Encryption Update Ken Delaporta, Director of Operations and Export Compliance
MathWorks at a Glance
• Headquarters: Natick, Massachusetts US
• Other US Locations: California, Michigan, Texas, Washington DC
• Europe: France, Germany, Italy, Spain, the Netherlands, Sweden, Switzerland, UK
• Asia-Pacific: Australia, China, India, Japan, Korea
• Worldwide training and consulting
• Distributors in 25 countries
[Figure: Earth’s topography on an equidistant cylindrical projection, created with MATLAB and Mapping Toolbox.]

MathWorks Today
• Revenues ~$500M in 2009
• Privately held
• More than 2,000 employees worldwide
• Worldwide revenue balance: 45% North America, 55% international
• More than 1,000,000 users in 175+ countries

Key Industries
• Aerospace and Defense
• Automotive
• Biotech and Pharmaceutical
• Communications
• Education
• Electronics and Semiconductors
• Energy Production
• Financial Services
• Industrial Automation and Machinery

How do most export professionals react when they hear… “Oh, by the way, it has encryption”

Ben Flowe, attorney with Berliner, Corcoran & Rowe in Washington, as quoted in the Export Practitioner, described the changes well: “Unfortunately, this Rule does nothing to make the rules less complicated other than reducing the number of ancillary products. In fact, they are more complex than before … and will remain the most confusing part of the EAR for most exporters and regulatory officials”

Is understanding the filings and notifications required by the encryption regulations like escaping a black hole? Let’s try to sort them out!

Let’s start with some background
• Encryption for Hardware, Software and Technology is managed differently by the EAR:
  • It’s an additional layer or lens that’s added to the base item
  • Due to legitimate National Security Concerns
• And… Encryption’s growth is exponential due to mobile devices, wireless communications, use of the internet to transact business, and global privacy regulations

How has Encryption been managed by BIS in the past?
• You start with - The Licensing Requirement
  • In addition to the classification of the base item, another licensing requirement is added for most encryption items
• Look for - Allowed Exceptions
  • “ENC” - exceptions to the licensing requirements based on specific criteria - always requires review, notification or reporting
  • Mass Market - relaxes requirements for higher-strength encryption
• File - your Encryption Review Requests
  • With both the BIS and the ENC Encryption Request Coordinator (NSA)

What’s new in Encryption filings and notifications?
• Types of Filings & Notifications
  1. Encryption Registration (all new exporters of encryption items)
  2. Encryption Classification Request (CCATS)
  2a. Report if key length increases after CCATS for ENC (b)(2) or (b)(3)
  3. Annual Self Classification Report (self-classified Mass Market and ENC)
  4. Bi-Annual Report (ENC (b)(2) and (b)(3)(iii))
  5. Encryption Notification (TSU publicly available encryption)

MASS MARKET (742.15)
• Notes
  • Mass Market items are controlled for AT reasons only
  • This chart applies only to Mass Market items that have key lengths: > 64-bit symmetric, > 768-bit asymmetric, or > 128-bit elliptic curve

Encryption Registration - Mass Market
• Mass Market items (b)(1) & (b)(2) require an Encryption Registration
• Use SNAP-R to register
  • SNAP-R will issue an Encryption Registration Number (ERN), which will start with an “R” and will be followed by 6 digits, e.g., R123456. This registration number is confirmation that BIS has received your encryption registration.
• You only need to re-file if you change information previously filed
  • A company that exports under the authorization of the encryption registration does not need to resubmit its encryption registration unless the answers to the questions in Supplement No. 5 to Part 742 changed during the previous calendar year.
• You can now begin shipping without review for some items
  • Once a manufacturer (or producer) of the encryption item submits its Encryption Registration to BIS, the encryption items become eligible for export and reexport under the applicable provision of section 740.17(b) and 742.15(b) of the EAR, subject to the conditions and restrictions of those sections.

Annual Self Classification Report - Mass Market
• If you self-classify items, you need to report them annually, even if there is no change
  • An annual self-classification report is a requirement for items exported under License Exception ENC - 740.17(b)(1) and Mass Market - 742.15(b)(1).
• How to submit
  • The report has very specific format requirements outlined in Supplement No. 8 to Part 742. The information in the report must be provided in tabular or spreadsheet form, as an electronic file in comma separated values format (CSV), only.
• Where to submit
  • The annual self-classification report must be submitted as an attachment to an e-mail to BIS and the ENC Encryption Request Coordinator at crypt-supp8@bis.doc.gov and enc@nsa.gov.

Encryption Classification - Mass Market
• Mass Market provision - 742.15(b)(3) requires a submission of an encryption classification request to BIS before export.
• How to submit: Utilize SNAP-R
• When can I ship after I file?
  • Once a mass market classification request is accepted in SNAP-R, you may export and reexport the item under Exception “ENC” as ECCN 5A002 or 5D002, whichever is applicable, to any end-user located or headquartered in a country listed in Supplement No. 3 to Part 740 while the mass market classification request is pending review with BIS.
  • Thirty days after the submission of a classification request to BIS, the item can be exported using the symbol “NLR”, provided the items qualify for mass market treatment and are classified by BIS under ECCNs 5A992 or 5D992.

Encryption Registration - ENC
• ENC items (b)(1), (b)(2) & (b)(3) require an Encryption Registration
• Use SNAP-R to register
  • SNAP-R will issue an Encryption Registration Number (ERN), which will start with an “R” and will be followed by 6 digits, e.g., R123456. This registration number is confirmation that BIS has received your encryption registration.
• You only need to re-file if you change information previously filed
  • A company that exports under the authorization of the encryption registration does not need to resubmit its encryption registration unless the answers to the questions in Supplement No. 5 to Part 742 changed during the previous calendar year.
• You can now begin shipping without review for some items
  • Once a manufacturer (or producer) of the encryption item submits its Encryption Registration to BIS, the encryption items become eligible for export and reexport under the applicable provision of section 740.17(b) and 742.15(b) of the EAR, subject to the conditions and restrictions of those sections.

