DDTC IT Modernization

Transcription

1 DDTC IT Modernization Anthony Dearth Directorate Defense Trade Controls Acting Managing Director

2 AGENDA DECCS Release 2 Features and Industry Batch Filing/Testing DECCS Cyber Security DTAG Recommendations for DECCS Release 3 DECCS Release 2 Timeline DECCS Release 2 Screenshots

3 DECCS INDUSTRY FEATURES RELEASE 2 Single user portal for approved DDTC data collections Interactive web-based interface Implementation of Pay.gov for registration fee payments via: Credit cards Paypal ACH (Automated Clearing House)g House Confirmation of application receipt with tracking number Status tracking of all applications & submission types Continued batch filing of license applications with minimal changes

4 LICENSING BATCH FILING TESTING PLAN Licensing batch filing will be available for industry testing this month. How to submit test batch filings? Review the batch specification document: f Send the principal information of your digital certificate to PM_DDTCProjectTeam@state.gov to be granted access to the test system. A Conditions of Use for Batch Filing must be signed and returned to PM_DDTCProjectTeam@state.gov. Further details on how to access the system will be provided once we receive your testing request and signed Conditions.

5 BATCH LICENSE FILING TECHNICAL DETAILS RELEASE 2 Submissions use SOAP with Attachments message format XML Signature used for signing Authenticate with IdenTrust ACES client certificates The schemas will be the same Current functionality will stay the same o Filing upload and Status download

6 LICENSING BATCH FILING KEY BUSINESS AND TECHNICAL DIFFERENCES RELEASE 2 DECCS will support multiple records (submissions) per batch The URL will be different and will likely require industry security firewall changes DECCS batch filing is implemented using SAAJ APIs included with Java8 JDK and uses no third party libraries. Submissions will require multipart/related content type

7 DECCS CYBER SECURITY Encryption FIPS Encryption Use of TLS (NIST SP r1) TLS 1.2, TLS 1.1, TLS 1.0* Multifactor authentication Access Certificates for Electronic Services (ACES) Currently evaluating DoD External Certification Authority (ECA) Report security inquiries/concerns/incidents to DDTC Service Desk at (202) , or at * Restricted to supporting external connections to non-government entities.

8 INDUSTRY TESTING - CYBERSECURITY Industry Test Environment Security Environment is completely segregated from DDTC production systems. Users required to submit digitally signed Usage Agreement. DDTC will provide test user accounts. Fake Registration Numbers Fake Usernames No IP Access Restrictions at this time. Do not submit any real data including personally identifiable information (PII), other sensitive proprietary information, or ITAR data in the testing environment. Use your standard ACES certificate for all operations that would require digital cryptography.

9 DTAG RECOMMENDATIONS FOR DECCS RELEASE 3 Suggests that Corporate Admin be assigned by letter request (not through the Form 2032 Registration filing). DDTC has decided to allow both options (through 2032 or by letter request) Concerned about use of digital certificates as the exclusive mechanism for authentication in DECCS. For Release 3, we will implement other appropriate DOS approved two-factor authentication methods DECCS user roles and responsibilities must match organizational structure, comply with OCI, SSA and other legal and organizational firewalls including protecting sensitive personal information in DS-2032 We will work with industry to implement firewalls and protection of sensitive data for Release 3. For Release 2 we will not implement ability to view applications by industry users. DDTC site needs modifications to support industry We are planning an external stakeholder session to further define industry requirements

10 DTAG RECOMMENDATIONS FOR DECCS RELEASE 3 (CONTINUED) Suggests that General Correspondence for freight forwarder name and address changes remain the responsibility of the freight forwarder. DDTC will continue to accept freight forwarder name and address changes by General Correspondence and will post notices to the web However, it will be the responsibility of the licensee to update its licensing records in DECCS either: Through the web interface or Through batch filing

11 DECCS HIGH LEVEL TIMELINE RELEASE #2 Development Government and Industry Testing Ends 5/31/2017 4/2017-8/2017 Authorization to Operate Approval Package submitted 5/31/2017 Training & Onboarding 5/2017 8/2017 Deployment 9/2017

12 NOTE: All speaker comments are off-therecord and not for public release DECCS: LOGIN

13 NOTE: All speaker comments are off-therecord and not for public release DECCS: REGISTRATION DS-2032

14 NOTE: All speaker comments are off-therecord and not for public release DECCS: REGISTRATION DS-2032 BLOCK 2

15 NOTE: All speaker comments are off-therecord and not for public release DECCS: REGISTRATION BLOCK 4 VALIDATION

16 NOTE: All speaker comments are off-therecord and not for public release DECCS: LICENSING HOME PAGE

17 NOTE: All speaker comments are off-therecord and not for public release DECCS: LICENSING DSP-5

18 NOTE: All speaker comments are off-therecord and not for public release DECCS: LICENSING DSP-5 BLOCK 5

19 NOTE: All speaker comments are off-therecord and not for public release DECCS: LICENSING TRACK STATUS

20 NOTE: All speaker comments are off-therecord and not for public release DECCS: LICENSING APPLICATION DETAIL

21 Questions?

22 Developments in Cloud Computing, Intrusion Software and Network Surveillance Controls Aaron Amundson Director, Information Technology Controls Division Bureau of Industry & Security May 2, 2017

23 BIS GUIDANCE ON CLOUD COMPUTING Three directly relevant, published, Advisory Opinions, Definitional changes published in June 3 FR notice, in effect as of September 1, including the encryption carve-out. Encryption carve-out provisions were not included in ITAR bookend of definitional changes to be published separately. 23

24 ADVISORY OPINIONS ON CLOUD COMPUTING Jan a cloud provider that provides access to computational capacity is not the exporter of data derived from the computations because they are not the principal party in interest. Jan if the cloud provider is not the exporter, the cloud provider is not making a deemed export if their foreign national network administrators access the data. Nov remotely using controlled software is not an export itself, unless there is a transfer of 24 controlled software or technology.

