By George W. Thompson
Cryptic (adjective). Mysterious in meaning; puzzling; ambiguous.
“Cryptic” may be a good term to describe the Bureau of Industry and Security’s recently revised encryption and information security regulations, published here, at least upon a first reading. Perseverance will be rewarded, though, since they have instituted extensive changes to encryption controls. Most notably, entire classes of products were removed from coverage, new control categories were created and details regarding export authorization under license exception ENC were significantly adjusted. Exporters should review their encryption products to ensure that the correct export classifications and control requirements are now being followed.
Many Items Removed from Encryption Controls
Probably the biggest change, measured by the number of products affected, is the removal from encryption controls of items that previously were classified in ECCN 5A992 pursuant to the Note to ECCN 5A002. These include such items as “smart cards” and readers/writers for them, banking-related equipment, certain limited-range wireless and portable telephone devices, and telecommunications and computing equipment using encryption only for limited “Operations, Administration or Maintenance” purposes. While the Federal Register notice indicates these items now have EAR99 status, exporters should consider whether any of their items are described elsewhere in the Commerce Control List (for example, Category 5, Part 1, covering telecommunications equipment) to determine the appropriate classification.
In connection with this change, ECCNs 5A992.a and .b have been abolished, while 5A992.c remains limited to mass market items. Products previously classified in the eliminated provisions have either been moved elsewhere in the CCL or are designated as EAR99. In my interpretation, this means that products that use encryption only for authentication/password protection functions now fall outside encryption controls altogether, since they fell into either 5A992.a or .b. It puzzles me, however, that BIS would take this step without any discussion at all in the Federal Register notice.
Changes to License Exception ENC Requirements
While many items may be self-classified by exporters for License Exception ENC eligibility, BIS classification reviews are required for designated “network infrastructure”, customized and non-standard items to qualify. Such items also are ineligible for mass market status, and could not be exported to “government end users” in most countries without an export license. There are two important changes regarding network infrastructure articles in these categories.
First, the technical parameters for many of these products have been revised upward, resulting in a number of exclusions. For example, the media encryption or encrypted signaling threshold for media gateways was increased from 1,000 endpoints to 2,500. Now-removed items may be self-classified, and I see no restriction on seeking mass market status for them, although whether they would meet the applicable requirements is questionable.
Second, those network infrastructure products for which pre-export BIS classification remains in effect may now be exported under license exception ENC to “less sensitive government end users” in restricted countries (those not listed in Supplement No. 3 to 15 C.F.R. Part 740); previously, all government end users in such countries were ineligible for this treatment. Such “less sensitive” bodies include state, provincial and local governments and many national government agencies engaged in civil functions. Cuba, Iran, North Korea, Sudan and Syria are, of course, ineligible.
New ECCNs for Non-Cryptographic Information Security Items
Previously, information security articles that do not use cryptography were lumped together in ECCN 5A002 with those that do. These are now classified in new ECCN 5A003. Likewise, “cryptanalytic” items “designed to defeat cryptographic mechanisms in order to derive confidential variables or sensitive data” were removed from ECCN 5A002 to new ECCN 5A004. ECCN 5A003 has limitations on coverage by license exception ENC, while that exception is unavailable for 5A004.
Numerous Other Changes Were Adopted
The revised regulation eliminated “encryption registration” for exporters that self-classified their products, although the self-classification reporting requirement remains in effect. License exception ENC’s authorization covering encryption articles for internal company use has been expanded to encompass companies affiliated with a parent corporation headquartered in a Supplement No. 3 country, as well as certain foreign-made products incorporating U.S.-origin encryption. Publicly-available encryption source code is not subject to the EAR following notification of its characteristics to BIS and the National Security Agency.




