Export Enforcement and the Challenge of Intangible Technology Transfers
F. Amanda DeBusk
Assistant Secretary for Export Enforcement
September 27, 2000
Introduction
Good afternoon. U.S. law enforcement is keenly aware that intangible technology
transfers present one of the greatest challenges we face today in maintaining
a successful nonproliferation export control effort. This afternoon I would
like to cover four topics: (1) the challenges law enforcement faces in this
area; (2) the investigative strategies we are employing to address these challenges;
(3) how we are dealing with intangible technology issues on a day-to-day basis,
using case examples; and (4) views on what needs to be done in the future.
1. Intangible Technology Challenges for Law Enforcement
Law Enforcement Needs To Move as Fast as Business
The challenge is immense. More and more, business today is conducted over
the Internet. Transactions that would take weeks to arrange can be completed
in seconds. International trade is now expected to move at "internet
speed." As the economy evolves, and transactions take less time, human
involvement in these transactions decreases. Where just a few years ago several
people would have to review a transaction, today the only human reviewing
a purchase may be the purchaser. Law enforcement has a very small window to
step into these transactions and stop an export before it occurs.
The Internet is all about sharing information. Anyone can put almost any
type of information onto the web. You can find anything from cookie recipes
to bomb recipes with little effort. Almost every company has a website, and
we see more and more technical data on the web. Many companies today provide
all their technical support and software updates in customer restricted areas
of their company websites. Controlled information is literally flying around
the world at light speed. It presents great challenges to law enforcement
to step into this cyber-export world and say this packet of data can go here,
but that packet of data needs an export license.
As the economy has globalized, so have businesses. With the Internet, physical
location means little in the world of software development and business services.
Teams of software engineers from around the world routinely collaborate on
software projects, with no reference to borders or national identities.
In the United States, our technology industry has grown so fast we are running
out of technical workers. Many of the talented computer scientists working
in the United States today are not U.S. citizens, creating all sorts of export
control issues for companies.
Software development is routinely subcontracted outside the United States.
India in particular has received a lot of this subcontracting work, and as
you know we have sanctions on certain Indian companies that can come into
play.
The challenge to law enforcement is to understand these new technologies
and business practices, and learn to use them to our advantage. Law enforcement
must learn to move at "internet speed."
The Legal Framework for Dealing with Intangible Transfers Is Evolving
This is one of the biggest challenges for law enforcement. Law enforcement
needs a strong legal framework within which to combat the new "intangible"
crimes. We understand that the European Union is currently considering new
laws and regulations covering intangible transfer and are interested in learning
more about them and how they will be implemented.
In the United States, we have a solid legal framework for dealing with intangible
technology. Karen Day covered this in detail before lunch, but let me again
state: U.S. export control laws do not differentiate between the transfer
of technology via written form or by electronic means for export control purposes.
A transfer of software or technology constitutes an export when the actual
shipment or transmission is made outside of the United States, or is released
to a foreign national in the United States. The method of export does not
matter. Use of Internet exchanges, faxes, and other electronic media does
not alter the basics of a transaction.
We also have laws and regulations in place that make it illegal to provide
a foreign person controlled information or know how without an export license.
These laws cover:
- Technical discussions with foreign persons during factory visits, technical
training or research, business discussions, or employment.
- E-mailing controlled software or technical data to foreign nationals,
whether inside the United States or overseas.
- Making controlled technical data or software available to foreign customers
over the Internet.
- Setting up E-Commerce solutions that fail to take into account export
controls.
While our domestic laws for dealing with intangible technology are working,
there is a huge gap on the international side. Let me give you an example,
involving offsite data storage. Many companies keep critical computer records
offsite. During one recent search warrant, agents found that computer recordkeeping
had been outsourced to another firm. Agents quickly responded by issuing subpoenas
to the storage firm to obtain the records. But what if that company to whom
this computer recordkeeping function had been outsourced was in another country?
We must be ready to cooperate internationally to handle such situations, and
that cooperation must be fast. Records kept overseas could be deleted before
you can even say MLAT (Mutual Legal Assistance Treaty). The MLAT process must
evolve to be able to handle fast-moving intangible commerce.
Let me give you another example. Suppose a company operates in one country
and stores data in another. If one country serves a search warrant and finds
that the company has remote access to data in another country, can the government
seize that data online? What are the treaty implications of that action? Is
it a legal action in another country? These are difficult questions.
2. Investigative Strategy
Now I would like to turn to the investigative strategies we are pursuing
to handle intangible technology cases:
- All agents are trained on how to use computers as investigative tools.
While the Internet presents many challenges, it also offers many opportunities.
Vast amounts of data on companies and products can be found at the click
of a mouse. Requests for tenders and bids is publicly available. Sources
of critical dual-use items can be identified. We have come to a point now
where it is almost suspicious if a company doesn't have a webpage.
- We have a team of analysts developing tips and leads for investigators
on foreign visitors of concern visiting sensitive U.S. businesses. This
program is not about looking at legitimate business exchanges between U.S.
and foreign business people. It is about drawing on available information
to identify highly suspicious visitors.
