An overview of ITAR
The International Traffic in Arms Regulations (ITAR) is a strictly enforced U.S. government export regulation that carries some of the stiffest civil and criminal penalties, which no individual or business wants to endure. The law covers the manufacture, sale, and distribution of defense and space-related articles and services on the United States Munitions List (USML). Administered by the U.S. State Department Directorate of Defense Trade Controls, the legislation is designed to control access to specific types of technology and associated data.
Penalties for ITAR violations
There are substantial penalties, both criminal and civil, for violations of ITAR. Civil fines can run as high as $500,000 per violation, and criminal penalties can include 10 years' imprisonment and fines of up to $1 million per violation. In 2014, Intersil was fined $10 million for allowing radiation-hardened semiconductors to be re-exported to China. That is to say, Intersil exported the electronics to a country that is approved under ITAR, and the semiconductors were then transferred to China. That same year, Esterline was fined $20 million for failing to implement proper oversight and safeguards, leading to aircraft technology being improperly exported.
Who must comply with this law
The law primarily applies to defense contractors that manufacture and/or export products on the USML, but all companies in the supply chain for such products must register to obtain the appropriate import or export license and meet the ITAR requirements. ITAR has a complex set of requirements, and because of the consequences of non-compliance, it’s recommended that companies that even think they might fall under its purview seek legal clarification of their obligations.
The munitions list includes items that are specifically designed, developed, configured, adapted or modified for a military application. However, the law also covers applicable data and information about the items on the list; for example, product blueprints. With the federal government having little tolerance for offenses, it’s critical to know your ITAR compliance requirements if your company deals with information pertaining to defense systems or technology including:
- Tanks and military vehicles
- Aircraft and associated equipment
- Military electronics including radar, radios, sonar, and computers
- Space systems including satellites, GPS equipment, and ground station equipment
- Firearms, close assault weapons, and combat shotguns
- Ammunition and ordnance
- Launch vehicles, guided missiles, ballistic missiles, rockets, torpedoes, bombs, and mines
- Explosives, propellants, incendiary agents, and their constituents
- Military equipment training and training equipment
- Personnel shelters
Top requirements of ITAR
ITAR stipulates that regulated technical data – regardless of its form – may be used solely by U.S. persons employed by the U.S. government or a U.S. company. A U.S. person is defined as a U.S. citizen, permanent resident, political asylee, government agency, or corporation. Furthermore, all U.S. companies that manufacture, export, or handle data for items on the USML are required to register with the government and obtain prior authorization to export USML items to a foreign person or government. They must also obtain a specific license exemption to export the data to a U.S. person located outside the U.S., such as to share it with a U.S. employee stationed in another country.
There are several types of export authorizations:
- Foreign military sales (FMS) – in which the U.S. government sells items on the USML to a foreign government
- Export license (e.g. DSP-5) – a temporary or permanent export of technology or technology data to a foreign person, but not technical services
- Warehouse and Distribution Agreement – allows a company to establish a warehouse to export USML items to approved foreign entities
- Technical Assistance Agreement (TAA) – authorization to provide defense-related services to foreign entities
- Manufacturing License Agreement (MLA) – authorization to export manufacturing knowledge to a foreign entity
The regulated items on the USML change over time. For example, at one point in the 1990s, ITAR classified strong cryptography as arms and prohibited its export from the U.S., although this is no longer the case. Technical data pertaining to items on the USML is considered to be regulated. Data that is covered under ITAR generally pertains to the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. The law also regulates software that includes system functional design, logic flow, algorithms, application programs, operating systems and support software for design, implementation, test operation, diagnostics, and repair.
Sensitive information may take the form of computer files, documents, blueprints, photos, plans, instructions and so on. In the early days of ITAR, these items were in physical format. Today, however, information is much more likely to be in digital form, and this complicates how the information must be secured and protected.
In order to meet ITAR requirements, experts recommend that companies:
- Ensure that controlled data is protected with strong encryption at all times, for example encryption performed by cryptographic modules validated to FIPS 140-2. Data should be persistently encrypted during transmission to the cloud and at rest on cloud storage servers.
- The data owner must maintain complete control over the encryption keys at all times, and no personnel from the cloud service provider should have access to the keys.
- Only authorized individuals can access controlled data.
- Individuals are uniquely identified and access to data is protected by strong authentication of the individual.
- Individual access rights are routinely reviewed for ongoing need.
- An individual’s access to data is promptly de-provisioned when it is no longer needed.
- All events pertaining to data access are captured and logged for monitoring and reporting purposes. This includes who, what, when, and where.
- Notifications or alerts are sent to individuals or work group members when a change to data records or files occurs.
Regulated data in the cloud
These requirements call into question whether regulated data can legally be stored in the public cloud. The underlying dilemma is that cloud service providers utilize shared and distributed resources that might cross national borders, and this distribution of resources is not transparent to the user. Data replication and backup, which are normal functions of cloud systems, can cause inadvertent, unlicensed exports if or when data is sent to servers outside the U.S. What’s more, in many cases cloud providers have employees with access to data who are not U.S. citizens.
The State Department has taken the position that technical data may be stored or maintained on cloud-based servers outside the United States if the conditions of the applicable ITAR license exemption are satisfied and “sufficient means” are taken to prevent foreign persons from accessing such data.
Tokenization and encryption as means of securing data
A key question asked by companies that hold ITAR-regulated data is whether encryption or tokenization of data would be “sufficient means” to maintain ITAR compliance when data is stored in the cloud. Tokenization is a technique in which a sensitive data element is substituted by a “token,” a non-sensitive data element that has no extrinsic or exploitable meaning or value. The token electronically maps back to the sensitive data element.
With regard to tokenization, the State Department issued an advisory opinion that states, subject to the conditions of the exemption, “tokenization may be used to process controlled technical data” in the cloud without a license, even if the “tokenized data” moves to servers located outside the United States. Thus, tokenization satisfies the ITAR requirement because, in effect, the sensitive data is never present in the cloud instance; only the tokens are there.
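The tokenization pattern described above, sketched as an added illustration that is not part of the original article: controlled fields are swapped for random tokens before a record leaves the premises, and mapping a token back requires an authorized user and is logged with who, what, when, and where. TokenVault, prepare_for_cloud, the field names and the sample record are hypothetical and constructed for this example.

```python
import secrets
from datetime import datetime, timezone


class TokenVault:
    """Hypothetical on-premises vault mapping random tokens to controlled values."""

    def __init__(self, authorized_users):
        self._store = {}                  # token -> sensitive value; never leaves the vault
        self._authorized = set(authorized_users)
        self.audit_log = []               # one entry per access attempt

    def _log(self, user, action, token, source, allowed):
        self.audit_log.append({
            "who": user, "what": action, "token": token, "where": source,
            "when": datetime.now(timezone.utc).isoformat(), "allowed": allowed,
        })

    def tokenize(self, value, user, source):
        # A random token has no mathematical relationship to the value, so it
        # cannot be reversed without the vault's mapping table.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = value
        self._log(user, "tokenize", token, source, True)
        return token

    def detokenize(self, token, user, source):
        allowed = user in self._authorized and token in self._store
        self._log(user, "detokenize", token, source, allowed)  # denials are logged too
        if not allowed:
            raise PermissionError(f"{user} may not detokenize {token}")
        return self._store[token]


def prepare_for_cloud(record, controlled_fields, vault, user, source):
    """Return a copy of record in which controlled fields hold tokens only."""
    return {
        key: vault.tokenize(val, user, source) if key in controlled_fields else val
        for key, val in record.items()
    }


# Constructed sample record; field names and values are illustrative only.
SAMPLE = {"part_no": "A-1001", "drawing": "CONTROLLED: housing tolerances v3",
          "status": "released"}

if __name__ == "__main__":
    vault = TokenVault(authorized_users={"alice"})
    cloud_copy = prepare_for_cloud(SAMPLE, {"drawing"}, vault, "alice", "10.0.0.5")
    print(cloud_copy)  # only this dictionary would be uploaded
    print(vault.detokenize(cloud_copy["drawing"], "alice", "10.0.0.5"))
```

Only the output of prepare_for_cloud is sent to the cloud service; the vault and its mapping table stay under the data owner's control.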
The law is less clear where encryption is concerned. In May 2013, the Defense Trade Advisory Group (DTAG) Cloud Computing Working Group considered whether encryption provides sufficient means to protect data in the cloud. The working group even cited the military’s use of strong encryption to protect classified data in electronic form as a justification for why the technology should be approved for use with ITAR-regulated data.
The working group recommended in a white paper that the U.S. government modify ITAR such that “unclassified, encrypted technical data being transmitted or stored, regardless of location, is not controlled under this provision provided that the data remains encrypted and the ability to decrypt the information is not disseminated.” The argument is that ciphertext, in itself, is not actual information or any type of regulated article as long as it can’t be reversed back to the original text. Under this provision, encrypted data would be permitted in the cloud, as long as the keys to decrypt the data are not available to unauthorized personnel. Companies that use cloud services need to be cautious about the storage of ITAR data on cloud servers and should consider seeking guidance from the State Department on these issues and evaluating a cloud access security broker (CASB). The penalties for non-compliance are stiff, and ignorance of the law is no excuse.