BIS Update 2007, Day 2, Breakout Session: Technology, Software & Encryption
The Technology, Software and Encryption breakout session was chaired by Bernard Kritzer, Director of BIS’s Office of National Security Controls and Technology Transfer. He noted that while his office has been around for 15 years, technology has changed dramatically during that time. Mr. Kritzer indicated that his office reviews and process 8,200 license applications per year, 5,000 of which are for three basic technologies: deemed exports (1,100), encryption (1,300) and sensors (3,000).
He also noted that there have been numerous geopolitical changes affecting technology over the past few years, including much greater foreign availability, less reliance on the military to generate new technology, more global sourcing and production, and migration of capital, management and technology across international borders.
Mr. Kritzer also discussed the evolution of the products controlled by the final “China Rule”. He also discussed the evolution and analysis of the deemed export rule proposing the use of country of birth. In both cases, BIS took note of the public comments that led to significant changes in the final rule that was issued. With respect to deemed exports, Mr. Kritzer noted that the Deemed Export Advisory Committee final report should be issued later this year with recommendations on how to change and improve the deemed export process.
Mr. Kritzer also noted that BIS is also looking at conducting a review of the Commerce Control List, which is long overdue. For example, he noted that there have been 10 product cycles in semiconductor manufacturing technology since the last CCL review was conducted in 1991.
With respect to encryption, Mr. Kritzer noted that there has been double-digit growth in encryption reviews and mass market determinations. BIS is considering an inter-company licensing program for companies with stellar track export compliance track records. This proposal is a work in progress and BIS hopes to circulate a draft to other agencies in the near future.
Next, Anthony Koo, a licensing officer in Mr. Kritzer’s office that is is responsible for reviewing numerous commodity classifications and export license applications each year, spoke on licensing issues and changes to the CCL.
Regarding the CCL review, he noted that the CCL is made up of several multilateral and unilateral control regimes. Thus, BIS is trying to update the CCL to make it reflect the real world. BIS is also trying to make the CCL more consistent with multilateral regimes, such as updating temperature ranges.
Mr. Koo noted that the final rule modifying the EAR to reflect the December 2006 Wassenaar plenary changes will be published in the FR on Monday November 5, 2007. The final rule can be found here. There will be a 30 day savings provision to reflect pending shipments. The rule implementing the 2006 Wassenaar makes a number of changes to the EAR. For example, the final rule revises the EAR by amending certain entries that are controlled for national security reasons in CCL categories 1, 2, 3, 5 Part I (telecommunications), 6, 7, 8 and 9. The final rule also adds a number of new ECCNs to the CCL, amends and adds some EAR definitions and adds a new Statement of Understanding on source code.
Mr. Koo was followed by Ms. Randy Pratt, Director of the Information Technology Controls Division. Ms. Pratt noted that the there has been an increase in encryption licensing, and BIS saw a 20% increase in encryption licensing activity from FY 2006 to FY 2007, noting that most licenses are issued for exports to government end-users in emerging markets. The average encryption export license is issued in 42 days. There has been a 10% increase in encryption reviews and classification requests. This has resulted in the average processing time for encryption classifications to increase to 46 days from 31 days. The average processing times for mass market encryption reviews has increased to 35 days from 29 days.
Ms. Pratt discussed three major issues regarding encryption.
- Noted that licenses for the export of components containing encryption are reviewed on the basis of the product’s design. She also noted that BIS does not classify components incorporating mass market software as mass market.
- Reiterated that it is not necessary for classifications to be submitted for new versions of previously classified software, if the name of the software changes or if a software producer is acquired. Companies should therefore limit the submission of classification reviews.
- Advised that exporters can self-classify their products if they contain weak encryption (ECCN 5E002). Exporters are encouraged to self-classify, if possible. Noted that BIS has the authority to classify weak encryption items without NSA review.
With respect to the next steps in encryption, Ms. Pratt noted that BIS is aware that the encryption regulations need to be updated and streamlined and BIS is working on an EAR amendment package to amend encryption controls, including reporting and notification requirements.
Following the presentation, the panel took questions from the audience, which included the following:
1. Mr. Kritzer noted that the U.S. does not coordinate implementation of Wassenaar changes with other countries. Each country implements the changes made at the December plenary sessions on their own schedule. Thus, U.S. changes are implemented on a different schedule than the E.U. and Japan.
2. Stated that if a data server is located in China containing data used to produce EAR 99, no license is required. However, if that server contains controlled technology a license is required to export the controlled technology to China.
3. Medical devices containing encryption algorithms are exempt from licensing pursuant to the Wassenaar medical exception set forth in the EAR.
4. Ms. Pratt noted that Microsoft has obtained from BIS a Letter Authorization that permits Vista to be exported worldwide in a manner similar to mass market software (authorized for export, reexport, resale and transfer worldwide, except to Country Group E:1 countries and to parties denied export privileges).
5. BIS is considering changes to license exception ENC.
Labels: BIS Update Conference