Session 6A: Export Controls and Cloud Computing. Key Regulatory Issues

Transcription

1 Export Controls and Cloud Computing Bureau of Industry and Security U.S. Department of Commerce Key Regulatory Issues Control system was devised before the development of highbandwidth telecommunications, the Internet and intensively globalized business. Controls on transmission and deemed export were included in the 1979 Export Administration Act. Controls apply whether data is encrypted (or otherwise inaccessible) or not. System is based on the physical location of data within national borders and the nationality of individuals with access. Electronic transmission has become the dominant form of export and release of technical data. Page 1 of 8

2 Export Controls are Particularly Problematic for Cloud Computing Cloud Service Providers (CSP s) typically offer services internationally. CSP s often locate servers and storage in different countries. User data can be processed and moved within the CSP infrastructure dynamically and without knowledge of the user. In order to comply, users must monitor control status of what is given to CSP s, and ensure that CSP data centers are located in countries for which no license is needed. BIS Guidance on Cloud Computing Three directly relevant, published, Advisory Opinions, Definitional changes published in June 3, 2016, FR notice, in effect as of September 1, including the encryption carve-out. Encryption carve-out provisions were not included in ITAR bookend of definitional changes to be published separately. Page 2 of 8

3 BIS Guidance on Cloud Computing 2009 Advisory Opinion To the extent that U.S. origin technical data or code crosses national borders though use of the service, the EAR applies. CSP s prohibited from offering services intended to support proliferation (nuclear, missile, CBW) activities. As the user knows the control status of the data/software transferred to the provider, the user is responsible for compliance. BIS Guidance on Cloud Computing 2011 Advisory Opinion Dealt with release U.S. technical data to foreign national network administrators or other IT or support employees. While specific to the factual circumstances of the request, this AO did establish principles relevant to incidental access and release. Under the EAR (unlike historical ITAR) mere access by non-u.s. nationals is not a controlled event without a release. Note ITAR is now consistent (a)(1) defines "release" as visual or other inspection by a foreign person of items that reveals technology or source code subject to the EAR to a foreign person;... BIS interprets inspection as an active process by the foreign person that actually reveals technology or source code. BIS assumes that incidental inspection of controlled data or source code by IT support staff is not a release unless an entity has knowledge to the contrary. Page 3 of 8

4 BIS Guidance on Cloud Computing 2014 Advisory Opinion Addressed cloud-based storefronts: unless the data transmitted to and from a cloud application is controlled of itself, remote use of controlled software is not an export. Primarily addresses cross-national SaaS June 3, 2016 FR Notice on Definitions Opportunity to address the issue; relevant changes in multiple locations in the proposed language. The term cloud not used in regulatory text changes affect cross-national data transmission and release to non-u.s. nationals. Primary citation in EAR is in a new section, , Activities that are not exports, reexports, or transfers. Three basic requirements for the carve-out: endto-end encryption, applicability of FIPS standards, and prohibition on storage in D:5/Russia Page 4 of 8

5 End-to-End Encryption Defined as uninterrupted cryptographic protection between and originator (or the originator s incountry security boundary) and an intended recipient (or the recipient s in-country security boundary). Definition is intended to be flexible enough to accommodate different technical approaches (e.g. IPSEC VPN, SSL VPN, etc.) Definition is not intended to preclude service provider involvement (i.e., security can be delegated to a third party). Boundary to Boundary In the June 3 FR notice, definition of end-to-end was changed from system to system encryption (e.g., PGP) to security boundary to security boundary. Reflects common industry practice and provides more flexibility. Allows necessary services to be performed within the security boundaries while meeting the objectives of the rule. Caveat: boundary must be in-country data cannot cross a national border in the clear. Page 5 of 8

6 Standards Requirements Government has an interest in requiring some basic level of quality in cryptographic execution while providing as much flexibility as possible. EAR version asks for effective encryption FIPS compliant or similarly effective means. FIPS is a baseline used for Federal procurement and is internationally recognized. Includes consideration of NIST publications for elements of cryptographic execution (e.g., key management) that are not directly addressed by the standard. For EAR purposes, the exporter is ultimately responsible for preventing unauthorized release. FIPS FIPS deals only with the proper way by which a cryptographic module (hardware or software) must operate and be protected from attacks. Modules can be compliant with or without the NIST validation participation in the validation program is required for procurement (and other reasons) under some circumstances (e.g., DoD). For the carve out, BIS does not specify the level (1-4) of security. Other standards (e.g., ISO 19790) may be used, or internal network systems never offered for sale (or combinations thereof) provided that they are similarly effective. The NIST standard with annexes can be accessed at: Page 6 of 8

7 Storage Restrictions Intentional storage prohibited in D:5 and Russia. Temporary storage on Internet servers while in transit not considered intentional storage. Storage on PC s while in D:5 is considered intentional ; in such circumstances, another authorization (e.g., TMP) is required. As a practical matter, cloud providers serving western customers (including those owned by the PRC) have not located their resources in these countries. Keys and other Access Data Release of keys, passwords or other data with knowledge that such release or transfer will result in release of underlying technical data is a controlled event. Necessary complement to the encryption carve-out. For EAR data, unauthorized release (as opposed to mere access) would actually have to take place to cause a violation. Such release would be a violation to the same extent as unauthorized release of underlying data. Keys and other access data are not considered technical data, and can thus be managed independently. Page 7 of 8

8 Issues Related to Execution Decryption outside the U.S. does not, of itself, constitute an export or release. Storage in the clear (after decryption) outside the U.S. does not, of itself, constitute an export or release. When transmission is decrypted and re-encrypted, endto-end no longer applies. Subsequent transmission is a separate, new transmission. A user may delegate security to a third party provider, but must ensure that such provider meets carve out criteria (e.g. encrypts between cloud resources). Conclusion Changes are intended to provide maximum flexibility to providers and users. BIS will provide additional guidance as more fact patterns emerge and technology evolves. Page 8 of 8