What Can Hold Up Your International Project?

Uploaded on 2020-06-05 in GOVERNMENT-National, FREE TO VIEW, BUSINESS-Services-Law, BUSINESS-Services-IT & Telecoms

The term “export controls” is enough to send most people either to sleep or running for the hills.  In the cybersecurity world it can have often unforeseen consequences. Let’s take a look at why this is. In Britain, Export Controls apply to cryptography in a very strange way and the impact can be overlooked until that unfortunate call that tells you your goods have been seized by customs.    By David Hayes
 
How the Controls Work
The easiest way to look at the controls is on a “catch and release” basis. 
Start by considering that any item that uses cryptography, effectively with a key length in excess of 56 bits, called a “described security algorithm” for “data confidentiality” is subject to export licensing.
 
It is tempting to dismiss this as being ridiculous – your phone would be export licensable! This is where the releases or “decontrols” come in.  Depending how they are counted, there are around fifteen separate decontrols. 
 
One of the main decontrols is what Americans call “mass market” and the UK calls the “Cryptography Note” or “Note 3”.  The American expression gives a clear indication of what the term means – it is sometimes informally called the “PC World test” in the UK.
 
There are many other, more specific, decontrols, ranging from items designed for a limited to banking or money transactions to devices limited to certain types of remote industrial monitoring. However, many items that cybersecurity professionals encounter daily are subject to export licensing, including many enterprise servers, firewalls, switches etc.
 
There are a number of assumptions that are made by exporters that often result in practical problems: 
  • I am only upgrading my employer’s global network – not selling the equipment, so I don’t need a licence.
  • I can buy this thing on the internet, so it must meet this Note 3 thing
  • It only uses readily available cryptography, like SSL
  • It’s my laptop and I’m carrying it with me

Only one of these, number four, means that the item does not require a licence.  Even then, any technology stored on the laptop, or accessed from overseas by using the clean laptop, may require a licence in its own right.

Note 3: Cryptography Note
The main provision of the Note relates to items that are generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:
  • Over-the-counter transactions;
  • Mail order transactions;
  • Electronic transactions; or
  • Telephone call transactions;
There are other elements, relating to whether the cryptography can easily be changed and to ease of installation but availability is the primary driver.
 
Different EU regulators take very different positions on the cryptography note, with some offering significantly more flexibility to exporters than others. The note is notoriously subjective and the UK’s interpretation is equally notoriously conservative, e.g. most satellite communications items are regarded as being export licensable. 
 
In classifying or decontrolling under Note 3, or more specifically the so-called “Note to Note 3”,  a regulator can take into account any factors it considers relevant - in essence, if the regulator wants an item to be controlled it is controlled.  Factors that may be considered include price and typical user - but not in isolation and not on a level playing field between products.  Product A at £10k may be ruled No Licence Required (NLR) under Note 3, while product B at £7k is ruled controlled, depending on the position of each in the market for that type of product and who are the typical purchasers of each.
 
Cryptography Exports – A suggested approach
Firstly, develop an understanding of your equipment, software and technology against the dual-use control list.  The current UK list can be found at: UK Strategic Export Control Lists
 
Look at Category 5, Part 2 Information Security: If you have a need to export from the UK items that use cryptography with a key length in excess of 56 bits, start from the position that, prima facie, these are export controlled. Can you document a rationale for why the item you are assessing meets a decontrol? If not, your item is licensable.  It may be that you are upgrading your own company infrastructure or exporting temporarily to a trade fair or a multitude of other “innocent” uses; it matters not! 
 
When exporting cryptography, a major arms manufacturer, a supermarket company and the world’s largest manufacturer of rubber ducks are all equals.
 
Finally, when dealing with the plethora of cryptographic items exported from the United States as “mass market”, or with a US Export Control Classification Number of 5*992 (where * is A-E), it is NOT safe to assume that the UK regulator will agree with the US decision.  You may well need a licence. Don’t forget that US origin items are often subject to US law outside the US.  US law ‘attaches’ to the item and compliance with US law by foreign nationals is expected and enforced.
 
David Hayes has many year’s experience in export controls, from the varied perspectives of regulator, Head of Compliance for global companies and is a highly as a successful independent consultant:  https://davidhayes-exportcontrols.com/
 
You Might Also Read:
 
Killer Robots For Export:
 
 
« US Police Display Powerful New Surveillance Tools
Taiwan's Entire Population Database Stolen »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

General Dynamics Information Technology (GDIT)

General Dynamics Information Technology (GDIT)

General Dynamics IT delivers cyber security services to defend critical information and infrastructure.

Mi-Token

Mi-Token

Mi-Token is an advanced two-factor authentication solution that offers unparalleled security, flexibility, cost-effectiveness and ease of use.

Lutech

Lutech

Lutech is an Italian ICT engineering and services company. Business solution areas include cyber security.

Karlsruhe Institute of Technology (KIT)

Karlsruhe Institute of Technology (KIT)

KIT is a leading research and education institutions with strong capabilities in information systems and security.

eResilience

eResilience

eResilience is a division of Referentia Systems, a pioneer in an ultra-secure information safeguarding technique known as “Enclaving”, in which data can be segmented and protected within a network.

Digital Beachhead

Digital Beachhead

Digital Beachhead has the expertise to provide a range of Cyber Risk Management and other Professional Services with specifically tailored solutions at competitive prices.

Akito

Akito

Akito was set up to become a point of reference in the ICT market for issues related to Security and in particular Cyber Security.

ARIA Cybersecurity Solutions

ARIA Cybersecurity Solutions

The ARIA ADR Automatic Detection & Response solution was designed to find, verify, and stop all types of attacks - automatically and in real time.

Input Output (IOHK)

Input Output (IOHK)

IOHK is one of the world's pre-eminent blockchain infrastructure research and engineering companies.

Retruster

Retruster

Protect your users against phishing emails, ransomware & fraud with the most advanced, user-friendly, non-intrusive solution available.

FortiGuard Labs

FortiGuard Labs

FortiGuard Labs is the threat intelligence and research organization at Fortinet. Its mission is to provide Fortinet customers with the industry’s best threat intelligence.

Onyxia Cyber

Onyxia Cyber

Onyxia's unique dynamic cybersecurity platform identifies gaps and prioritizes recommendations for proactive cybersecurity strategy, performance, remediation and management.

Technoware Solutions

Technoware Solutions

Technoware Solutions is a global company committed to helping entities navigate the digital waters of modernizing their system processes in an ever changing cybersecurity landscape.

PDQ

PDQ

PDQ helps IT professionals to manage and organize hardware, software, and configuration data for Windows- and Apple-based devices.

SentryMark

SentryMark

Stay a Step Ahead of Emerging Threats. Deviate from the traditional siloed defenses and get the proactive and responsive cybersecurity solutions and services you deserve with SentryMark today.

Hicomply

Hicomply

Hicomply simplifies compliance management with smart, user-friendly tools, helping you scale your processes and stay in control - no matter how complex.