Annual Self Classification Report - ENC
• If you self-classify items, you need to report them annually, even if there is no change
  • An annual self-classification report is a requirement for items exported under License Exception ENC - 740.17(b)(1) and Mass Market - 742.15(b)(1).
• How to submit
  • The report has very specific format requirements outlined in Supplement No. 8 to Part 742. The information in the report must be provided in tabular or spreadsheet form, as an electronic file in comma separated values format (CSV), only.
• Where to submit
  • The annual self-classification report must be submitted as an attachment to an e-mail to BIS and the ENC Encryption Request Coordinator at crypt-supp8@bis.doc.gov and enc@nsa.gov.

Encryption Classification - ENC
• License Exception ENC - 740.17(b)(2) and (b)(3) requires a submission of an encryption classification request to BIS before export.
• When can I ship after I file?
  • After an encryption classification submission has been made via SNAP-R, all items under 740.17(b)(2), except cryptanalytic (code breaking) items, may be immediately exported to countries listed in Supplement No. 3 to Part 740. There is a 30-day wait while the encryption classification is pending before exports of (b)(2) items may be made outside of the countries listed.
• When is a license still required?
  • A license will be required for exports to “government end user(s)” outside the countries listed. Cryptanalytic items require a license for export to any “government end user” anywhere except Canada.
• Non Standard Technology has restrictions
  • “Non-standard” technology (5E002), cryptanalytic technology (5E002), and open cryptographic interface items may be exported only to end users located or headquartered in Supplement 3 countries using License Exception ENC. Other 5E002 technology may be exported after review to any non-“government end-user” located in a country listed in Country Group D:1.

Semi Annual Report - ENC (b)(2) and (b)(3)(iii)
• If you have a CCATS with a 5A002.a.1, a.2, a.5, a.6, a.9, 5D002, or 5E002 and ship using License Exception ENC (b)(2) and (b)(3)(iii)
  • You are required to file semi-annual reports of all exports to all destinations other than Canada
• Information required:
  • Distributors or resellers: name, address, item, quantity and, if collected by the exporter as part of the distribution process, the end user's name and address
  • Direct sales: name, address, item, quantity
  • Foreign manufacturers and products that use encryption items: See 740.17(e)(c)
• Submission requirements
  • January 1 to June 30, by August 1 of that year.
  • July 1 to December 31, by February 1 the following year.
  • Reports may be sent electronically to BIS at crypt@bis.doc.gov and to the ENC Encryption Request Coordinator at enc@nsa.gov

Key length increases - classified for License Exception ENC (b)(2) or (b)(3) – Report Required
• If you increase the key length of a previously classified item
  • You may continue to export under the previously authorized provision of License Exception ENC without a classification resubmission. But you must send a report.
• Information required
  • (A) Certification that no change to the encryption functionality has been made other than to upgrade the key length for confidentiality or key exchange algorithms.
  • (B) The original (CCATS) authorization number issued by BIS and the date of issuance.
  • (C) The new key length.
• Submission requirements
  • (A) The report must be received by BIS and the ENC Encryption Request Coordinator before the export or reexport of the upgraded product; and
  • (B) The report must be e-mailed to crypt@bis.doc.gov and enc@nsa.gov.

TSU Notification – If you are going to make encryption software publicly available
740.13(e) Encryption source code (and corresponding object code)
(1) Scope and eligibility. This paragraph (e) authorizes exports and reexports, without review, of encryption source code controlled by ECCN 5D002 that, if not controlled by ECCN 5D002, would be considered publicly available under §734.3(b)(3) of the EAR.
(3) Notification requirement. You must notify BIS and the ENC Encryption Request Coordinator via e-mail of the Internet location (e.g., URL or Internet address) of the source code or provide each of them a copy of the source code at or before the time you take action to make the software publicly available as that term is described in §734.3(b)(3) of the EAR.

Grandfathering Old Classifications
• General rule:
  • No need to provide an encryption registration or file a new classification for old classifications under the new regulations
• Semi Annual Reporting
  • Must continue to provide semi-annual reporting for items under (new) B2 or B3iii
• Exceptions: When do you need to register and file under the new regulations?
  • When the encryption functionality changes
  • Any items now classified under B2 that were not previously classified as B2, e.g. penetration testing software.

Grandfathering and Encryption Registrations
• CCATS issued before June 24th and pending on June 24th
• June 25th – Aug. 24th: grace period
• After August 25, must file in new process

Best Practices
• Educate Developers/Engineers about Encryption
• Utilize the Mass Market Designation
• Use “Standard” off the shelf encryption

Non Standard Cryptography
EAR definition: Non-standard Cryptography means any implementation of “cryptography” involving the incorporation or use of proprietary or unpublished cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body (e.g., IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA, and GSMA) and have not otherwise been published.

Mass Market Exception - Note 3
Note 3: Cryptography Note: ECCNs 5A002 and 5D002 do not control items that meet all of the following:
a. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:
  1. Over-the-counter transactions;
  2. Mail order transactions;
  3. Electronic transactions; or
  4. Telephone call transactions;
b. The cryptographic functionality cannot be easily changed by the user;
c. Designed for installation by the user without further substantial support by the supplier; and
d. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with conditions described in paragraphs (a) through (c) of this note.

Don’t Be Scared!!!!! You can successfully deal with these changes!!