Where Industry and Security Intersect
What's New | Sitemap | Search
Maintaining the secrecy of information is the fundamental function of encryption items. Persons abroad may use such items to harm U.S. law enforcement efforts, as well as U.S. foreign policy and national security interests. The U.S. Government has a critical interest in ensuring that persons opposed to the United States are not able to conceal hostile or criminal activities, and that the legitimate needs for protecting important and sensitive information of the public and private sectors are met.
For this reason, when dual-use encryption items were transferred from the United States Munitions List to the Commerce Control List (CCL) on December 6, 1996 , a foreign policy reason for control, Encryption Item (EI), was imposed on these items. A license is required to export or reexport EI –controlled items (classified under ECCNs 5A002, 5D002 and 5E002 on the CCL) to all destinations except Canada . All items controlled for EI reasons are also controlled for National Security (NS) reasons.
Most EI-controlled items are eligible for export and reexport to non-government end users under the terms and conditions of License Exception ENC after review by BIS in conjunction with other agencies, and many items are also eligible for export and re-export to government end users under this License Exception. License applications to export or reexport EI-controlled items to governments, or to Internet and telecommunications service providers for the provision of services specific to governments, may be favorably considered for civil uses, such as social or financial services to the public, civil justice, social insurance, pensions and retirement, taxes, and communications between governments and their citizens. EI-controlled items are also eligible for Encryption Licensing Arrangements (ELAs), which authorize exports and reexports of unlimited quantities of encryption items to all destinations except countries listed in Country Group E:1 (terrorism-supporting countries).
Export controls on encryption have evolved commensurate with electronic commerce and information technology (IT) developments, and to address continuing U.S. national security and law enforcement concerns. Since 2000, U.S. encryption export policy has been directed by three fundamental practices: technical review of encryption products prior to sale, streamlined post-export reporting, and license reviews of proposed transactions involving strong encryption to certain foreign government end-users and countries of concern. U.S. encryption policy also seeks to ensure that American companies are not disadvantaged by the European Union’s “license-free zone.”
Encryption products can be used to conceal the communications of terrorists, drug smugglers, and others intent on harming U.S. interests. Cryptographic products and software also have military and intelligence applications that, in the hands of hostile nations, could pose a threat to U.S. national security. The national security, foreign policy, and law enforcement interests of the United States are protected by encryption export controls. These controls are consistent with Executive Order (E.O.) 13026, which was issued on November 15, 1996 , and the Presidential Memorandum of the same date.
1. Probability of Achieving the Intended Foreign Policy Purpose . The Secretary has determined that, consistent with E.O. 13026 of November 15, 1996, and the Presidential Memorandum of the same date, the updated U.S. encryption export controls achieve the intended purpose of implementing technical review procedures for commercial encryption items and restricting the export of encryption items in situations that would be contrary to U.S. national security or foreign policy interests. The Secretary has determined that these controls are likely to achieve the intended foreign policy purpose, in light of other factors, including the availability of encryption items from other countries, and that the foreign policy purpose cannot fully be achieved through negotiations with the participating states of the Wassenaar Arrangement (WA) or through alternative means. Commensurate with the growth of electronic commerce and the Internet, and the emergence of new security protocols such as for short-range wireless communications, the number of countries with the technology to produce highly sophisticated, dual-use encryption products continues to grow. However, since much of the world’s commercial cryptography is supplied by a core group of information technology (IT) industry leaders using standard algorithms and protocols, encryption export controls can be effective in achieving their intended foreign policy purpose.
2. Compatibility with Foreign Policy Objectives. The Secretary has determined that these controls are compatible with U.S. foreign policy objectives, and that the extension of these controls will not have significant adverse foreign policy consequences. The controls are consistent with the U.S. foreign policy goal of preventing U.S. exports (and subsequent reexports) that might contribute to destabilizing military capabilities or to the capabilities of international terrorists or criminals. In addition, foreign policy concerns and non-proliferation considerations will continue to determine the United States ’ licensing policy to embargoed and sanctioned destinations. Updated U.S. encryption export controls implement multilateral agreements and protect U.S. citizens overseas, as well as critical infrastructure assets at home.
