New BIS Encryption Regulation Contains Good and Bad News for U.S. Exporters
Today's guest post on BIS's recently issued encryption regulation was written by Felice Laird, a consultant on encryption and other export control issues and founder of Export Strategies, LLC.
-------------------------------------------------------------------------------------------------
In response to industry pressure and a Presidential Directive issued earlier this year, the Bureau of Industry and Security (BIS) published an interim final rule on October 3, 2008 modifying the Export Administration Regulations (EAR) governing the export of hardware, software and technical data using encryption technology. The rule makes some marginal changes to the regulations but falls short of any significant restructuring of the regulatory regime, which has been in place for almost a decade. Despite the limited nature of the changes, many U.S. companies will need to tweak their compliance practices immediately in order to comply with the new rules; there is no “grace period” for implementation.
The new rule, ironically entitled “Encryption Simplification,” takes up eighteen pages in the Federal Register. BIS plans on developing additional guidance to be posted on its website, as questions will inevitably be raised regarding the correct interpretation of certain provisions contained in the final rule.
Good News for Some
Companies in the business of making products for the consumer market will benefit from the regulatory changes. For example, companies that make mass-market products using weak cryptography (now defined as using key lengths not exceeding 80 bits; for asymmetric algorithms with key lengths not exceeding 1024 bits; and for elliptic curve algorithms with key lengths not exceeding 160 bits) no longer have to submit a notification of self-classification prior to export. These products can be classified as 5X992 and exported under “NLR”.
The new regulation introduces a category of products performing “ancillary cryptography” and exempts them from review and reporting requirements. Examples provided by BIS in its definition of ancillary cryptography in section 772.1 of the EAR include “business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery); industrial, manufacturing or mechanical systems (including robotics, other factory or heavy equipment, facilities systems controllers including fire alarms and HVAC); automotive, aviation and other transportation systems.” Relief from the review and reporting requirements is also given to companies making products using short-range wireless technology.
BIS has also raised the thresholds that allow some network infrastructure equipment to be exported under the unrestricted provisions of ENC. As a consequence, low-end virtual private network (VPN) hardware and other wide area networking products can now potentially qualify for license-free shipment to both commercial and government end-users worldwide.
All exporters will benefit from the addition of Bulgaria, Canada, Iceland, Romania and Turkey to the “License Free Zone” (also known as the “Supplement 3 countries”). Both government and commercial entities in these countries may receive product under ENC once a review request is submitted.
Bad News for Others
BIS has made a change affecting the classification of mass-market products that could present a compliance challenge for companies that conduct a limited international release of product coincident with the submission of a technical review. Companies had previously been allowed to self-classify mass-market products as 5x992 and export under NLR (no license required) pending a 30-day BIS review. The new rules require that future products be temporarily classified as 5x002 pending a final BIS determination and that exports be made according to the provisions of ENC. This change is viewed as a roll-back of an existing liberalization and will undoubtedly be cited in comment letters to BIS. Companies will likely claim that expensive changes to their order processing, export documentation and ERP systems will be required to comply with the new rule.
BIS is actively working on a long-range plan to further modify the encryption regulations. However, given that this is an election year and that fundamental changes to U.S. encryption export rules will require Wassenaar Arrangement approval, there will likely be no further changes for at least a year to eighteen months.