A New Landscape for Information Technology Export Controls: Part 3 – Export Controls on Information Security

Part 3 of a Three Part Series by Felice Laird, Export Strategies, LLC

There is no question that the EAR is as clear as mud when it comes to establishing and maintaining controls on hardware and software used for information security.  Even the officials at the Bureau of Industry and Security admit that the rules are exceedingly complex.  We’ve had basically the same structure of controls (i.e., Category 5 Part II, 740.17, odds and ends sprinkled over a few more sections of the EAR) since 2010.   We also have had the Department of Defense, the Intelligence Community, the Department of Justice and the FBI joining the export control party at various times asserting their jurisdiction over licensing and classification matters.  The Information Technology Controls Division at BIS, and the NSA remain the two primary decision makers. 

At the end of the day, most products in Category 5 Part II can be exported under license exception, but reaching that conclusion requires specific understanding of technical issues and attention to recordkeeping requirements.   

In addition to the regulations, BIS has relied on charts, notes, decision trees, FAQ’s, and Advisory Opinions posted on its website to help companies to understand the rules.  These tools often reflect unwritten policy and interpretations that have proved to be somewhat fluid over the past 10 years.  Anyone trying to classify and determine licensing requirements for infosec products should review all of this guidance. 

There have been a few changes to Cat. 5 Part II in the past year and a half.   A new rule adding controls on “Post Quantum Cryptography” was added in May 2019.  This rule recognizes the fact that quantum computing is being developed in the R&D communities in academia, government labs and industry.  Computing leaders are building chips and system prototypes as quantum computing designs become realized.  The thought is that this technology will make today’s commonly used encryption vulnerable to brute force attacks.  This has been one of the first examples of actually amending the CCL to cover an “emerging technology” . 

Two other changes to 5x002 this past year clarify and codify de-control notes.  The first is a Decontrol Note added to 5A002 (Technical Note 2.j.) for ”Items specially designed for a ‘connected civil industry’ application”.  The other relates to items designed to use encryption only if it has been activated (usually by way of a software key).   

For more on these changes, and a newly revised Encryption Classification Worksheet, sign up for the DIY Encryption Classification webinar coming up on October 28, 2020 at 1 PM EDT with Felice Laird.

For even more in-depth instruction, Advanced Encryption Classification webinar will be offered on November 17, 2020.