Second Annual Impact of Export Controls on Higher Education & Scientific Institutions




The following presentation was presented at the Second Annual Impact of Export Controls on Higher Education & Scientific Institutions
Hosted by Georgia Institute of Technology in cooperation with the Association of University Export Control Officers (AUECO)
Pre-Conference Export 101: May 5, 2014
Conference Program: May 6 & 7, 2014
Georgia Tech Hotel & Conference Center, Atlanta, Georgia

Cloud Computing and Encryption
- Chris Smoak, Georgia Tech Research Institute: Technical Explanations of Cloud Computing & Encryption
- T. Scott Cowperthwait, Shipman & Goodwin LLP: Overview of export control laws as they relate to Cloud Computing and Encryption
- Randy Wheeler, BIS: Guidance updates
- Pat Schlesinger, UC Berkeley & Will Metcalf, UofL: Practical applications in the university environment including examples of effective compliance program

Cloud Computing
- Definition: A distributed computing environment orchestrated over a network
- As a general marketing term, something "in the cloud" refers to software, technology, or other solutions sold as a service to customers
- For example, "Cloud storage" equates to storage as a service
- In general, you'll find that a service "in the cloud" implies large scale and infinite capacity/performance, but that's not always the case

Cloud Services
- Such services are often communicated as more cost efficient than building and maintaining one's own computing infrastructure
- If taken at face value, this is often true
- However, there are several implications that are often overlooked
- For example, maintaining the confidentiality and integrity of data becomes challenging
- Where we would once have complete control of our data at rest and in motion, we now give up some level of that control

The Cloud
- Can you tell me where your data resides? No?
- Often, neither can your cloud provider
- But that's the point: it's anywhere and everywhere when it's in the cloud
- How can we be sure our data is protected?

Encryption in the cloud
- So how do we go about leveraging cloud resources while maintaining data confidentiality and integrity?
- Answer: very careful use of encryption (and potentially a lot of frustration)
- Sometimes it's not as simple as encrypting everything before being placed in the cloud
  - Simple storage/retrieval models will work, but what if we need to search or process the data?
- Minimize time spent unencrypted when doing work in the cloud
  - Possible in some applications but not in others
- Clear understanding of the risks involved is critical to being successful
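As an added example, not part of the original presentation: one way to keep the simple storage/retrieval model while still allowing exact-keyword search is to encrypt locally and upload a keyed "blind index" next to the ciphertext. The code uses Node.js's built-in crypto module; the key handling, the `CloudStore` class and the sample records are assumptions made for illustration.

```javascript
// Added example (not from the presentation): encrypt on premises, search in the cloud.
const nodeCrypto = require("node:crypto");

// Constructed demo keys. Assumption: in real use they stay in an on-premises
// key store that the cloud provider and its administrators cannot reach.
const encKey = nodeCrypto.randomBytes(32);   // AES-256-GCM data key
const indexKey = nodeCrypto.randomBytes(32); // separate HMAC key for search tokens

// Keyed, one-way token for a keyword; the provider sees only this hex string.
function blindToken(keyword) {
  return nodeCrypto.createHmac("sha256", indexKey)
    .update(keyword.trim().toLowerCase(), "utf8").digest("hex");
}

// Encrypt a record locally; the returned object is all that leaves the campus.
function sealRecord(id, plaintext, keywords) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce per record
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", encKey, iv);
  cipher.setAAD(Buffer.from(id, "utf8")); // bind the ciphertext to its record id
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { id, iv: iv.toString("base64"), ct: ct.toString("base64"),
           tag: cipher.getAuthTag().toString("base64"),
           tokens: keywords.map(blindToken) };
}

// Decrypt after download; throws if ciphertext, tag or record id was altered.
function openRecord(rec) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", encKey,
                                        Buffer.from(rec.iv, "base64"));
  d.setAAD(Buffer.from(rec.id, "utf8"));
  d.setAuthTag(Buffer.from(rec.tag, "base64"));
  return Buffer.concat([d.update(Buffer.from(rec.ct, "base64")), d.final()])
    .toString("utf8");
}

// Hypothetical stand-in for the provider: holds opaque records, matches tokens,
// and never has either key.
class CloudStore {
  constructor() { this.records = new Map(); }
  put(rec) { this.records.set(rec.id, rec); }
  search(token) {
    return [...this.records.values()].filter((r) => r.tokens.includes(token));
  }
  dump() { return JSON.stringify([...this.records.values()]); }
}

function demo() {
  const cloud = new CloudStore();
  // Constructed sample records.
  cloud.put(sealRecord("doc-1", "Test results for antenna design", ["antenna", "test"]));
  cloud.put(sealRecord("doc-2", "Course syllabus", ["syllabus"]));
  const hits = cloud.search(blindToken("Antenna")); // search without decrypting
  let swapDetected = false;
  try { openRecord({ ...hits[0], id: "doc-2" }); } catch { swapDetected = true; }
  return { hitIds: hits.map((h) => h.id), plaintexts: hits.map(openRecord),
           swapDetected, leaksPlaintext: cloud.dump().includes("antenna") };
}

console.log(demo());
```

The tokens still show the provider which records share a keyword and how often a keyword is queried, so this trades some confidentiality for searchability. It demonstrates the technical point only and does not settle how any regulator treats encrypted data stored abroad.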

University-focused Examples
- Cloud mail
  - All email within a university handled by a cloud provider
  - Potentially a great cost savings from a maintenance perspective
  - How should sensitive information (e.g. FERPA, HIPAA, etc.) be handled?
  - Any additional implications?
- Cloud computing
  - Due to performance requirements, research within a department is moved to the cloud
  - Again, can sensitive information be processed in the cloud?
  - How can its access be controlled?

Legal Overview
T. Scott Cowperthwait
Shipman & Goodwin LLP
One Constitution Plaza, Hartford, CT 06103
(860) 251-5134
SCowperthwait@goodwin.com

Overview: Regulating Exports/Services Provided Through The Cloud
- International Traffic in Arms Regulations (ITAR)
  - Controls on military items and technology
  - Department of State, Directorate of Defense Trade Controls (DDTC)
  - Arms Export Control Act (AECA)
  - 22 CFR Parts 120-130
- Export Administration Regulations (EAR)
  - Controls on dual use goods and technology (items with both commercial and military utility) and purely commercial items
  - Department of Commerce, Bureau of Industry and Security (BIS)
  - Export Administration Act (EAA)
  - 15 CFR Parts 730-774
- Foreign Assets Control Regulations
  - U.S. economic embargoes (principally Cuba, Iran, and Sudan) and prohibitions on dealing with terrorists and drug traffickers
  - Department of the Treasury, Office of Foreign Assets Control (OFAC)
  - Various statutes and executive orders
  - 31 CFR Parts 500-597

Overview: Regulating U.S. Trade Controls Provided Through The Cloud
- Inherent conflict between export controls/economic sanctions and cloud computing
  - Export controls generally involve controls over the export of goods, technology and services
  - Economic sanctions generally seek to influence, alter and restrict international behavior through various financial and commercial restrictions against targeted activities, countries, governments, individuals and organizations
  - Cloud computing generally serves as a model for enabling network access to a shared pool of computing resources (National Institute of Science and Technology, NIST)
- Significant facilitation concerns exist regardless of applicable U.S. trade controls regulatory regime

ITAR: DDTC Jurisdiction and Guidance
- Essentially, goods or technical data with military uses, as defined by the International Traffic in Arms Regulations (ITAR)
- Defense Articles
  - Items or technical data on the United States Munitions List (USML)
  - Items not specifically enumerated on the USML but which have a substantial military utility and have been specifically designed or modified for military purposes
  - Technical data: Information required for the design, development, manufacture, operation, and maintenance of items on the USML
- Defense Services
  - Furnishing assistance to foreign persons in the design, development, manufacture, operation, maintenance, or demilitarization of items on the USML

ITAR: DDTC Jurisdiction and Guidance
- Guidance: DDTC has provided no formal written guidance on the application of the ITAR or DDTC's enforcement policies to cloud computing
- Defense Trade Advisory Working Group (DTAG) on Cloud Computing
  - The ITAR does not adequately address intangible transfers or use of the Cloud as a storage method
  - The ITAR does not address the use of encryption as an adequate means for the transmission or storage of ITAR controlled technical data in the Cloud

EAR: BIS Jurisdiction and Guidance
- Dual use items: items that have both commercial and military or proliferation applications
- Short supply items
- Subject to the EAR
  - Items in the U.S.
  - U.S. origin items wherever located
  - U.S. origin items incorporated into foreign made products unless de minimis
  - Not items exclusively controlled for export or re-export by other agencies, e.g. DDTC
- Classified on CCL or as EAR99
- Guidance: BIS has issued two Advisory Opinions (2009 and 2011) on the application of the EAR and BIS's enforcement policies to cloud computing
  - 2009 Advisory Opinion: Provision of cloud computing services is not an export
  - 2011 Advisory Opinion: Cloud computing service providers employing foreign person IT staff are not deemed exports

EAR: BIS Jurisdiction and Guidance
2009 Advisory Opinion addressed five questions:
1. Whether grid and cloud computing services, in the absence of any transfer of software or technology subject to the EAR, is subject to the EAR under part 734;
2. Whether grid and cloud computing services constitute an "activity unrelated to exports" under section 744.6 of the EAR;
3. Whether grid and cloud computing service providers are "exporters" of any derivative data resulting from the use of the computational capacity and liable for export screening on that basis alone;
4. Whether computational access restrictions found in section 740.7(b)(2) of License Exception APP apply to grid and cloud computing service providers; and
5. Whether the grid or cloud computing service provider must inquire about the nationality of the customer (or user).

EAR: BIS Jurisdiction and Guidance
2009 Advisory Opinion key conclusions:
- Providing computational capacity (cloud computing services) is not by itself an export subject to the EAR
- Shipping or transmitting controlled software or technology to a foreign destination, or a foreign person in the U.S., to enable cloud computing (e.g., manuals or instructions) or technical services to show a user how to access and use the computational capacity of a cloud is an export and subject to the EAR
- Transmitting controlled software or technology to and from the cloud is an export and subject to the EAR
- Cloud computing service providers in the U.S. are generally not the exporter under the EAR
- Cloud computing users not located in the U.S. are generally not the exporter under the EAR

EAR: BIS Jurisdiction and Guidance
- 2011 Advisory Opinion focused on whether cloud computing service providers are required to obtain deemed export licenses for their foreign national information technology (IT) administrators who service and maintain their cloud computing systems
  - Cloud computing service provider did not monitor or screen user generated content stored and/or shared in the cloud
  - Cloud computing service provider acknowledged that certain data stored in the cloud may constitute EAR controlled technology
- Key conclusion: Cloud computing service providers are not exporters and therefore not required to obtain deemed export licenses for non-U.S. person IT administrators

Economic Sanctions: Jurisdiction and Guidance
- The U.S. adopts and maintains economic sanctions for a variety of diplomatic, criminal enforcement, economic, humanitarian, and national security reasons
- OFAC is the primary regulatory authority that administers the U.S. sanctions program, which applies to a wide variety of transactions involving:
  - Targeted countries and foreign governments (Cuba, Iran, Sudan, or Syria)
  - Organizations
  - Individuals (Specially Designated Nationals and Blocked Persons list)
  - Activities (exports, reexports, imports)
- Guidance: OFAC has provided no formal written guidance on cloud computing, but

Economic Sanctions: Jurisdiction and Guidance
- OFAC issued guidance on its licensing policy concerning exports to Iran of software and services incidental to personal communications
  - General License D permits the export to Iran, free of charge, of software and services that permit and facilitate personal communications. For example: messaging clients, non-fee-based Skype, Web browsers, document readers, personal cloud storage, etc.
- OFAC sanctions may limit or restrict the export or reexport of any goods, services, software or technology from the U.S. to an embargoed country (e.g., Cuba, Iran, Sudan or Syria) or targeted person (e.g., SDNs or Blocked Persons), as well as the ability to provide cloud computing services in sanctioned countries or to sanctioned entities
- Prohibition on facilitation, acting on behalf of or assisting in a transaction that is in violation of U.S. economic sanctions, presents a compliance risk

BIS Guidance
Randy Wheeler, Director
Department of Commerce, Bureau of Industry and Security
Information Technology Controls Division
Ph: 202-482-5303
E-mail: catherine.wheeler@bis.doc.gov

Cloud Computing
- As electronic data transmissions, cloud services are an extension and variant of longstanding services and technology.
- Cloud applications renew focus on a number of regulatory issues that have arisen in other contexts.
  - When is technology or software released?
  - When is technology or software exported?

New Issues
- What is new is that cloud provider resources (servers and storage) may be in one or more countries.
- Data is moved within provider infrastructure for technical reasons (e.g., resource availability, power consumption, etc.).
- Data may be processed and relocated dynamically without the immediate knowledge or control of the service user.

Cloud Computing and U.S. Export Controls
- Under a traditional interpretation of definitions in the regulations, U.S.-origin technical data transmitted across national borders within a cloud infrastructure or to a non-U.S. cloud service provider is subject to U.S. export and reexport controls.
- Consider parties to a transaction in a cloud context

Deemed Export Implications
- U.S.-origin technical data that is released to a non-U.S. national who is an employee of a cloud service provider is subject to U.S. deemed export and reexport controls.
- Incidental exposure

Cloud Computing Issues
- Determining appropriate definitions and regulatory applicability for exports in the context of cloud services
  - Is technology released to a foreign cloud services provider?
  - Is data storage abroad an export to the foreign country?
  - Is use of encryption relevant as a regulatory matter?
  - How should foreign technology stored in the United States be treated?
- Determining regulatory treatment of software as a service offerings

University Compliance
Patrick Schlesinger, Assistant Vice Chancellor, UC Berkeley
& Will Metcalf, Director of Export & Secure Research Compliance, University of Louisville

Best Practices
- Determine if any or all of data is subject to export control, and if stored or routed outside the U.S., or exposed to foreign nationals, if it would constitute an export that requires a license;
- Determine the physical routing and destination of any export controlled technical data uploaded to the cloud in order to know whether export restrictions or licensing requirements apply;
- Seek assurances from providers that any export controlled data will be located entirely on U.S. servers, and that it will not be accessible by foreign nationals employed by the providers, including specific contractual provisions in service level agreements;
- Even with assurances or contractual commitments, exercise continuing diligence regarding any indication that export controlled data is being maintained, or routed, outside the U.S. or made accessible by foreign nationals;

Continued
- Be aware that cloud deployment of software utilizing or enabling certain types of encryption, or some types of networking technologies, can trigger export restrictions and licensing requirements not present when running that same software on a local network or U.S. located private cloud;
- When unsure of the export implications of a cloud service arrangement, consider seeking a license under the EAR (or determining if a license exception applies) for single or multiple transactions involving potential exports of such data from the cloud;
- Impose restrictions on creation of copies of data by cloud service providers, and require that providers delete all copies (including backups) of such data once cloud services are terminated;
- Review and modify export compliance policies and practices, and technology control plans, and inform and update employees on export issues arising from use of cloud services; and

Continued
- Ensure that cloud service agreements address the respective responsibilities of the parties for export compliance, and the penalties and other consequences of failure to comply with applicable export laws.
- Understand all the terms of the cloud service provider agreement that you are subject to.
- Increase the security of your data by adding passwords or encryption to access.
- Before entering into an agreement with a cloud provider, check with the University Technology Transfer department to see what resources are already available.

Thank You! Questions?