- Export Enforcement at Commerce has made a commitment to having our investigators
pursue intangible cases. We are working to see that our agents have the
technical training and equipment they need. We are rewarding our agents
for successful pursuit of these cases. Last month the U.S. Department of
Commerce awarded gold medals to our computer evidence team -- those agents
especially trained on computer information recovery -- for their work on
a number of critical ongoing investigations.
3. Intangible Technology Cases
Now let me give you a flavor of some of our cases involving intangible technology.
- We have investigated cases where controlled software was e-mailed to a
foreign end-user without a required license. All the evidence related to
this case was electronic evidence. There was no physical box that left the
United States that could be inspected. There were no shipping documents
filed with a freight forwarder that could be examined. There was no Shipper's
Export Declaration filed with the government that could be analyzed. The
software was in the foreign country at the click of a button. In this case,
we found out about it from the company that committed the violations. Agents
had to recreate the transaction from E-mail stored at the company.
- In another case, a company that was under investigation was operating
on both the East and West coasts of the United States. There was a concern
that if we served a search warrant on the East coast operation, the West
coast operation would destroy computer evidence. We had to coordinate simultaneous
search warrants and enter both companies at exactly the same time. The split-second
execution of search warrants at multiple locations is a necessity in the
Internet world.
- You may have heard of some of the problems we have had at our nuclear
weapons labs. Many of these issues relate to intangible transfers. Controlled
nuclear secrets can be whisked out of the country over the Internet in an
instant today. The results of millions of dollars of research and development
can fit onto a floppy disk and be carried overseas in a shirt pocket. We
have conducted several investigations involving technical data disclosures
at our national labs. Scientists love to share information. Many view what
they do as "pure science" and sometimes seem to forget the implications
of their research. We have worked long and hard to educate the scientists
at our national labs about their export control responsibilities. We have
held seminars and spoken at lab training sessions. Education is our best
weapon to prevent violations. There is no way to stop the violations once
someone has hit the "send" key.
- Another case involves the oral exchange of controlled information between
a U.S. party and a foreign national. We received a "tip" indicating
that a foreign visitor from a country of concern recently visited a sensitive
facility. This visit was not mentioned on the visa application nor did the
individual visit the fairly benign U.S. business that was listed on the
application. Further checking turned up that the individual was associated
closely with a program to develop weapons of mass destruction. Our agent
discovered that controlled information was discussed in the course of several
technical discussions. There is now an investigation underway to determine
exactly what happened and who is responsible.
- The final case shows what our foreign visitor visa review program can
do to stop potential intangible transfers. Our visa program turned up information
that three individuals associated with a missile program from a country
of concern were visiting several sensitive U.S. businesses. We believed
that the visitors were coming to scout for potential technology suppliers
and to see what useful information could be picked up. One tip off was the
fact that the visa application for these individuals stated that they were
coming to visit a limousine service!
It turned out that the visas had already been granted, so we had to act fast.
We contacted the State Department for assistance. We understand that the visas
were revoked the same day these three individuals were scheduled to depart.
They packed and got to the airport, but they were not allowed to complete
their trip. This was not an easy case -- the agents and analysts spent a lot
of hours uncovering the true story behind the visa application -- but the
end results were worth it.
4. Looking Ahead to the Future
Clearly, there is much work ahead of law enforcement in the intangible technology
area. I would like to conclude my remarks by offering some ideas for developing
your export enforcement resources to manage this new crime environment:
- Invest time and resources now in understanding the Internet environment.
This includes developing a cadre of skilled personnel as well as understanding
the new resources available on the net to assist law enforcement's work.
We are finding that more and more major investigations today require investigators
trained in recovering computer evidence to seize corporate computers, analyze
the disk drives, and retrieve information that can be admitted as evidence
in court. Building such a skilled cadre of these types of agents takes time.
- Use the Internet to gather information and identify sources of controlled
technology. Today if a rogue state wants to acquire a sensitive item, they
are probably going to go on the Internet and find out who makes it. We can
do the same thing, and reach out to those companies before the bad guys
do.
- Focus traditional investigative law enforcement techniques within the
Internet environment as applicable and seek to develop new investigative
techniques. We need to understand more about what is available on the Internet
for export enforcement purposes and how it can best be used. For example,
investigators can obtain records from Internet Service Providers (ISPs)
used by the company (when legal authority has been granted to do so). Today
we get some of our best evidence off of computers. E-mail provides an incredible
record of transactions. We are always amazed at what people seem to be willing
to put in E-mail -- things that they would never think to put in a letter!
- Finally, it is important for us to share information multilaterally through
this fora and others. It is only through international cooperation that
law enforcement can be fully successfully in combating export control crimes.
Thank you.
Note
In April of 2002 the Bureau of Export Administration (BXA)
changed its name to the Bureau of Industry and Security(BIS). For historical
purposes we have not changed the references to BXA in the legacy documents
found in the Archived Press and Public Information.
| | | | | | |