Compliance usually means protecting your company’s assets and your professional reputation, but with ITAR, lives may be at stake. The International Traffic in Arms Regulations makes manufacturers, exporters, and brokers of defense products and services partly responsible for their nation’s security. Companies that fail to secure defense data can find themselves on the hook for millions of dollars in fines, and responsible for putting dangerous information in the hands of our country’s enemies.
ITAR compliance rules are complex, and it can be difficult to even determine which of your products fall under the regulations. If your organization is part of a high-tech industry, you could be on the hook without even knowing it.
Who Needs to Be Compliant?
In spite of its name, ITAR compliance isn’t just for arms dealers. According to Max Aulakh, Chief Security Architect at MAFAZO Digital Solution, anyone who buys, sells, or distributes anything on the United States Munitions List (USML) is on the hook for compliance. The USML has pretty broad categories, and it’s not always easy to understand what qualifies as military equipment. The USML includes most technology used for spaceflight, for example, along with a wide range of aircraft technology, software, and technical data.
“Many of these items were developed originally for military purposes but have evolved into mainstream commercial products – in the electronics, navigation, computer security, maritime, aviation and other industries. Today it is often very difficult to determine if a product is subject to ITAR, and this presents a challenge for business executives. However it is important to understand this distinction, especially for firms that provide products and services to government customers, to avoid costly legal violations.”
Category XXI of the USML is especially confusing, because it covers “any article not specifically enumerated in the other categories of the U.S. Munitions List which has substantial military applicability and which has been specifically designed, developed, configured, adapted, or modified for military purposes.”
That covers a lot of ground. Without an ITAR compliance expert, it can be very difficult for an organization to tell for sure what products, if any, fall under that category. That’s why, as Max Aulakh points out, ITAR impacts universities, large commercial enterprises like Amazon, and other institutions who aren’t directly involved in the defense industry.
Why is ITAR Compliance So Important?
ITAR compliance is meant to keep potentially dangerous products, techniques, and data out of the hands of people who could use them against the United States. However, even technologies that aren’t directly regulated by ITAR could threaten American interests and foreign policy.
For this reason, organizations need to enforce a compliance policy that goes beyond ITAR, regulating any assets that could have a military use. In particular, they need to adhere to Export Administration Regulations (EAR) in addition to ITAR compliance rules. EAR regulates a large range of software, including data encryption software. As Aulakh points out, both ITAR and EAR “attempt to control the flow of sensitive information from the US to foreign countries.”
What Happens When You Violate ITAR
Violating ITAR compliance can lead to both civil and criminal penalties. In practice, the fines are really unlimited — often, companies are subject to prosecution for hundreds of violations at once, and penalties have run into the hundreds of millions.
In 2004, for example, General Motors and General Dynamics (which owns assets that were formerly part of GM) received 248 separate violations for exporting light armored vehicles and technical data to nationals of China, Syria, Iran, and Afghanistan, in defiance of ITAR. Not only were they fined a total of $20 million, but they also had to participate in a wide range of costly compliance training, auditing, and infrastructure upgrades to prevent future violations.
ITAR can also do major damage to your organization’s reputation and ability to do business. ITAR violations and penalties are added to a publicly available list, maintained by the State Department. Individuals and organizations can even be debarred from exporting defense services and materials in the future.
In 2011, this nearly happened to BAE. It was initially subject to statutory debarment, although the state department rescinded the order. As it was, the consequences were hefty: BAE had to pay a whopping $400 million in criminal costs for violating ITAR and the Foreign Corrupt Practices Act, along with another $79 million in civil penalties — the biggest civil penalty ever imposed by the State Department at the time.
What Does ITAR Compliance Entail?
ITAR compliance starts with registering with the Directorate of Defense Trade Controls (DDTC) and paying a registration fee. Once registered, a company will need permission for every deal that falls under ITAR compliance rules. According to McVey, registered companies need to obtain state department licensing for:
- Importing USML items
- Exporting USML items
- Brokering the sale of USML items
- Providing defense services
- Providing software or technical data
Companies need a system that builds ITAR compliance checks into every sale. According to McVey, they should systematically review all data, products and contracts to see which fall under the USML. Then, they should apply for licenses or authorization for each applicable item.
Finally, any organization subject to ITAR needs to appoint an officer to create and enforce an organization-wide compliance program. The officer should enforce written policies governing training, auditing, and responding to any violations that are discovered.
Like HIPAA, PCI, and other regulatory regimes, ITAR compliance requires companies to carefully control sensitive data. As such, email encryption, firewalls, and other data security best practices need to be used to protect sensitive information. Aurora IT recommends classifying data into four categories: Public Use, Internal Use Only, Confidential, and Top Secret. This classification helps organizations implement Data Loss Prevention (DLP) techniques that control access to classified information and prevent unauthorized disclosure.
How and Why is Encryption Important to ITAR?
Encryption is the only reliable way to secure data from hackers, cyber-spies, and internal threats. When a file or email is encrypted, it can only be read by someone who has the cryptographic key. ITAR-compliant companies need to use strong encryption standards, and carefully control their cryptographic keys to ensure unauthorized parties can’t decrypt classified information.
Data traveling over the Internet is especially vulnerable to attack, and even some types of email encryption, such as SSL/TLS, are vulnerable to hackers. Only encryption that takes place on the client, before content hits the network, is robust enough to protect email from the time of creation until the time of consumption. Because Virtru encrypts messages as they leave your computer, and only decrypts them once they reach your recipient’s inbox, your emails and attachments can’t be compromised in transit.
Email encryption is also the only practical, ITAR-compliant way to communicate with overseas employees or US government officials. As Nick Espinosa (@NickAEsp), ITAR compliance expert and CIO of the IT consultancy BSSi2 LLC, says:
“Essentially, you cannot have ITAR compliance without encryption. The regulations regarding data transmission to the cloud basically say that data transmission to a foreign country can happen without an export license providing that the data is securely sent and received by personnel that are employees of the US government or directly employed by a US corporation and not a subsidiary.
All phases of the data transfer must be secure. Sending, routing and receiving must all be secure. The primary method for securing and sending this data, whether it’s email or technical data, would be to encrypt the email or data and then send it via an encrypted tunnel to the foreign recipient. AES256 or better encryption is standard.”
In other words, without strong, client-side email encryption, there’s no practical way to send information subject to ITAR compliance rules overseas. You wouldn’t be able to communicate with overseas offices, partners, or US government employees without applying for an export license each time. And even with an export license, you’d still need to come up with some other way of communicating securely.
Coming Changes to the ITAR Regulation
In June of 2015, the U.S. Department of Commerce’s Bureau of Industry and Security and the U.S. Department of State’s Directorate of Defense Trade Controls published proposed rules which allow for the use of cloud computing services for ITAR regulated data. This would mean massive opportunity for defense industry companies to leverage the benefits of the cloud, while still complying with ITAR.
When the new rules are passed, expected in the first half of 2017, ITAR regulated data can be shared using cloud services, provided that it meets certain criteria. This data must be:
(2) secured using end-to-end encryption;
(3) secured using cryptographic modules compliant with FIPS 140-2, supplemented by software implementation, key management and other procedures and controls in accordance with NIST publications and guidance. Note that BIS would also allow “similarly effective cryptographic means,” while the DDTC would strictly require FIPS 140-2-compliant cryptography; and
(4) not stored in a country subject to a U.S. arms embargo (i.e., EAR Country Group D:5 or ITAR Section 126.1) or Russia.
Under this proposal, “end-to-end encryption” requires “uninterrupted cryptographic protection of data between an originator and an intended recipient, including between an individual and himself or herself.” Also, the “means to access the data in unencrypted form is not given to any third party, including to any Internet service provider, application service provider or cloud service provider.” Therefore, qualifying cloud providers may not store the data unencrypted or decrypt/re-encrypt the data anytime before delivery to the intended recipient.
Is Encryption Enough?
Email encryption alone won’t prevent a well-meaning employee from forgetting to encrypt a sensitive message, or sending out sensitive data by mistake. As Nick Espinosa puts it:
“The biggest problem facing ITAR compliance is user error. Too often people forget to enable the option for encryption when sending an email. Taking the options out of the users’ hands ensures that no human error can factor into the secure transmission of email.”
This is where data loss prevention, or DLP, comes in. Virtru DLP, for instance, provides your organization with an easy-to-use console that controls what information users can send and how it is secured. You can set automatic email encryption, or pop up a warning when employees are about to send an unencrypted email. You can automatically strip attachments from emails sent to addresses outside your company, to prevent employees from accidentally disclosing sensitive data. You can even have Virtru CC your ITAR compliance expert on certain emails, so that they can monitor sensitive communications for data breaches.
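The four controls just described (forced encryption, a warning on unencrypted mail, stripping attachments bound for outside addresses, and copying a compliance reviewer) can be expressed as a small outbound-mail policy. The following is an added example, not Virtru's code; the company domain, the reviewer address, the sensitivity markers, and the sample messages are all constructed for illustration.

```python
"""Added example (not Virtru's code): a minimal outbound-email DLP policy
engine modelled on the four controls described above. Domains, addresses
and sensitivity markers are constructed assumptions."""
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.com"}                 # assumed company domain
COMPLIANCE_REVIEWER = "itar-officer@example.com"   # hypothetical reviewer
SENSITIVE_MARKERS = ("ITAR", "USML", "export controlled")


@dataclass
class OutboundMail:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    encrypted: bool = False


def is_external(address: str) -> bool:
    """True when the recipient's domain is not one of ours.
    Exact-match on the domain so that 'example.com.attacker.net' or
    'notexample.com' are not mistaken for internal addresses."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def looks_sensitive(mail: OutboundMail) -> bool:
    """Crude content check: any marker in subject or body."""
    text = f"{mail.subject}\n{mail.body}".lower()
    return any(marker.lower() in text for marker in SENSITIVE_MARKERS)


def evaluate(mail: OutboundMail, force_encrypt: bool = True) -> dict:
    """Return the actions a gateway should apply before the mail leaves."""
    actions = {"encrypt": False, "warn": False,
               "stripped_attachments": [], "cc": []}
    external = any(is_external(r) for r in mail.recipients)
    sensitive = looks_sensitive(mail)
    if not mail.encrypted and (sensitive or external):
        if force_encrypt:
            actions["encrypt"] = True   # take the choice out of the user's hands
        else:
            actions["warn"] = True      # or prompt the sender instead
    if external and mail.attachments:
        actions["stripped_attachments"] = list(mail.attachments)
    if sensitive:
        actions["cc"] = [COMPLIANCE_REVIEWER]
    return actions
```

The domain check is deliberately an exact match: a suffix or substring test would let a look-alike domain such as a subdomain of an attacker's site pass as internal.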
Virtru and EAR / ITAR Compliance
Organizations can currently use Virtru to meet EAR regulations in the cloud, but they’ll have to wait until proposed regulations are passed before using Virtru for ITAR compliance.
Once the ITAR regulations change, which is expected in mid-to-late 2017, Virtru will vastly simplify ITAR compliance for organizations who have moved to the cloud. By combining Virtru client-side encryption with the Virtru Customer Key Server (CKS), organizations will be able to protect ITAR regulated content and still reap the cost and collaboration benefits of the cloud.
Virtru allows users to rescind email messages, even after they’ve been read, which can be a lifesaver when someone accidentally shares the wrong information. It even lets users disable forwarding, or set time limits on sensitive information so that it doesn’t sit in the recipient’s inbox where it could be vulnerable to attack.
Combined with Virtru DLP, Virtru encryption can play a key part in enabling EAR compliance – and we hope it will soon do the same for organizations who have made a move to the cloud.