The International Traffic in Arms Regulations (ITAR) is a strictly enforced U.S. government export regulation that carries some of the stiffest civil and criminal penalties in U.S. law. The regulation covers the manufacture, sale, and distribution of defense and space-related articles and services on the United States Munitions List (USML). Administered by the U.S. State Department Directorate of Defense Trade Controls, it is designed to control access to specific types of technology and associated data.
There are substantial penalties, both criminal and civil, for violations of ITAR. Civil fines can run as high as $500,000 per violation, and criminal penalties can include 10 years' imprisonment and fines of up to $1 million per violation. In 2014, Intersil was fined $10 million for allowing radiation-hardened semiconductors to be re-exported to China: Intersil exported the electronics to a country that is approved under ITAR, and the semiconductors were then transferred from there to China. That same year, Esterline was fined $20 million for failing to implement proper oversight and safeguards, leading to aircraft technology being improperly exported.
The law primarily applies to defense contractors that manufacture and/or export products on the USML, but all companies in the supply chain for such products must register to obtain the appropriate import or export license and meet the ITAR requirements. ITAR has a complex set of requirements, and because of the consequences of non-compliance, it’s recommended that companies that even think they fall under its purview should seek legal clarification of their obligations.
The munitions list includes items that are specifically designed, developed, configured, adapted or modified for a military application. However, the law also covers applicable data and information about the items on the list; for example, product blueprints. With the federal government having little tolerance for offenses, it’s critical to know your ITAR compliance requirements if your company deals with information pertaining to defense systems or technology including:
ITAR stipulates that regulated technical data – regardless of its form – may be used solely by U.S. persons employed by the U.S. government or a U.S. company. A U.S. person is defined as a U.S. citizen, permanent resident, political asylee, government agency, or corporation. Furthermore, all U.S. companies that manufacture, export, or handle data for items on the USML are required to register with the government and obtain prior authorization to export USML items to a foreign person or government. They must also obtain a specific license exemption to export the data to a U.S. person located outside the U.S., such as to share it with a U.S. employee stationed in another country.
There are several types of export authorizations:
The regulated items on the USML change over time. For example, at one point in the 1990s, ITAR classified strong cryptography as arms and prohibited its export from the U.S., although this is no longer the case. Technical data pertaining to items on the USML is considered to be regulated. Data covered under ITAR generally pertains to the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. The law also regulates software, including system functional design, logic flow, algorithms, application programs, operating systems, and support software for design, implementation, test operation, diagnostics, and repair.
Sensitive information may take the form of computer files, documents, blueprints, photos, plans, instructions and so on. In the early days of ITAR, these items were in physical format. Today, however, information is much more likely to be in digital form, and this complicates how the information must be secured and protected.
In order to meet ITAR requirements, experts recommend that companies:
This calls into question whether regulated data can be legally stored in the public cloud. The underlying dilemma is that cloud service providers use shared and distributed resources that might cross national borders, and this distribution of resources is not transparent to the user. Data replication and backup, which are normal functions of cloud systems, can cause inadvertent, unlicensed exports when data is sent to servers outside the U.S. What's more, in many cases cloud providers have employees with access to data who are not U.S. citizens.
The State Department has taken the position that technical data may be stored or maintained on cloud-based servers outside the United States if the conditions of the applicable ITAR license exemption are satisfied and “sufficient means” are taken to prevent foreign persons from accessing such data.
A key question asked by companies that hold ITAR-regulated data is whether encryption or tokenization of data would be "sufficient means" to maintain ITAR compliance when data is stored in the cloud. Tokenization is a technique in which a sensitive data element is replaced with a "token," a non-sensitive data element that has no extrinsic or exploitable meaning or value. The token maps back to the sensitive data element only through a lookup held by the data owner.
With regards to tokenization, the State Department issued an advisory opinion that states, subject to the conditions of the exemption, “tokenization may be used to process controlled technical data” in the cloud without a license, even if the “tokenized data” moves to servers located outside the United States. Thus, tokenization satisfies the ITAR requirement because, in effect, the sensitive data is never present in the cloud instance, only the tokens are there.
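The following is an added illustration, not code from the article or from any State Department guidance, of why a tokenized payload carries no controlled data: the token vault (the mapping from token to value) stays on U.S.-controlled infrastructure, tokens are random rather than derived from the data, and only the tokenized record is what would be sent to the cloud. The record values and the `TokenVault` class are constructed for the example.

```python
import secrets

# Constructed sample of ITAR-style technical data (fictional values).
SAMPLE_RECORD = {
    "part_number": "RH-1234-X",
    "blueprint_ref": "DWG-ALPHA-007",
    "material_spec": "rad-hard-grade-9",
}


class TokenVault:
    """Hypothetical token vault that stays on U.S.-controlled systems.
    It is the only place where a token can be mapped back to its value."""

    def __init__(self):
        self._forward = {}  # sensitive value -> token
        self._reverse = {}  # token -> sensitive value

    def tokenize(self, value: str) -> str:
        # Reuse the existing token so repeated values stay consistent.
        if value in self._forward:
            return self._forward[value]
        # The token is random, not a hash or encryption of the value,
        # so it reveals nothing about the data it stands in for.
        token = "tok_" + secrets.token_hex(16)
        self._forward[value] = token
        self._reverse[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._reverse[token]


def tokenize_record(vault: TokenVault, record: dict) -> dict:
    """Produce the payload that would be stored in the cloud."""
    return {k: vault.tokenize(v) for k, v in record.items()}


def detokenize_record(vault: TokenVault, record: dict) -> dict:
    """Restore the original values; only possible with vault access."""
    return {k: vault.detokenize(v) for k, v in record.items()}


def leaks_sensitive_values(tokenized: dict, original: dict) -> bool:
    """Check that no original value survives in the cloud-bound payload."""
    payload = " ".join(tokenized.values())
    return any(v in payload for v in original.values())
```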
The law is less clear where encryption is concerned. In May 2013, the Defense Trade Advisory Group (DTAG) Cloud Computing Working Group considered whether encryption provides sufficient means to protect data in the cloud. The working group even cited the military’s use of strong encryption to protect classified data in electronic form as a justification for why the technology should be approved for use with ITAR-regulated data.
The working group recommended in a white paper that the U.S. government modify ITAR such that “unclassified, encrypted technical data being transmitted or stored, regardless of location, is not controlled under this provision provided that the data remains encrypted and the ability to decrypt the information is not disseminated.” The argument is that ciphertext, in itself, is not actual information or any type of regulated article as long as it can’t be reversed back to the original text. Under this provision, encrypted data would be permitted in the cloud, as long as the keys to decrypt the data are not available to unauthorized personnel. Companies that use cloud services need to be cautious about the storage of ITAR data on cloud servers and should consider seeking guidance from the State Department on these issues. The penalties for non-compliance are stiff, and ignorance of the law is no excuse.