The Bureau of Industry and Security recently issued a $750,000 fine against Intel subsidiary Wind River Systems for the unlawful exportation of software products that enable encryption. This is a sharp departure from BIS’s historical practice and suggests the agency may take a tougher stance on such violations in the future. Wind River Systems shipped to China, Russia, Israel, Hong Kong, South Africa, and South Korea, with recipients including restricted foreign government end-users and organizations on the BIS Entity List.
The controversial move means the US Department of Commerce appears to be coming down heavily against the export of encryption, even in cases where no export to sworn enemies of the US (Iran, Cuba and North Korea etc.) is involved. The Intel subsidiary was fined for failing to get Department of Commerce licenses for business valued at under three million dollars. The fine represents a slap on the wrist, but it seems to be a clear signal that priorities are changing.
Previously, self-reported cases of crypto export were handled with only a warning. The multinational commercial law firm Goodwin Procter warned its clients to expect that they could be penalized like Wind River, and that this would be the “new normal” (Standard Operating Procedure). Per Goodwin Procter:
Wind River Systems exported its software to China, Hong Kong, Russia, Israel, South Africa, and South Korea. BIS significantly mitigated what would have been a much larger fine because the company voluntarily disclosed the violations.
[Goodwin Procter] believe[s] this to be the first penalty BIS has ever issued for the unlicensed export of encryption software that did not also involve comprehensively sanctioned countries (e.g., Cuba, Iran, North Korea, Sudan or Syria). This suggests a fundamental change in BIS’s treatment of violations of the encryption regulations.
Historically, BIS has resolved voluntarily disclosed violations of the encryption regulations with a warning letter but no material consequence, and has shown itself unlikely to pursue such violations that were not disclosed. This fine dramatically increases the compliance stakes for software companies — a message that BIS seemed intent upon making in its announcement.
Senior FBI and US government law officers have repeatedly complained over recent weeks about plans by Apple and Google to incorporate enhanced security into smartphones. Techdirt notes the conflict between government regulation and the tech industry is moving onto the original turf of the first crypto wars of the late 90s – the export of strong encryption.
Strong cryptography was classified as a weapon and subject to export controls back in the 90s, but the approach fell into disfavor for a number of reasons. Among those is that cryptography is essentially applied mathematics and the knowledge is available, and that decent cryptography is a fundamental component of any computing system that aspires to be secure. This includes an increasing number of consumer devices with built-in processors, spanning everything from smart-meters to electronic car locks and insulin pumps. Encryption is one of the best ways to safeguard against these devices getting hacked. Clamping down on the export of cryptography creates a huge competitive disadvantage for US tech companies trying to offer products and services worldwide. Foreign competitors, most likely from China, will inevitably step in and fill the breach. If the Snowden revelations hurt US-based cloud providers, then what effect is stymieing the US tech industry as a whole likely to have? At best, the tougher line is an extra bureaucratic burden.
In a statement BIS provided an essentially bureaucratic justification for its enforcement action – Wind River had failed to apply for an export permit:
Wind River Systems "voluntarily disclosed that between 2008 and 2011 the company made 55 exports of operating software valued at $2.9 million to governments and various end users in China, Hong Kong, Russia, Israel, South Africa, and South Korea. The operating software is controlled under Export Administration Regulations for national security reasons, and some of the export recipients in China are on the BIS Entity List."
“I approved penalties in this case because the violations were ongoing over a period of several years,” said assistant secretary of commerce for enforcement, David W. Mills. “Because the violations were voluntarily disclosed, the company received significant mitigation. This penalty should serve as a reminder to companies of their responsibility to know their customers and, when using license exceptions, to ensure their customers are eligible recipients.”
BIS controls exports and reexports of commodities, technology, and software to support national security and foreign policy, including nuclear, chemical and biological weapons, and missile non-proliferation, human rights, regional stability, and curbing terrorism. Criminal penalties and administrative sanctions can be imposed for violations of the Export Administration Regulations. For more information, please visit www.bis.doc.gov.
It's beginning to feel like history is repeating itself. Related articles document the US government's increasingly hostile stance against some recent moves to enhance privacy through more widely usable encryption, and now we're reaching the stage of the game where the government also starts attacking the "export" of cryptography. A key part of the original cryptowars was over whether or not strong cryptography could be classified as a weapon and subject to significant export controls. That idea was mostly scrapped and encryption appears to have flourished, though strategies may have moved to covert subversion of standards instead of outright efforts for control.
The report understates the simple fact that "encryption is ubiquitous in software products" these days, and that trend will continue as encryption is increasingly important. If the Commerce Department has suddenly decided to pick a fight over this issue, it could create a grave competitive disadvantage for American tech companies trying to offer products around the globe, as Cisco has discovered. It may be seen as though the United States government wants to cede technology leadership to other countries.