I have in earlier posts told you that I am currently working at the commercial military department at GKN Aerospace, and since I am part of the International Graduate scheme I will be at this department until the end of March. That means that I am right in the middle of the export control project that I am currently managing. The project is going forward and we're in a stage where the project team is mapping the current state and future state of the processes, meaning that we look at how it is today and compare it with how we want it to be, with a focus on export control and how the information flows through the company. This way we can identify holes in the processes that we need to fill, risks that we need to eliminate and unnecessary work that we can cut away. It is a great experience and sometimes a challenging task to manage a project.
Export control is a complex area that I am slowly beginning to navigate. On Monday the 9th of January the export control society had invited its members to attend a one-day education held by Scott Gearity. Scott has worked within the field of export control for over 20 years and has during that time educated and helped many companies and many people to get a better understanding of the complex, but very important, regulations that surround us who work with export control. The education was held in the Odd Fellow's building in Stockholm, a very old and beautiful building constructed in the 1620s. The education focused on EAR (the European regulation) and ITAR (the American regulation) within the fields of crypto and the licenses and agreements that exist.
He brought up many interesting questions, like how to handle the fact that more and more information is being stored in cloud-based storage options. Within the area of export control it is very important to keep full track of which piece of information ends up where and who handles it. A cloud can have servers in many countries and it is practically impossible to keep track of who handles the servers. If a person stores data in a cloud that has servers located in several countries, can this then be considered an export of information? And in that case, who is liable for that export?
The Commerce Department in the US decided that the server providers cannot be held responsible for that export, just as a phone company cannot be held responsible if one person decides to call another person and reveal classified information over the phone. Commerce also stated that it cannot be considered an export if a person sends, takes or stores data that is:
- Secured using end-to-end encryption
- Secured using cryptographic modules
- Not intentionally stored in a country listed in the D5 country group
The D5 list of countries contains the US Arms Embargoed Countries:
Afghanistan, Burma, Central African Republic, China, Cuba, Cyprus, Eritrea, Haiti, Iran, Iraq, Congo, North Korea, Lebanon, Libya, Somalia, Sudan, Syria, Venezuela, Belarus and Zimbabwe.