25 JUNE 3 FR NOTICE ON DEFINITIONS Opportunity to address the issue; relevant changes in multiple locations in the proposed language. The term cloud not used in regulatory text changes affect cross-national data transmission and release to non-u.s. nationals. Primary citation in EAR is in a new section, , Activities that are not exports, reexports, or transfers. Three basic requirements for the carve-out: end-toend encryption, applicability of FIPS standards, and 25 prohibition on storage in D:5/Russia

26 END-TO-END ENCRYPTION Defined as uninterrupted cryptographic protection between and originator (or the originator s incountry security boundary) and an intended recipient (or the recipient s in-country security boundary). Definition is intended to be flexible enough to accommodate different technical approaches (e.g. IPSEC VPN, SSL VPN, etc.) Definition is not intended to preclude service provider involvement (i.e., security can be delegated to a third party). 26

27 BOUNDARY TO BOUNDARY In the June 3 FR notice, definition of end-to-end was changed from system to system encryption (e.g., PGP) to security boundary to security boundary. Reflects common industry practice and provides more flexibility. Allows necessary services to be performed within the security boundaries while meeting the objectives of the rule. Caveat: boundary must be in-country data cannot cross a national border in the clear. 27

28 STORAGE RESTRICTIONS Intentional storage prohibited in D:5 and Russia. Temporary storage on Internet servers while in transit not considered intentional storage. Storage on PC s while in D:5 is considered intentional ; in such circumstances, another authorization (e.g., TMP) is required. As a practical matter, cloud providers serving western customers (including those owned by the PRC) have not located their resources in these countries. 28

29 KEYS AND OTHER ACCESS DATA Release of keys, passwords or other data (access information) with knowledge that such release or transfer will result in release of underlying technical data is a controlled event. An unauthorized release of access information would be a violation to the same extent as unauthorized release of underlying data. Keys and other access data are not considered technical data, and can thus be managed independently. 29

30 ISSUES RELATED TO EXECUTION Decryption outside the U.S. does not, of itself, constitute an export or release. Storage in the clear (after decryption) outside the U.S. does not, of itself, constitute an export or release. When transmission is decrypted and re-encrypted, end-to-end no longer applies. Subsequent transmission is a separate, new transmission. A user may delegate security to a third party provider, but must ensure that such provider meets carve out criteria (e.g. encrypts between cloud resources). 30

31 CONCLUSION ON CLOUD COMPUTING Changes are intended to provide maximum flexibility to providers and users. BIS will provide additional guidance as more fact patterns emerge and technology evolves. 31

32 SUMMARY OF 2013 WASSENAAR CYBER CONTROLS Controls on network communications and surveillance equipment for carrier class IP networks (5.A.1.j). Drafters contemplated that controls would apply to a narrow range of specific products. Controls on network intrusion (4.A.5, 4.D.4, and 5.E.1) focused on command and delivery platforms for network intrusion software (e.g., exploits/payloads). Included hardware/software command and control platforms and associated technology. While defining intrusion software, controls did not apply to such software itself. Controls did apply to technology for such software (5.E.1.c). 32

33 U.S. IMPLEMENTATION EFFORTS The U.S. published a rule implementing these controls in the Export Administration Regulations in proposed form in May, We originally anticipated that the reach of the new controls would be quite narrow, as the discussions in Wassenaar focused on products of a few companies such as FinFisher/Gamma, Hacking Team and Vupen. As a result, the proposed rule required individual licenses for exports to all countries except Canada and for release to all non-u.s. and non-canadian nationals. Public comment was extensive, focused primarily on network intrusion, and was overwhelmingly negative. 33

34 CURRENT STATUS OF U.S. IMPLEMENTATION Due to comments received and subsequent extensive outreach to cybersecurity stakeholders, including Government cybersecurity organizations, we decided to delay implementation. Nature of the commentary revealed differences between the original intent of the controls and the actual impact of the language. These issues must be clarified in order to create a level playing field within Wassenaar and to limit potential negative impact on Member States critical cybersecurity activities. The U.S. returned to Wassenaar in 2016 with proposals to address some of the more important issues, and met with only limited success; we are continuing this discussion in this year s session. 34

35 UNIQUE FEATURES OF THE CYBERSECURITY ENVIRONMENT Cybersecurity activities are highly globalized. Cybersecurity employs a fundamental Red Team/Blue Team approach. Participants vary widely and fluctuate as needs demand Cyber activities are now only lightly touched by export control or other regulations. Cybersecurity activity can be extremely time sensitive 35

36 QUESTIONS FOR WASSENAAR DISCUSSION High level issue: how to control target products without impeding defensive work Problem: in order to effectively prevent a small subset of transactions, all transactions involving network intrusion command and control platforms (including technology) must be touched in some way: Classification deciding what is caught and what is not IT solutions (firewalls, access controls) Procedures Training While U.S. corporations with pre-existing compliance programs are equipped to execute such controls, non-u.s. enterprises, small companies, academic entities, and individuals are not; the latter are big players in cyber defense. 36

37 Questions?