Access Denied: How Export Controls Are Hurting IT Security

Updated: April 30, 2009

It's a post-9/11 reality: Most countries have enacted export-control laws that prohibit the unlicensed transfer of technologies and technological information to specific nations. Controls usually arise because a government believes that the export has actual or potential military applications. Governments are particularly concerned about how a specific country, organization or individual may use a product or service. Many nations are worried, for example, that terrorist groups may use sophisticated encryption software to establish secure communication networks with members around the world.

As the world's technology leader, the U.S. has strong technology-export controls governing the shipment of certain technologies and related information to places such as Cuba, Iran and North Korea. Other major technology-producing nations, including Japan, South Korea and the United Kingdom, have also enacted stringent technology-export laws.

Rules of the Game

In the U.S., export restrictions are generally based on the technological capabilities of a particular product or service, as well as the location and nationality of the intended user. Therefore, many high-tech products and services can't be exported without government approval.

Incidentally, the term "export" refers not only to technology leaving the nation's shores, but also to providing items to an individual other than a U.S. citizen or permanent resident within the United States — a practice the government describes as a "deemed export." Even a discussion with a foreign researcher or student in a campus laboratory can be considered a "deemed export."

Benefits and Drawbacks

U.S. technology-export controls cover a wide range of products, services and intellectual property , including computers, applications, operating systems , security devices and even ideas for better securing systems and data.

Encryption products are an export-control hotspot, particularly for firms working on IT security technology products and services. In fact, special restrictions apply to encryption products, software and technologies. The U.S. Departments of State, Treasury and Commerce maintain lists of companies, organizations and individuals with which U.S. companies are prohibited from trading. Encryption-software vendors — as well as the makers of various other products with potential military or terrorist applications — are required to screen all export sales against these lists. Sales to Cuba, Iran, North Korea, Sudan and Syria are completely forbidden.

A major downside to technology-export controls is the way the rules hinder the research and development of security technologies. Export controls preclude the participation of all foreign nationals in research that involves covered technology without first obtaining licenses from the appropriate government agencies — a difficult, time-consuming and sometimes fruitless undertaking.

Export controls can also stifle competition by making it more difficult for U.S.-based security-technology vendors to sell their wares in the international market. U.S. security vendors are, for example, forbidden to sell any type of technology to Cuba. Meanwhile, competitors in Western Europe and most other technologically advanced nations are not only free to market their offerings in Cuba, but are often actively urged to do so by their governments.

U.S. security-technology companies are also often frustrated by the sheer amount of paperwork and coordination they face when shipping their products internationally. Technology-export controls are supervised by an array of government organizations. The U.S. Bureau of Industry and Security, the Directorate of Defense Trade Controls, the Office of Foreign Asset Controls, the Bureau of Customs and Border Protection, the Departments of Defense and Homeland Security, and the U.S. Congress all play roles in creating, maintaining and enforcing technology-export controls.

The situation isn't entirely gloomy, however. Technology-export controls actually work to enhance IT security by keeping potentially dangerous technologies out of the hands of hostile governments, organizations and individuals that may wish to harm U.S.-based computer systems. In a world that at times seems on the brink of Armageddon, the last thing most Americans want is enemy forces equipped with high-performance computer, network and telecommunications technologies capable of crippling the nation's technology infrastructure.

Related Categories
Featured Research
  • Securing Enterprise Information Technology

    In the 1980s and 1990s, business applications and data were largely confined within and protected by a Local Area Network (LAN). The 2000s introduced a significant change. Download this white paper now to learn why the shift to the cloud is changing how companies think about and manage their IT infrastructure. more

  • Office365 Adoption eGuide

    Microsoft moved to the cloud in 2014, and, as a result, Office 365 is taking off. Now, Okta customers are connecting to Office 365 in increasing numbers. This eGuide explains why IT departments should plan and deploy solutions around identity and mobility management in concert with their Office 365 roll out to get maximum user adoption. more

  • Okta Directory Integration

    For most companies, Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) play a central role in coordinating identity and access management policies. When on-premise applications are integrated to Active Directory or LDAP, users get the best possible experience. That's why Okta's cloud-based identity and access management service provides a highly useful single integration point. more

  • Top 8 Identity and Access Management Challenges with Your SaaS Applications

    With more and more businesses adopting Software-as-a-Service (SaaS) applications, enterprise IT is fundamentally changing. This whitepaper presents the eight biggest Identity and Access Management (IAM) challenges associated with adopting and deploying cloud and SaaS applications, and discusses best practices for addressing each of them. more

  • Better BYOD with Pulse Secure and MDM Partners

    Learn how Pulse Secure and leading MDM product partners are transforming the way employees and IT benefit from the productivity and flexibility of BYOD — without compromising security or increasing management complexity. more