Access Denied: How Export Controls Are Hurting IT Security

Updated: August 20, 2012

It's a post-9/11 reality: Most countries have enacted export-control laws that prohibit the unlicensed transfer of technologies and technological information to specific nations. Controls usually arise because a government believes that the export has actual or potential military applications. Governments are particularly concerned about how a specific country, organization or individual may use a product or service. Many nations are worried, for example, that terrorist groups may use sophisticated encryption software to establish secure communication networks with members around the world.

As the world's technology leader, the U.S. has strong technology-export controls governing the shipment of certain technologies and related information to places such as Cuba, Iran and North Korea. Other major technology-producing nations, including Japan, South Korea and the United Kingdom, have also enacted stringent technology-export laws.

Rules of the Game

In the U.S., export restrictions are generally based on the technological capabilities of a particular product or service, as well as the location and nationality of the intended user. Therefore, many high-tech products and services can't be exported without government approval.

Incidentally, the term "export" refers not only to technology leaving the nation's shores, but also to providing items to an individual other than a U.S. citizen or permanent resident within the United States — a practice the government describes as a "deemed export." Even a discussion with a foreign researcher or student in a campus laboratory can be considered a "deemed export."

Benefits and Drawbacks

U.S. technology-export controls cover a wide range of products, services and intellectual property, including computers, applications, operating systems, security devices and even ideas for better securing systems and data.

Encryption products are an export-control hotspot, particularly for firms working on IT security technology products and services. In fact, special restrictions apply to encryption products, software and technologies. The U.S. Departments of State, Treasury and Commerce maintain lists of companies, organizations and individuals with which U.S. companies are prohibited from trading. Encryption-software vendors — as well as the makers of various other products with potential military or terrorist applications — are required to screen all export sales against these lists. Sales to Cuba, Iran, North Korea, Sudan and Syria are completely forbidden.

A major downside to technology-export controls is the way the rules hinder the research and development of security technologies. Export controls preclude the participation of all foreign nationals in research that involves covered technology without first obtaining licenses from the appropriate government agencies — a difficult, time-consuming and sometimes fruitless undertaking.

Export controls can also stifle competition by making it more difficult for U.S.-based security-technology vendors to sell their wares in the international market. U.S. security vendors are, for example, forbidden to sell any type of technology to Cuba. Meanwhile, competitors in Western Europe and most other technologically advanced nations are not only free to market their offerings in Cuba, but are often actively urged to do so by their governments.

U.S. security-technology companies are also often frustrated by the sheer amount of paperwork and coordination they face when shipping their products internationally. Technology-export controls are supervised by an array of government organizations. The U.S. Bureau of Industry and Security, the Directorate of Defense Trade Controls, the Office of Foreign Asset Controls, the Bureau of Customs and Border Protection, the Departments of Defense and Homeland Security, and the U.S. Congress all play roles in creating, maintaining and enforcing technology-export controls.

The situation isn't entirely gloomy, however. Technology-export controls actually work to enhance IT security by keeping potentially dangerous technologies out of the hands of hostile governments, organizations and individuals that may wish to harm U.S.-based computer systems. In a world that at times seems on the brink of Armageddon, the last thing most Americans want is enemy forces equipped with high-performance computer, network and telecommunications technologies capable of crippling the nation's technology infrastructure.
