Join Gary Staley as he unravels the intricate web of ITAR, EAR, and cybersecurity measures, providing invaluable insights for effective compliance in a rapidly evolving global landscape.
Nielsonsmith: Gary, first of all, I’d like to thank you for speaking to us today and sharing your knowledge with our audience.
Gary: Thank you. I think we have so much to talk about this year. This has probably been one of the most exciting years for export control practitioners in recent memory, with so much happening. And not all good things; we can talk about that as we go on.
Nielsonsmith: Yes, well, why don’t we dive in? The first question we’ve got for you is, could you provide a brief overview of the key changes and developments in ITAR and EAR over the past year?
Gary: The difficult part for me is to provide a BRIEF overview; I could talk for hours on this. Most of the readers of this interview probably know that the United States has two systems of export controls: the U.S. Department of State’s International Traffic in Arms Regulations (ITAR) and the U.S. Department of Commerce’s Export Administration Regulations (EAR). And, of course, there’s also the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), which administers U,S. sanctions, although EAR export controls and OFAC sanctions continue to converge, with EAR controls looking more and more like sanctions in terms of targeting specific individuals and entities rather than whole countries. Of course, targeting specific individuals and entities is what U.S. sanctions have done for a long time.
But let’s start with the ITAR. Interestingly, there’s not a whole lot of earth-shaking developments regarding the ITAR over the past year. I think, in part, that’s because from May of 2023, when Deputy Assistant Secretary Mike Miller announced that he was leaving for a position at the US Department of Defense, until just recently, there has not been a formally-appointed Deputy Assistant Secretary to lead the Directorate of Defense Trade Controls. During that time, DDTC has had a series of Acting Deputy Assistant Secretaries drawn from the office directors within DDTC. When you have that situation, I think that somewhat chills initiatives within that office; they don’t want to undertake major developments or changes to the ITAR without having the formal appointment of a new Deputy Assistant Secretary. There were tweaks to the ITAR for the most part. The ITAR Reorg rule got finalized; there was an extension of the Open General Licenses, which we can talk about, and there were a few other developments, but again, nothing earthshaking.
I’ve yet to meet any company in the UK, Australia, or Canada that admits to using the Open General Licenses; they just seem once again to be a program dead on arrival. That’s a shame because those Open General Licenses, in theory, allow for retransfers within those countries, and reexports among those three countries, of ITAR-controlled items without a license, without prior approval, provided you meet all the conditions of those Open General Licenses.
We’ve had an update to ITAR Part 126’s Supplement No. 1, which increased the items available for the Canadian exemption and the UK and Australia Defence Trade Control treaties. But again, those treaties were dead on arrival back in the Bush Administration. I have yet to meet any company that admits to using either of the treaties.
DDTC continued the suspension of Cyprus’ proscribed country status under the ITAR. Cyprus had been a proscribed country because of the conflict between the Greek and Turkish communities there on the island, but they’ve suspended that ITAR 126.1 proscribed country status for now. Just again, tweaks.
So what’s coming up? Well, it seems like more tweaks for the moment, except for AUKUS. And AUKUS is going to be very interesting. AUKUS is a proposal to permit ITAR Canadian exemption-like treatment for the UK and Canada; provided, as various State Department officials have testified before Congress, the UK and Australia have export control systems comparable to what the United States has. Now the most glaring difference between the US, UK, and Australia, I would argue, is that the US imposes reexport and retransfer controls. Australia recently adopted some changes to its export control laws that would arguably impose some reexport control requirements. As for the UK, I was at a conference last September in London where I posed the question “Is the UK prepared to have a comparable system?”.to an official of one of the major UK trade associations. He was very quick to say, well, we already have a comparable system, and he clearly had his talking points lined up as to why that was the case. The UK does not have reexport controls; so, it’s going to be interesting to see how that plays out.
I would also urge folks to pay attention to provisions relating to export controls in what is called the National Defense Authorization Act for FY 2024. Among them was authority to negotiate exemption-like treatment for again Australia and the UK and some additional liberalization of trade with Canada on the ITAR side. It will be interesting to see how all that plays out.
