If you work in the aerospace and defense industry, you’ve almost certainly heard of the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR). These U.S. regulations strictly control the import and export of defense-related equipment, software, and technology. With complicated rules and time-consuming compliance requirements, the ITAR and EAR pose a challenge for every organization that does business with the U.S. military.
But it’s not just companies working directly with the U.S. military that need to care about these regulations. You need to consider ITAR and EAR requirements if any of the following are true:
- Your company is part of the global supply chain for an organization that works with the U.S. military. This includes suppliers who develop military components for larger aerospace and defense organizations. It can also include suppliers involved in non-manufacturing activities, such as translating manuals and designing product brochures.
- Your (non-U.S.) company sends defense-related information to U.S. recipients, even if the information was developed completely outside of the U.S.
- You are an individual who decides to start selling on eBay the military equipment that your brother stole from the U.S. Marine Corps (see story here, and eBay export control regulations here).
The consequences for non-compliance are high: fines, possible jail time, and potential debarment from exporting defense articles (a business killer for any aerospace and defense company).
So where do you start?
It may help to think of ITAR and EAR regulations as being similar to airport security regulations. Everyone hates airport security, just like no one particularly enjoys complying with ITAR and EAR. But the stakes are high: public safety, national security, and in some cases, global security.
With millions of travelers passing through airport security each day, the potential for security violations is high. Likewise, with employees exchanging technical information through electronic media such as email and web sites, the possibility of ITAR and EAR violations is enough to keep most export control officers up at night. As one ITAR official said about her company, “We have 91,000 potential violations per day – otherwise known as employees.”
The only scalable way to enforce the regulations is to involve the users. By starting with the user, you can drastically cut down on the number of inadvertent policy violations.
Airport security measures provide us with important lessons for how to do this:
- Educate users up front. Throughout the airport, prominent signs remind travelers what they can and can’t bring in their luggage. Travelers are given several chances to remove any forbidden items before they enter the security line. Similarly with export control, users can be reminded before they send an email or document that they need to comply with export policy. This provides users with an opportunity to fix any problems before the information is sent.
- Allow users to identify sensitive content. Maybe you really do need to bring that firearm to your next destination. But to avoid fines and a possible criminal charge, you had better identify your restricted luggage contents before you check your baggage. Similarly, there are many reasons why you may need to send export-controlled information through email or web collaboration tools. For example, your organization may need to communicate design details to multiple suppliers involved in a military project. That information needs to be properly identified and marked to establish that it is export controlled and requires special handling.
By involving the user up front, it is now easier to take the following steps to enforce policy downstream in the process:
- Apply special handling based on the content. Once the traveler has identified their restricted content, special handling rules can be applied. In the firearm example above, there are specific rules for how the firearm must be packaged and transported. Similarly, restricted content in email and documents can be given special protection, such as encryption and digital rights management.
- Examine the sender and destination. Before you fly, your name is checked against the No Fly list. You will also be asked about your destination – where you are going, where you’re staying, the purpose of your trip. Similarly, with export control, you can enforce policy based on both the sender and recipient. Does the sender have clearance to send this export-controlled information? Are any of the recipients a “foreign person”? Is the email going to a high-risk destination?
- Use technology to catch mistakes and intentional violations. It’s not enough to rely on the user 100%. People make mistakes, and sometimes they intentionally violate policy to achieve their goals. That’s why it’s not enough to declare that you are carrying no restricted items in your luggage; your luggage has to be screened by machines. It’s the same with export control; there is still a role for automated scanning of email and documents to detect restricted content before the information is sent. This serves as an extra check for the user, and deters malicious users from intentionally violating policy.
- Audit user behaviour. Just as a traveler’s travel history can be used to assess risk, an employee’s behaviour while handling email and documents can identify unusual activities and/or opportunities for education. By involving the user up front, you can also avoid the excuse of “I didn’t know” and make the user more accountable for their actions.
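
The downstream checks in the list above (marking, sender and recipient, automated scanning, audit) can be sketched as one outbound-mail policy function. This is an added example, not code from the original post or from any Titus product; the marking syntax, scanner terms, addresses and domains are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Everything below (marking format, terms, addresses, domains) is constructed for illustration.
MARKING = re.compile(r"\b(?:ITAR|EAR)[ -]CONTROLLED\b", re.I)   # marking applied by the user
SCAN_TERMS = re.compile(r"\b(?:technical data|design details|defense article)\b", re.I)
CLEARED_SENDERS = {"engineer@prime.example"}        # senders allowed to send controlled data
US_PERSON_RECIPIENTS = {"buyer@supplier.example"}   # recipients verified as not "foreign persons"
HIGH_RISK_DOMAINS = {"highrisk.example"}            # stand-in for a high-risk destination list

@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str

def evaluate(msg, audit_log):
    """Return (action, reasons) for an outbound message and record the decision."""
    text = f"{msg.subject}\n{msg.body}"
    marked = bool(MARKING.search(text))        # user identified the content up front
    suspected = bool(SCAN_TERMS.search(text))  # automated scan as the extra check
    reasons = []
    if not marked and suspected:
        reasons.append("unmarked content matched scanner terms")
    if marked or suspected:
        if msg.sender.lower() not in CLEARED_SENDERS:
            reasons.append("sender not cleared")
        for r in msg.recipients:
            domain = r.rsplit("@", 1)[-1].lower()
            if domain in HIGH_RISK_DOMAINS:
                reasons.append(f"high-risk destination: {r}")
            elif r.lower() not in US_PERSON_RECIPIENTS:
                reasons.append(f"recipient not verified as U.S. person: {r}")
    # Properly marked mail that passes every check gets special handling (encryption).
    action = "block" if reasons else ("encrypt" if marked else "allow")
    audit_log.append({"sender": msg.sender, "action": action, "reasons": reasons})
    return action, reasons
```

The audit log records every decision, including allowed mail, so that unusual patterns and education opportunities can be reviewed later.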
Let’s not kid ourselves: ITAR and EAR compliance, just like airport security, is not easy and it’s not cheap. But when you involve the user, you have the potential to dramatically lower the cost and increase the effectiveness of your compliance program.
In my next post, I will discuss specific technologies for how you can involve your users in your export compliance program. In particular, I will show how Titus security and compliance solutions address each of the items above, to provide a low cost, high impact solution that reduces your ITAR and EAR risk.