3. Reaction of Other Countries. The Secretary has determined that the continued implementation of U.S. encryption export controls is generally accepted in the international community, and that any adverse reaction to these controls is not likely to render the controls ineffective, nor are they counter-productive to the foreign policy interests of the United States . Other countries, particularly those capable of producing highly sophisticated encryption products, recognize the need to control exports of such products for national security and law enforcement reasons. The U.S. Government and its key trading and security partners recognize the desirability of securing critical infrastructures, developing new technologies and standards, preventing cybercrime, and promoting electronic commerce, while restricting goods that could compromise common security and foreign policy interests.
4. Economic Impact on U.S. Industry. The Secretary has determined that the continued implementation of encryption regulations will allow U.S. industry to maintain its leadership position in the global market for encryption as well as other IT products, while ensuring that essential protections for U.S. national security and foreign policy interests, as well as the public safety, are upheld. The Secretary has determined that any adverse effect of these controls on the U.S. economy, including on the competitive position of the United States in the international economy, does not exceed the benefit to U.S. foreign policy objectives.
Except for a limited range of encryption items (such as high-end “network infrastructure” products, commercial encryption source code items, and products for which the cryptography has been customized or tailored for government end-users or end-uses) for which a license is required to certain government end-users outside the EU “license-free zone”, dual-use encryption products may be exported and reexported to any destination outside Country Group E:1 after a one-time technical review has been conducted pursuant to either the License Exception ENC (15 C.F.R. § 740.17) or the “mass market” encryption provisions of the Export Administration Regulations (EAR) (15 C.F.R. § 742.15(b)(2)).
Throughout Fiscal Year 2006, the Department of Commerce processed a substantial number of pre-export encryption review requests for a variety of products with encryption features. This activity continues to reflect the ever-expanding trade in encryption items, and the wide commercial applicability of such items. The Department received approximately 1,684 technical review requests for over 2,700 controlled encryption products, components, toolkits, and source code items. Types of products reviewed include commodities and software for desktop and laptop computers, wireless handheld devices, e-business applications, network security, and telecommunications platforms. These encryption reviews comprised 36 percent of the 4,732 commodity classifications conducted by the Department in Fiscal Year 2006. Of the 2,276 encryption products reviewed during the Fiscal Year, the Bureau of Industry and Security (BIS) classified 87 percent (or 1,988 encryption reviews) as “unrestricted” (1,366) or “mass market” (622) encryption items, making them eligible for export and reexport without a license to government and non-government end-users in most countries.
Additionally, during Fiscal Year 2006, the Department approved 1,011 license applications for “restricted” encryption items (such as high-end routers and other network infrastructure equipment) and technology (excluding so-called “deemed exports” that are eligible under License Exception ENC to most foreign national employees). These 1,011 licenses for “restricted encryption items,” valued at nearly $380 million, were destined to non-sanctioned end-users outside Country Group E:1 for which licenses were required.
The Department returned without action (RWA) 191 applications for encryption items classified under ECCNs 5A002, 5D002 and 5E002, valued at just over $97 million. Many of the RWA applications did not require a license, as the transaction was authorized under License Exception ENC. In Fiscal Year 2006, there were no denials of encryption commodities based on issues specific to encryption policy.
Overall, the Department processed approximately 20 percent more encryption review requests and license applications in Fiscal Year 2006 than in Fiscal Year 2005.
5. Effective Enforcement of Controls. The Secretary has determined the United States has the ability to effectively enforce these controls. Detection of some encryption transactions is difficult since encryption components are often incorporated into other products and encryption software can be transferred over the Internet. However, the importance and value ascribed to commercial encryption products does lead to traceable transfers and distributions. Over the course of implementing U.S. encryption export controls under the EAR, the Department of Commerce has determined that it is easier to enforce controls on proprietary encryption technology and commercial encryption commodities and software than it would be to restrict free distributions of “open source” encryption software under a license requirement.
