US government fines Intel's Wind River over crypto exports
New emphasis on encryption as a weapon?
The US Government has imposed a $750,000 fine on an Intel subsidiary for exporting encryption to China, Russia, Israel and other countries
Wind River Systems was fined for exporting products that incorporated encryption to foreign governments and to organisations on the US government restricted list. The controversial move means the US Department of Commerce appears to be coming down heavily against the export of encryption even in cases where no export to sworn enemies of the US (Iran, Cuba and North Korea etc.) is involved.
The Intel subsidiary was fined for falling to get Department of Commerce licenses for a modest piece of business, valued at under $3m. As such the fine represents a slap on the wrist, but it's still a clear signal that priorities are changing.
Previously self-reported cases of crypto export used to be handled by a warning only. Multinational commercial law firm Goodwin Procter warned its clients to treat what happened to Wind River as the new normal.
Wind River Systems exported its software to China, Hong Kong, Russia, Israel, South Africa, and South Korea. BIS [Bureau of Industry and Security] significantly mitigated what would have been a much larger fine because the company voluntarily disclosed the violations.
We believe this to be the first penalty BIS has ever issued for the unlicensed export of encryption software that did not also involve comprehensively sanctioned countries (e.g., Cuba, Iran, North Korea, Sudan or Syria). This suggests a fundamental change in BIS’s treatment of violations of the encryption regulations.
Historically, BIS has resolved voluntarily disclosed violations of the encryption regulations with a warning letter but no material consequence, and has shown itself unlikely to pursue such violations that were not disclosed. This fine dramatically increases the compliance stakes for software companies — a message that BIS seemed intent upon making in its announcement.
Senior FBI and US government law officers have repeatedly complained over recent weeks about plans by Apple and Google to incorporate enhanced security into smartphones. Now, as Techdirt notes, the conflict between government regulation and the tech industry is moving onto the renal original turf of the first crypto wars of the late 90s - the export of strong encryption.
Strong cryptography was classified as a weapon and subject to export controls back in the 90s. This approach fell into disfavour for several good reasons that are even more relevant today than they were 20 years ago.
Firstly cryptography is essentially applied mathematics and the knowledge is already out there. Secondly decent cryptography is a fundamental component of any computing system that aspires to be secure.
This includes an increasing number of consumer devices with built-in processor chips, covering everything from smart-meters to electronic car locks and insulin pumps. Encryption is one of the best ways to safeguard against these devices getting hacked.
Clamping down on the export of cryptography creates a huge competitive disadvantage for US tech companies trying to offer products and services worldwide. Foreign competitors, most likely from China, will inevitably step in and fill the breach.
If the Snowden revelations hurt US-based cloud providers then what effect is stymying the US tech industry as a whole likely to have? At best the tougher line is an extra bureaucratic burden.
In a statement, BIS provided an essentially bureaucratic justification for its enforcement action - Wind River had failed to apply for an export permit.
Wind River Systems "voluntarily disclosed that between 2008 and 2011 the company made 55 exports of operating software valued at $2.9 million to governments and various end users in China, Hong Kong, Russia, Israel, South Africa, and South Korea. The operating software is controlled under Export Administration Regulations for national security reasons, and some of the export recipients in China are on the BIS Entity List."
“I approved penalties in this case because the violations were ongoing over a period of several years,” said assistant secretary of commerce for enforcement, David W. Mills. “Because the violations were voluntarily disclosed, the company received significant mitigation. This penalty should serve as a reminder to companies of their responsibility to know their customers and, when using license exceptions, to ensure their customers are eligible recipients." ®
Sponsored: Becoming a Pragmatic Security Leader