
The U.S. government strictly regulates exporting sensitive technology outside its borders. Depending on the nature of the technology and the country of export, a license from the Bureau of Industry and Security (BIS, part of the Commerce Department) may be required. For Cuba, Iran, North Korea, Sudan or Syria, no export of any kind is generally allowed.
While some technologies—such as nuclear energy and missile defense—are on the restricted list for obvious reasons, many businesses may be surprised to learn that encryption technology is also heavily regulated by BIS. The regulations cover many common encryption algorithms used in both off-the-shelf and custom-built software, including open-source algorithms. Any shipment of such software across the U.S. border could potentially be in violation of U.S. law and subject the exporter to a large fine or possible criminal sanctions.
Wind River Systems, a subsidiary of Intel, found this out the hard way. On October 8, 2014, BIS announced a $750,000 penalty against Wind River Systems for the unlawful exportation of 55 encryption software products to users in China, Hong Kong, Russia, Israel, South Africa, and South Korea.
Two things are worth noting. First, because Wind River Systems voluntarily disclosed the violation to BIS, BIS reduced the penalty significantly. Had BIS discovered the violation on its own, the fine would likely have been much higher. Second, BIS’ action is unusual because it involves a fine for export to countries other than those under a total export ban (Cuba, Iran, North Korea, Sudan or Syria). Prior to this action, such violations usually resulted in a warning letter.
BIS’ upping the ante on encryption enforcement in software means that companies engaged in cross-border shipments of software should review their products to make sure that they are in compliance with export regulations.