Welcome to Baker McKenzie Stockholm Fifth Annual Trade Day 7 November 2017
Software Classification and Security
Alison Stafford Powell and Olof König

Alison J. Stafford Powell, Partner, Baker McKenzie Palo Alto, CA
+1 650 856 5531, alison.stafford-powell@bakermckenzie.com

Olof König, Senior Associate, Baker McKenzie Stockholm
+46 (0) 8 566 177 44, olof.konig@bakermckenzie.com
Software Security
- Encryption is used everywhere and is the flip side of the cyber security threat.
- It is important to understand and control/own the encryption functionality used by your company.
- Note that there is a revised structure in the new Dual-Use List, which restructures Category 5 Part 2 into a more positive control list. Note 4 (the decontrol note to Category 5, Part 2) has been removed and is now incorporated into 5A002.a.
- This session will focus on encryption functionality.
- Note that the new proposed General Export Authorisation (GEA) for encryption and the proposed GEA for intra-group transfers will take time before they are implemented.
Regulators, Banks and Cryptography
- Crypto controls for electronic transfers
- Increased use of FinTech
- Regulators' focus on banks
- Increasing security and use of cryptography
- Export control rules apply to transfers of software/hardware using encryption
- Previously not a priority for banks; increased attention in the last 1-2 years
- Regulatory audits by export control organizations
- The other side of the coin for cyber risk
Encryption functionality
5A002 "Information security" systems, equipment and components, as follows:
Designed or modified to use 'cryptography for data confidentiality' using:
a) A "symmetric algorithm" employing a key length in excess of 56 bits; or
b) An "asymmetric algorithm" where the security of the algorithm is based on any of the following:
   1. Factorisation of integers in excess of 512 bits (e.g., RSA);
   2. Computation of discrete logarithms in a multiplicative group of a finite field of size greater than 512 bits; or
   3. Discrete logarithms in a group other than mentioned in paragraph b.2. in excess of 112 bits.
Decontrols and Exemptions
- What is the primary function of the product and its encryption functionality?
- "Cryptographic activation"
- Decontrol parameters and easy routes: banking use, authentication only, ancillary cryptography, OAM, and mass market
- Is the product available for free or sold to the general public?
- Presenting reasons to persuade ISP to want to treat an application as decontrolled
How to Achieve Compliance
Key aspects of the process (how does the client get it right?):
- Dedicated team
- Minimising impact on operations
- Classification
- Audit
- Licensing
- Record keeping
EU Import Controls on Cryptography
- No EU-wide import control requirements on cryptography. Some exceptions:
  - Bulgaria (registration requirements for imports from outside the EU)
  - France (registration requirements, plus reporting requirements for exports)
  - Latvia (import licensing requirements for certain goods)
  - Poland (reporting requirements)
  - Croatia
Encryption Requirements by Country*

Country               Import  Export
Argentina             No      Yes
Australia             No      Yes
Austria               No      Yes
Belgium               No      Yes
Belarus               Yes     Yes
Brazil                No      No
Bulgaria              Yes     Yes
Canada                No      Yes
Chile                 No      No
China                 Yes     Yes
Croatia               Yes     Yes
Cyprus                No      Yes
Czech Republic        No      Yes
Denmark               No      Yes
Egypt                 Yes     No
Estonia               No      Yes
Finland               No      Yes
France                Yes     Yes
Germany               No      Yes
Greece                No      Yes
Hong Kong             Yes     Yes
Hungary               No      Yes
India                 Yes     Yes
Ireland               No      Yes
Israel                Yes     Yes
Italy                 No      Yes
Japan                 No      Yes
Kazakhstan            Yes     Yes
Latvia                Yes     Yes
Lithuania             No      Yes
Luxembourg            No      Yes
Malaysia              No      Yes
Malta                 No      Yes
Mexico                No      Yes
Netherlands           No      Yes
New Zealand           No      Yes
Norway                No      Yes
Poland                Yes     Yes
Portugal              No      Yes

Encryption Requirements by Country* (2)

Country               Import  Export
Romania               No      Yes
Russia                Yes     Yes
Singapore             No      Yes
Slovakia              No      Yes
Slovenia              No      Yes
South Africa          Yes     Yes
South Korea           Yes     Yes
Spain                 No      Yes
Switzerland           No      Yes
Taiwan                No      Yes
Thailand              No      No
Turkey                Yes     Yes
United Arab Emirates  Yes     Yes
United Kingdom        No      Yes
Ukraine               Yes     Yes
United States         No      Yes
Venezuela             No      No
Vietnam               No      Yes

*Baker & McKenzie survey, March 2012
US Origin Content
EAR De Minimis Rule
- Basic rule: foreign-made items incorporating or bundled with certain US-origin content are subject to US jurisdiction and may require licenses even without any US involvement.
- Compare apples to apples; oranges to oranges.
- Bundled: the US software is re-exported together with a foreign item and is "configured for" that item (even if not necessarily physically integrated into it); and the "bundled" US software content is either classified EAR99 or controlled for "AT" (antiterrorism) reasons only on the US Commerce Control List in the EAR. Treat only the bundled portion of the software as part of the overall hardware.
De Minimis Value Thresholds
- > 10%: Iran, North Korea, Sudan, Syria
- > 25%: other countries (inc. Crimea and Cuba)
- 0%: 600 series/9x515 content and certain others (see-through carve-out)
Special encryption de minimis rules:
- Must meet the value thresholds and be notified/classified under the encryption rules in the EAR
- Encryption carve-out: foreign products produced/developed from US encryption items not previously subject to review under License Exception ENC are subject to the EAR
De Minimis Rule: Controlled Content
What is controlled content?
- Cuba, North Korea, Syria, Crimea: anything (inc. EAR99)
- Iran/Sudan: non-EAR99 items
- Others: depends on the ECCN and Reason for Control on the CCL
Decision tool: https://www.bis.doc.gov/index.php/de-minimis-directproduct-rules-decision-tool
De Minimis: Caution on bundling for Iran!
EAR (BIS)
- General rule: no commingling of values as between hardware/software/technology (apples to apples)
- Exception, the bundling rule: certain controlled software can be counted against the value of foreign hardware (apples to oranges) if it is bundled (configured for the item) and EAR99 or AT-controlled only
- Threshold: over 10%
ITSR (OFAC)
- Must be below the threshold on both a non-commingled basis and a bundled basis (cumulative). Must meet the value tests for each of the following:
  1) hardware-hardware
  2) software-software
  3) technology-technology
  4) AND, for complex products, compare the software to the entire foreign item
- Threshold: 10% or more
www.bakermckenzie.com Baker & McKenzie Advokatbyrå KB is a member firm of Baker & McKenzie International, a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organisations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as Attorney Advertising requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.