Exports of technology and items containing technical information are regulated by the United States government. United States export control regulations exist to help protect national security, economic, and political interests. United States defense industry companies manufacture products and develop technologies and information that the United States has a particular interest in protecting. Therefore, defense industry companies must comply with United States export control regulations when exporting items and information to their international partners and customers. An “export” not only includes shipments of hardware or other tangible assets to foreign end-users but also includes the sharing of certain types of information with foreign recipients in the form of phone conversations, emails, meetings, conferences, presentations, and so on. Many employees of defense industry companies travel internationally with company issued laptops and cellphones containing company information that could be viewed by foreign persons. All of these activities are considered exports and may require prior authorization from the United States government under export control regulations. Failure to follow export regulations could result in a violation requiring a report to the United States government that may result in civil penalties or criminal charges. Additionally, intentional as well as unintentional releases of information to certain foreign persons could be detrimental to a defense industry company’s business and reputation and may even result in security concerns for the United States. Although the government has an interest in regulating defense industry companies’ technology and information, critics argue that strong export control regulations may result in invasions of privacy, violations of free speech, and a displacement of the United States as a leader in a world of technological advancement. 
However, despite current regulations, defense industry information is still at risk of cyberattacks and inadvertent data releases, creating potential threats to national security and the security of company technology and information. In an effort to secure company and sensitive information while exporting, defense industry companies utilize encryption and other cybersecurity measures. Advancing technologies in cybersecurity can help the government and defense industry companies by bolstering the security of their information. These same advancements can also aid attackers in breaking through cybersecurity defenses. Some advances in technology are even preventing law enforcement from gathering necessary information to conduct investigations when cyber-attacks occur, making it difficult to identify criminal actors and seek justice. The United States government faces challenges in creating and updating regulations to keep up with consistently advancing technology. Likewise, defense industry companies must adhere to government regulations by creating robust compliance programs, but they should also implement security and compliance measures above and beyond what the government requires to ensure more effective security for their technology and information. This Article discusses the effect of advancing cyber technology; United States export regulations; reporting requirements related to the export of encrypted items; and encryption technology in the defense industry. First, the Article defines encryption and encrypted items. Second, the Article explains United States regulations of exports and specifically, regulations related to encryption and encrypted items. Third, the Article explains the need for defense industry companies to export and to use encrypted items. Fourth, the Article analyzes criticisms of export regulations and the differing views on United States controls.
Fifth, the Article will discuss the complexities of complying with export regulations and defense industry compliance programs. Sixth, the Article examines the outlook for encryption technology, the future of regulations related to cybersecurity, and the outlook for defense industry security measures and compliance with regulations.
The United States government is beginning to recognize the need for more advanced security measures to protect domestically produced technology and information, especially information that puts national security at risk. Specifically, the technology and information produced by United States defense industry companies should be protected from getting into the hands of our foreign adversaries at all costs. In response to the growing need for security measures, the United States government has implemented new programs, commissions, agencies, and projects to create more robust security systems and regulations. The United States should employ the most talented and experienced cybersecurity professionals to innovate and produce security systems that protect our nation’s most sensitive information. The government should then provide these systems to its defense industry companies at minimal cost and should require companies to use the best technology in its security measures.
With or without the government’s assistance, defense industry companies within the United States must also implement their own measures of protection. Current policies offer little protection of sensitive and export controlled information including encrypted items and information. In addition, the government should also provide the defense industry companies better guidance and access to resources in order to assist them in protecting the important information and encrypted items. For example, any new systems or software purchased by the United States should be made available to defense industry companies as the standard. If the government truly wishes to protect its most important technology and information, it should provide the new systems at minimal cost to the defense industry. Advancements in security programs should be shared with defense industry companies as soon as they are available and ready for use. Nevertheless, the government may not want to provide defense industry companies with the best security technology because in the event that the government needs to conduct an investigation, a company utilizing strong cybersecurity and encryption software is much more difficult to investigate.
Alternatively, the United States could update current regulations to require that defense industry companies must utilize specific security measures or face a penalty for failing to do so. Such regulation could require defense companies to implement more robust security programs with updated security software. This is a less effective solution as the advancement in cyberattack technology increases so rapidly, and reformed regulations will likely be outdated as soon as they are implemented. It makes more sense to require that defense companies must implement the most updated software and programs determined by government security experts and cyber-security experts. Also, by allowing defense companies to decide which security companies it will work with, the defense companies obtain the option to shop for the best and most expensive program, or the company could choose the cheapest option, resulting in less efficient security. Cybersecurity regulations that are too specific run the risk of being outdated quickly, whereas broad requirements leave the option for companies to implement the lowest of security measures.
Even if the government declines these suggested measures, defense industry companies should make the protection of their sensitive information and encrypted items top priority. This method would require complete buy-in from the senior management within the company and a thorough flow-down of cultural beliefs among its employees. A change in norms must be implemented, and defense industry personnel should be inundated with reminders on the importance of information security. Companies should provide employees with easy access to guidance, training, and assistance in handling, sharing, protecting, and exporting sensitive and export controlled information. Changing company culture takes time, and failure to change personnel beliefs will result in a lack of understanding and potential violations of export control regulations. In the worst cases, data spills and cyberattacks could result in the loss of sensitive or even classified information that could jeopardize national security. Huge unauthorized data releases of sensitive information will negatively affect a company’s reputation thus affecting its ability to generate revenue.
The risks in using and exporting encryption technology and sensitive information should be a major concern for defense industry companies. This concern should motivate the government to invest significant resources into compliance programs. Resources such as dedicated and qualified personnel can create policy and procedure to ensure compliance with United States government regulations, and the procedures will provide guidance and training to all employees. In addition, companies should employ IT security, data security, and counterintelligence personnel to work with the compliance team in innovating preventive measures and in addressing any potential data releases and export violations. Immediate actions and counter measures should be prioritized not just among the compliance and security teams but should be a known, expected response from all employees. In other words, cybersecurity norms should be instilled company-wide and thoroughly policed from within the company. How a company chooses to implement such measures remains discretionary, but a better resourced compliance department dedicated to implementing effective policies and responding quickly to potential issues will prevent export control violations and data releases of important information. Defense industry companies transfer export controlled information that may subject the United States to security risks. The United States responds to this risk by implementing regulations to control the high-risk exports. Defense industry companies must comply with these regulations. Therefore, defense industry companies should approach exports and cybersecurity from the standpoint that technology is always advancing—failure to simultaneously advance security and compliance measures will leave the country and the company vulnerable to attack.
Rose Richerson Eichler,
Cybersecurity, Encryption, and Defense Industry Compliance with United States Export Regulations,
Tex. A&M J. Prop. L.
Available at: https://scholarship.law.tamu.edu/journal-of-property-law/vol5/iss1/2