"Rule Change to Ease Export Controls in the Cloud" (Compliance Week)
John Eustice commented on new amendments to U.S. export control regulations that affect licensing requirements when data or software is stored or transmitted in the cloud. The State Department's Directorate of Defense Trade Controls (DDTC) and the Department of Commerce's Bureau of Industry and Security (BIS) rules amend the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR). With respect to encryption standards, DDTC strictly requires certification by the National Institute of Standards and Technology (NIST), while BIS allows alternative approaches. "It's basically saying, 'Buyer beware,'" Eustice said. "If you're going to use encryption outside the [NIST] standard, it better work is what they're saying."
Companies can inadvertently violate U.S. export laws under the proposed rules if a foreign person gains access to controlled data in the cloud. Specifically, the rules state that sending or releasing encrypted data would trigger an export control violation. What the rules don't discuss is standards for password security, "which is kind of like closing the back door but leaving the front door wide open," Eustice said. Cloud users need to get certification from the cloud service provider. "Having seen some of these contracts, some of them are ridiculously simplified, and they need to cover a little more area," he added.
Until the proposed rules, little guidance had been issued on cloud computing and export control violations. Enforcement action on this front has been non-existent, which is "not necessarily surprising, given that a lot of that stuff happens behind closed doors through internal investigations," Eustice said.