the criminal complaint that Yun tried to conceal his activities or otherwise indicated that he thought they were illegal. Yun discussed the proposed sale of the rocket engines with the Confidential Informant in front of third parties that Yun did not know. He indicated that he was seeking to enlist the services of a rocket engineer from the University of Central Florida to assist him in the transaction. He even sent the confidential informant a signed and notarized written agreement authorizing the informant to act on Yun’s behalf in obtaining the engines and technology from Russia for export to South Korea. That certainly doesn’t seem to be something that would be done by someone who thought that he was breaking U.S. law by attempting to buy Russian rocket engines for resale to South Korea.


Will Burma Sanctions Get Shaved?


Posted at 7:50 pm on May 5, 2009
Category: Burma Sanctions

With all the talk of relaxing Cuba sanctions and possible talks with Iran, it’s not surprising that Burma is showing up at the “me too” table asking for service. Today at Bloomberg, Frank Smithuis, Burma country director for Médecins Sans Frontières, is quoted saying this:

Because of sanctions there is a lot of suffering, and we see that particularly in the humanitarian-aid field. There’s definitely hope in the aid community that the policy will be reconsidered. The Myanmar people are victims of a humanitarian boycott. There is enormous pressure on politicians in the West to look politically correct, and they get human rights brownie points by being very strict on aid.

In the same article, Bloomberg provides a chart showing that Burma ranked dead last in foreign aid per capita in 2007, receiving $4.07 per capita, which compares to the $52.32 per capita aid received by Sudan. Indeed, in February, Secretary Clinton stated that the Obama administration’s policy toward Burma’s military junta was undergoing a “major review.”

The EU at the end of April renewed its sanctions against Burma for another year. The EU foreign ministers voting to extend the sanctions indicated that they were nonetheless willing to hold consultations with the junta during the Asia-Europe Meeting (ASEM) in Hanoi, Vietnam, in May.

The current EU sanctions involve visa restrictions, asset blocking and an arms embargo. U.S. sanctions are broader and include, in addition to asset blocking and an arms embargo, a ban on imports, a ban on new investment, and a ban on exports of “financial services” which are broadly defined to include funds transfers, insurance services and investment and brokerage services. The U.S. regulations provide for a general license permitting exports of financial services in support of NGO activity in Burma.