On March 7, 2006 , Ching Kan Wang, President/owner China May, Inc. of Hollywood, Florida, was sentenced to prison for one year and one day. Wang pled guilty to violating Title 18 United States Code, Section 371 (conspiracy to violate the IEEPA) for his role in attempting to acquire sensitive communication encryption modules for export to Taiwan without the required BIS export licenses. BIS’s Office of Export Enforcement and the Department of Homeland Security’s Immigration and Customs Enforcement jointly conducted this investigation.
The U.S. Government continually consults with U.S. industry regarding encryption policy. The objective of these consultations is to develop updated policy solutions to assist law enforcement, protect U.S. national security, ensure continued U.S. technological leadership, and promote the privacy and security of U.S. firms and citizens engaged in electronic commerce in an increasingly networked world. Such consultations have proven successful, as evidenced by the increasing number of encryption items submitted for technical review, constructive industry input on matters of regulations and policy, and continued industry commitment to assist law enforcement to better understand current and future encryption technologies.
In an October 23, 2006 , Federal Register notice (71 FR 62065), the Department of Commerce solicited comments from industry on the effectiveness of U.S. foreign policy-based export controls. In addition, comments were solicited from the public via the BIS website. Comments from the Department’s six Technical Advisory Committees and the President’s Export Council Subcommittee on Export Administration are solicited on an ongoing basis and are not specific to this report. The comment period closed on November 22, 2006 , and three comments were received. A detailed review of all public comments received can be found in Appendix I.
The U.S. Government has taken the lead in global efforts to prevent international criminals, terrorists, and designated state sponsors of terrorism from acquiring sophisticated encryption products, and urged other supplier nations to adopt export controls comparable to those of the United States . As a result, the major industrial partners of the U.S. Government maintain export controls on encryption equipment and technology. U.S. encryption policy reflects continual consultation with other nations, such as the participating states of the Wassenaar Arrangement, members of the European Union, and key bilateral strategic partners.
Encryption items are included under the WA Basic List of dual-use goods and technologies, with controls based on the encryption strength (e.g., key size) and use of specified dual-use items. In addition, the WA Cryptography Note stands as the basis for evaluating “mass market” encryption items covered by the Wassenaar control list. These controls have been maintained, without major structural or strategic changes, since 2000.
In 2005, due to the emerging viability of sophisticated quantum cryptography techniques for both military and commercial applications, the United States consulted with WA partners and quickly reached multilateral agreement on instituting dual-use export controls on quantum cryptography items. In addition, during the reporting period the WA reached agreement on a U.S. proposal to decontrol electronics design automation (EDA) tools containing embedded encryption that is not user-accessible. Such items serve a limited purpose of ensuring that design specifications for commercial electronic components (such as microprocessors and integrated circuits) are not compromised during the manufacturing process. The United States also held technical consultations with key strategic partners on issues raised in WA discussions regarding cellular communications, finding agreement on the application of existing WA controls in this area of encryption policy.
Through a wide range of diplomatic cooperation with law enforcement officials in friendly countries, the U.S. Government continues to undertake bilateral and multilateral efforts to keep encryption products out of the hands of terrorists and other criminals. The U.S. Government continues to encourage other nations to adopt appropriate restrictions on the export of encryption products. These efforts supplement, but do not replace, the effectiveness of U.S. encryption export controls.
The United States recognizes the ongoing adoption and widespread use of encryption world wide, and the continued development of foreign-made encryption hardware and software. The U.S. Government continues to monitor global IT marketplace and encryption policy developments so that updated U.S. regulations will enable American companies to maintain their technological leadership in a manner that safeguards U.S. national security and public safety interests. The U.S. Government does consult with other governments to secure cooperation in controlling the unfettered availability of encryption items. However, the U.S. Government’s foreign policy concerns override the impact of foreign availability.