Other than that, again, some tweaking. We are still waiting on a final rule regarding the definition of dual/third country nationals. I believe two years or so ago the State Department proposed to change the definition from “do you hold a nationality” to “have you held a nationality.” Right now, the definition is “hold” which means that even someone’s country of birth can make the person a dual national, But what does “hold” mean? If you were born in Iran and you left as a child when the Shah was deposed, and you’ve never been back, and you don’t have any family there, but you wisely have not gone into an Iranian Embassy and said, “where’s the form for me to fill out for me to renounce my Iranian citizenship?”, does the person still “hold” Iranian citizenship. At least in State’s proposed rule, they didn’t clarify that. So, we’ll see.
On the EAR side, the big thing, of course, is trying to increase the pressure through export controls on Russia, Belarus, and China. One of the big subjects this past year was semiconductors and semiconductor manufacturing equipment. It seems like every few weeks we have additions to the Entity List, which is one of the primary ways that Commerce is imposing, again, what amounts to sanctions on Russian companies and entities in other countries that are perceived to be assisting Russia.
The other big development is the significantly increased emphasis on enforcement. The State Department came out with a new compliance program guide. They also published a compliance matrix, which is well worth reviewing. It is very useful. State has continued to bring enforcement cases; particularly, there was a Consent Agreement that came out just last week imposing a $51 million dollars civil penalty on Boeing, although that’s far from the highest civil penalty that has previously been assessed against companies. Interestingly, in the Boeing Consent Agreement, there was a reference to one of the Boeing export control managers fabricating DSP-5 licenses. And you kind of go, “Wow!” How’s that possible? So, I thought that was interesting. About half of the $51 million penalty is allowed to be applied toward remedial measures.
On the EAR and sanctions side, we’ve seen a lot more multi-agency and, I’d say, multi-country enforcement efforts. On the US side, we have had since March of 2022 something called Task Force KleptoCapture run by the Department of Justice, which brings together the FBI, US Marshals Service, Internal Revenue Service, US Postal Inspection Service, Immigration and Customs Enforcement, and so forth to enforce sanctions on Russian oligarchs. And then in February of 2023, Justice and Commerce launched what they’re calling the Disruptive Technology Strike Force”. This is a joint effort, again, to bring together the FBI, Homeland Security, and task forces within each US Attorney offices within the various States to up the ante on enforcement of US export controls and sanctions.
It’s interesting that since the Obama Administration, there has been something called the Export Enforcement Coordination Center (E2C2), which was supposed to be doing the same thing. So why was there a need for this new Disruptive Technology Task Force? Was the E2C2 a failure? Inquiring minds want to know! But there’s no doubt that the pressure is on to bring cases.
And that brings me to something about which I’m really looking forward to having a dialogue with attendees at the conference. Are we kidding ourselves about how effective sanctions and export controls are?
There was a very interesting article in the New York Times, I think, at the beginning of last week, where they had seven tables explaining why sanctions have not been effective against Russia, and one of the big factors, of course, is that Russia has turned to China for a lot of its trade. But also a lot of this illicit trade is coming out of the Middle East: UAE, Bahrain, some of the other Gulf States. By all apparent measures, the sanctions have not been effective in bringing Russia to its knees.
Nielsonsmith: That was one of the questions that was on the agenda today to ask how effective you think they are; well, here are the answers.
Gary: A number of the major US newspapers ran articles about why sanctions aren’t more effective last week or the end of the week before when we had the two-year anniversary of the Ukraine war. One of the things that I think goes on is that the sanctions process is just not nimble enough. It has always been a matter of playing whack-a-mole. As soon as you identify and whack one conduit for elicit trade, five more pop up. U.S. authorities approach sanctions in a very legalistic way; it’s about building prosecutable cases in US courts. And by the time you do that, an awful lot of illicit trade has happened. And then another thing I just don’t understand, and I would love to have someone explain it to me is why the United State came out with this big additional sanctions package for the second anniversary of the war. Officials announced that they were sanctioning 500 additional individuals and entities in Russia, Belarus, and third countries. What were they waiting for? Five hundred? You knew they were involved in illicit trade, and you were holding off sanctioning them? I don’t understand.
Nielsonsmith: Well, we covered quite a bit now, I’d like to go back to the topic of AUKUS in a little more detail. What implications might this have for trade compliance?
