It had been a while since I had seen a administrative fine imposed on a U.S. company for the unlawful of export of encryption technology. According to the Department of Commerce, Bureau of Industry and Security press release posted earlier this week:
Wind River Systems of Alameda, Calif., a wholly-owned subsidiary of Intel Corporation, has agreed to a $750,000 civil penalty to settle charges that it sold encryption software products to foreign government customers and to organizations identified on the BIS Entity List without the required Department of Commerce licenses.
While the fine may seem steep, it could’ve been a whole lot worse. The company submitted a voluntary disclosure and must have cooperated with BIS. That goes a long way in mitigating potential administrative penalties as well as the chances of having your matter referred to the Justice Department for criminal prosecution.
Over at the Schneier on Security blog in a post titled, “The Return of Crypto Export Controls?”, Schneier pens that no one appears to know if the recent BIS fine is a trend or an anomaly (since administrative fines in this area of export controls enforcement are really not all that common). If cryptography issues interest you, the thread that follows Schneier’s post is worth read.
My general answer Schneier’s question is that crypto controls never really disappeared from the enforcement arena. I also think it just happens to be one of the export control are that, at least from an administrative law and licensing standpoint, tends to work better than other sectors subject to controls. However, because of the fast-paced and ever-changing nature of the technology, there may be a whole lot more violations than the government knows about and that people are not reporting.
At some point, possibly in the near future, there will be a major prosecution that will better set the tone for lawyers and compliance officers. And, one thing is certain, thanks to traitors such as Edward Snowden, expect a lot more scrutiny than maybe in prior years, to potential encryption-related export control violations.
Under current export control laws, with some few noted exceptions, exporting this technology is a fairly straightforward process and licenses are routinely granted by BIS without much fuss. By the way, some folks in Congress believe the controls are too lax. While a subject for another post, I’ve come to the realization after several years of studying this issue that the Congress, indeed most of the federal government, is way behind the eight ball on these matters. And, with a few exceptions, will be for some time to come.
Just as companies need encryption technology to protect corporate secrets from competitors, the federal government will always need this technology to protect the nation as well as advance U.S. interests.
Whether you’re looking at the Cold War-era case of the Walkers, the father and son spy team that provided encryption know-how to the Russians; the Chi Tong Kuok prosecution; or traitors such as Edward Snowden (yes, that is what he is, no matter how much his supporters sugar coat it), there will always be people trying to steal, sell, swap, or simply just share controlled encryption technology to friends and foes.
While companies hue and cry about the feds requesting back door access to these programs, I can guarantee that they will be the first ones to come running to the federal government asking for help (and political cover) when a competitor (or foreign nation) breaches a firewall or backdoor and causes catastrophic damage that results in millions of dollars, or more, in damages.
The export control regime may not be perfect, but it is better than any other system in the world these days. To make sense of it, however, you need to look beyond the laws and regulations. What can make the U.S. system work better is the collaborative public-private process that balances industry needs with national security priorities.
While most market activities should be hands off by the feds, when the product or service directly affects the national security of the United States, all bets are off. It should be one of the biggest exceptions to that general rule. This is especially true when it comes to the Internet. Without national security, there is no nation (or the free markets that come with them).