Encryption Technology Connected Car Autonomous Vehicles Export Control Implications Maher Shomali maher@t-b.com Wes Demory wes@t-b.com
What is an Export?
- Shipments of Physical Items
- Electronic Transfers
- Information Sharing
- Deemed Exports
What is Subject to U.S. Export Controls? U.S.-Origin Items AND Foreign Made Items Inside the United States Foreign Made Items Containing U.S.-Origin Components or Made from U.S.-Origin Technology
U.S. Agencies & Regulations
- Directorate of Defense Trade Controls (DDTC): International Traffic in Arms Regulations (ITAR)
- Bureau of Industry and Security (BIS): Export Administration Regulations (EAR)
- Bureau of the Census: Foreign Trade Regulations (FTR)
- Office of Foreign Assets Control (OFAC): Sanctions Programs
United States Munitions List [ITAR]
Commerce Control List [EAR]
0 - Nuclear Materials, Facilities & Equipment
1 - Materials, Chemicals, Microorganisms & Toxins
2 - Materials Processing
3 - Electronics
4 - Computers
5 - Telecommunications & Information Security
6 - Lasers & Sensors
7 - Navigation & Avionics
8 - Marine
9 - Aerospace & Propulsion
Reasons For Control
EAR99 is the Catch-all Classification 3A001 5A991 5A002 6A005 EAR99
ENCRYPTION CONTROLS
How Did We Get Here? License Exception ENC ITAR Licenses EAR Licenses No License Required
What is an Encryption Product?
A product that includes encryption functionality
- Can be proprietary or from third-party source
- Even dormant encryption functionality may be controlled
What is an Encryption Product?
A product that uses encryption functionality without including the encryption code
- An application that relies on the web browser to encrypt data between the device and server
Encryption Terms
Encryption Algorithms:
- AES, DES, RC4, Blowfish, RSA, DSA, Diffie-Hellman, Elliptic Curve...
Encryption Protocols:
- SSL/HTTPS, TLS, SSH, IPsec, VPN, IKE, SNMPv3, WPA, Wi-Fi, Bluetooth...
Encryption Uses:
- Data Confidentiality, Key Management, Authentication, Digital Signature, IP Protection...
Why is Encryption Important?
Consumers will be reluctant to use connected cars if in-vehicle systems are vulnerable to cyberattacks. Comprehensive IT security solutions that cover the connected car's entire lifecycle can ease these concerns.
- In-vehicle security
- Cloud-based security
Authentication/Tamper Protection
Trusted identity of all parts to the system
TPM-based solutions for the ECU
- Secure key storage
- Only releases keys once parts to the system are authenticated
Infotainment Systems
Connectivity Systems
Data Applications
Applications transmitting sensor or user data...
- In-vehicle AND
- To the cloud
EAR Controls on Encryption Items
Is my item an encryption product?
Is my item controlled under Category 5, Part 2 of the EAR?
What is the appropriate ECCN and License Exception?
- 5x002 for data confidentiality
- 5x992 for mass market
- EAR99 for limited use encryption
What are my pre-shipment requirements?
- No pre-shipment requirements
- Notification
- Formal Classification
- Licensing
What are my post-shipment reporting requirements?
Data Confidentiality
Designed or modified to use cryptography for data confidentiality, including:
- Items having information security as a primary function;
- Digital communication or networking systems, equipment and components; and
- Computers and components therefor...
What about automotive applications?
Data Confidentiality Does Not Include...
- Authentication
- Digital Signature
- Data Integrity
- Non-repudiation
- DRM
- Entertainment, mass commercial broadcasts, or medical records
Other Decontrols...
- Smart cards and smart card readers
- Specially designed and limited for banking use or money transactions
- Portable or mobile radiotelephones for civil use
- Cordless telephone equipment
- Wireless Personal Area Network equipment
- Disabled crypto
- Mobile telecommunications Radio Access Network equipment
- Operations, Administration or Maintenance items
Mass Market Note
Note 3 Category 5, Part 2
- Generally available to public
- Crypto cannot be easily changed
- Designed for install without support
- Can include components
- Must consider target market and price
Automotive items have generally been considered mass market
Formal Classification Requirements
- Network infrastructure commodities
- Encryption source code that is not publicly available
- Encryption technology
- Chips, chipsets, and other components
- Cryptographic libraries, modules, development kits and toolkits
- Non-standard encryption items
- Network or computer forensics items
Encryption Checklist
Develop an encryption checklist for internal company use
- Request encryption details from product team
- Algorithms? Uses? Protocols? Sources?
Thomsen & Burke Encryption Checklist @ www.t-b.com
Make it a mandatory step in the new product introduction process
Pre- and Post-Shipment Reporting Requirements
There are three types of pre- and post-shipment reporting requirements:
1. Yearly Encryption Registration Report for products self-classified
2. Semi-Annual ENC Report for more restricted products formally classified
3. Pre-Shipment Notifications for products exported under a bulk encryption license
Maintain reports throughout the year to avoid stress at reporting deadline
Foreign Import Control Requirements
Transparent Rules
- France
- Israel
Opaque Rules
- Russia
- China
Key Points of Trans-shipment
- Hong Kong
- Singapore
Other countries to consider
- UAE
- India
- Poland
- South Africa
- Malaysia
- Turkey
THIS IS NOT AN EXHAUSTIVE LIST
OTHER TECHNOLOGIES
Light Detection and Ranging (LIDAR)
Light Detection and Ranging (LIDAR)
ITAR Category XII(b)(6): LIDAR specially designed for a military end user
EAR 6A008.j: LIDAR equipment having any of the following:
1. Space-qualified
2. Employing coherent heterodyne or homodyne detection techniques and having an angular resolution of less (better) than 20 µrad (microradians)
3. Designed for carrying out airborne bathymetric littoral surveys...
Note: 6A008 does not control Civil Automotive Radar
Cameras
EAR 6A003.b: Imaging cameras
Note: 6A003.b.4.b and .c do not control imaging cameras having any of the following:
The camera is specially designed for installation into a civilian passenger land vehicle and having all of the following:
1. The placement and configuration of the camera within the vehicle are solely to assist the driver in the safe operation of the vehicle;
2. Is operable only when installed in any of the following:
   a. The civilian passenger land vehicle for which it was intended and the vehicle weighs less than 4,500 kg (gross vehicle weight); or
   b. A specially designed, authorized maintenance test facility; and
3. Incorporates an active mechanism that forces the camera not to function when it is removed from the vehicle for which it was intended.
Camera Technology
EAR 6E001/6E002: Technology for 6A003 cameras
License Exception TSR may not be used, unless it is for the integration of 6A003 cameras into camera systems specially designed for civil automotive applications
Artificial Intelligence / Machine Learning
EAR 3A001.a.9: Neural network integrated circuits
NOTE: The control status of integrated circuits described in 3A001.a.9 that are unalterably programmed or designed for a specific function for other equipment is determined by the control status of the other equipment.
Data Privacy Issues
- Who owns the data that is collected or generated?
- To whom is data sent and how is it stored?
- How is the data being secured?
Key Compliance Considerations
Determine if the item/project is controlled under the ITAR or EAR
Classify the item/technology
Does it matter if it is specially designed for civil automotive vs generic?
Does it use encryption in a non-exempt manner?
In what ways will there be an export?
- Physical shipment
- Electronic transmission
- Sharing of information
Who will receive the export?
- Internal parties
- Third-parties
- Foreign persons
Questions?
Maher M. Shomali, maher@t-b.com, 410.539.6336
Wes Demory, wes@t-b.com, 410.539.2691
Two Hamill Road, Suite 415, Baltimore, Maryland 21210