- Export Administration Regulations (EAR)
- International Traffic in Arms Regulations (ITAR)
- Federal Acquisition Regulations (FAR and DFAR)
- Office of Foreign Assets Control (OFAC)
- Foreign Corrupt Practices Act (FCPA), Sanctions, and Anti-boycott
- Visa Sponsorships
- University Export Compliance
- Internal and External Threat Analysis
In the past, only businesses that supported military (such as ITAR) technology and economic restrictions (such as EAR) had to deal with U.S. export regulations. That is no longer the case.
The complex export control regimes have been expanded over time to cover many items and technologies that once were freely exchanged. In response, governments, companies, and people, both foreign and domestic, have become highly sophisticated at “economic espionage,” whereby they acquire the intellectual property that “makes” controlled items, and even foundational and emerging technology before it becomes subject to export restrictions.
We don’t have to worry about economic espionage in my small business, do we?
Most people do not appreciate that economic espionage is prevalent in our society. There are so many “gaps” in the law and company protections that stealing intellectual property is easy.
There is no need to steal an item, just steal the plans. If they cannot steal the plans, they just get the plans for the individual parts. Or, they hire your employees with incentives to bring your intellectual property with them. Or, they send their employees to apply for work at your company to steal your company secrets. Or, they will simply purchase your product or trade secrets before you realize that your information is controlled technology (thus also making you liable for export violations). More than ever, a bad actor will invent a product that secretly has spying and recording capabilities and sell it to the mass market (see drone spying software and Huawei).
In response to this, the federal government has expanded export regulations dramatically over the last ten years from merely military defense to now also include economic defense. Further, the government has increased scrutiny of the worker Visa program to address abuse of the program.
I don’t have to worry about restricted persons, do I?
Every day, hundreds of new people, new companies, and even governments are added to the various U.S. restriction lists. It may even be legal to exchange some info with a listed party but not all info. A business owner may not employ persons or companies on those lists without permission from the U.S. Government. The FCPA list consists of companies that are not restricted but have been cited for corruption such as bribery or theft. It may or may not be illegal to hire or host persons on that list, but a business or University should assess how this affects risk, audit violations, and public perception. One recent audit found 1% of all persons applying to a company for employment were either on the Restricted Party List, the FCPA list, or had fraudulent background info to conceal existing employment contracts with bad actors.
What is a typical computer export regulation that may affect me?
Take, for example, the DFARS 7012 clause (which became prevalent after December 31, 2017). It makes all information about the project “Controlled,” requiring your I.T. systems (and email system) to be compliant with the hyper-complicated NIST 171 protocols.
What type of sharing agreements could be indicative of foreign theft and spying?
One example is “mirror labs” or one-way contracts where, in the fine print, the U.S. company is required to freely exchange their company’s private information with a second lab abroad (and must sponsor Visa workers from that lab) but where the second lab does not have to reciprocate. Another example is where a company sponsors a non-U.S. worker but that person brings uncleared friends, family, and associates into your offices. Businesses must balance all of these regulations with the intent to be
The feds don’t care about minor, theoretical, export risk, right?
CFIUS, along with Homeland Security, the FBI, and many others, investigates possible export risks more than ever. All the new federal export restrictions, taken along with historically lax federal enforcement, often give people a belief that they are in a safe harbor and beyond federal prosecution. Nothing is further from the truth. This puts your company or University at significant risk for fines and penalties, and puts persons in jeopardy of significant prison time. In 2017, the federal government drastically increased funding to CFIUS, the government department tasked with auditing and investigating federal contractors.
If I don’t ask and don’t look, only the employee is at risk, right?
Nothing could be further from the truth. Willful blindness is not a defense. Export Control regulations are “strict liability” laws, meaning that if it happens, you are guilty. Intent, or lack of intent, is immaterial. Recently, one university accidentally mailed some hardware to another country and was fined $200,000, even though the hardware never made it to its non-U.S. recipient! Your company or University can and will be cited for violations, and people can, and do, go to prison. In fact, lack of auditing and oversight will reduce any likelihood of getting federal contracts. Conflicts of interest at companies and Universities must be addressed. Making money from a venture is a direct conflict of interest when the contract restricts how you must act or audit or control exports. Audit and compliance staff must be free to do their job and protect your entity without threat of losing their jobs if they actually do their job. This requires significant ethical standards and independence of leadership.
Since my University is “fundamental research” only, I don’t have to worry about export controls, right?
University environments make export controls hyper-complex. Often, many or even most of a University’s agreements have international exchanges. Universities, even those that strive to be “fundamental research” (non-export-controlled) institutions, still have export-controlled technology on campus and have limited means to stop persons on the restricted party list from getting access. Even if not, many items that may be legally purchased and used on a campus may not be shared via email or shipped abroad. This challenge is exacerbated by the fact that on some campuses, 70% of students in areas of high risk of theft are not U.S. persons, so any exchange of export-controlled items and tech (and even access to those items) becomes an “export.” All of these, taken together with the historically lax federal enforcement, often give people a belief that they are in a safe harbor and beyond federal prosecution. Nothing is further from the truth. This puts a University at significant risk for fines and penalties, and puts persons in jeopardy of significant prison time. Universities must balance all these risks, not only to their own financial security but also to the security of the U.S., along with the risk of violating contract terms, while also balancing human rights, free speech, international good will, the promotion of science, and the free exchange of fundamental ideas.