Gary: Well, I’m a Doubting Thomas about this. In part, because, again, all these initiatives seem to get a lot of press play and then turn out to not be very effective. I mentioned the Open General License initiative from, I guess, about three years ago. They don’t affect US reexport controls applicable to defense trade out of, say, the UK to countries other than to Canada and Australia. The global supply chains at this point are so interwoven. You’ve got BAE in the UK working on a US defense program that would be subject to the ITAR; BAE has probably got suppliers throughout Europe, if not throughout the world. So even if we effectively have an exemption on trade with the UK, isn’t BAE still going to have to go back and get reexport approval to deal with those suppliers in Germany and France and India possibly. So, I can see it possibly making some difference but, again, given how the global supply chain works, I have to question how effective is that going to be?
And if AUKUS causes UK, Canadian, and Australian companies to become more insular and not utilize global supply chains, is that really a good thing for our respective defence postures? The US, UK, Australia, and Canada don’t have a monopoly on all the best technology anymore. So, if creating an exemption for these countries then deters the BAEs and the Rolls-Royces of the world from using better technology that’s available in Germany for a US DoD project – is that a good thing? So, again, we shall see.
In terms of broader impact for legitimate companies, I hope they’re stepping up their third-party compliance efforts to make sure they’re not dealing with, they’re not exporting to someone where the items are going to end up in Russia or as illicit exports to China. I don’t see how you do this in 2024 without automation. You’ve got to have trade automation software to make it happen.
Nielsonsmith: Cybersecurity is quite a big topic right now, so my next question is what are the latest developments regarding the US DoD’s Cybersecurity Maturity Model Certification program?
Gary: Well, interestingly, DoD waited until December 26th, when everyone was on holiday, to publish not only proposed rules regarding CMMC 2.0, but also quite a number of additional guidance documents that would apply to CMMC 2.0. They certainly do seem to be going forward with the program. It looks like we will end up with three levels, and if you’re in defense trade, you’re going to be in Level 2 because you’re going to be dealing with export-controlled information.
The big question I have in my mind for European companies is that CMMC calls for auditing, third party auditing, to verify that you have cybersecurity programs that comply with the CMMC requirements, as articulated by the National Institute of Standards and Technologies’ Special Publication 800-171 and its various permutations. So how is that auditing abroad going to work? In Canada, they are developing their own cybersecurity program, much like CMMC, with a certification element, and they are in talks with the United States about having reciprocity, i.e., If we certify a Canadian company as being compliant with our program, will you recognize that as being compliant with CMMC and not require a separate audit? I think the UK is working on something like that. I have not heard a lot of news like that out of other European countries; so where does that leave their companies in the supply chain for US DoD, where CMMC requirements would kick in. It is still very vague about whether and when the CMMC program will accredit auditors in third countries to do this auditing. If it doesn’t for the first two – three – four – five years after CMMC comes into effect, the auditing will have to be done by US companies. I can’t imagine that companies in France or the Netherlands are going to be thrilled about having to pay for auditors from the US to come over. I’ve even heard some reservations from European companies, and this is not just some conspiracy theory, about having US auditors examine their cybersecurity programs. Is that information that’s gathered going to be funneled to our National Security Agency to allow it to snoop on their programs? So there’s a lot to be determined about CMMC 2.0, but it’s moving ahead and companies in the US DoD supply chain would be well advised, if they haven’t taken a look at all this, to do so.
Nielsonsmith: Thank you for sharing so much knowledge today. But lastly, I’d like to ask about how important you think it is for companies to invest in the training of their compliance officers and what resources they should use.
Gary: I can’t emphasize enough that training is one of the three key components to an effective compliance program. If you haven’t trained your employees about what the requirements are, how do you expect them to adhere to those requirements? And particularly, if you haven’t provided training resources to your dedicated export control managers, how are they supposed to administer your compliance programs? I see that time and time and time again. I’m going to be having a videoconference today with a company I’m assisting with a major voluntary disclosure to the Department of State, and they continue to go out and hire people to be export control managers that have no training, no experience. Well, they’re learning on the job, but in my experience over 40 years, that only may happen. A lot of these folks do not put the homework that is required into learning export control requirements.
This is not, you know, fifth-grade academics; these are very sophisticated rules they take a lot of time, a lot of effort to learn, and in a lot of instances, I’m not seeing that. But the good news, Alisa, is that on average, I find that the European export control managers are better trained, better informed than the US ones are.
Nielsonsmith: Thank you very much for your time, Gary, and I’m sure the knowledge you shared today is very much appreciated by our readers.
Gary Stanley is the President of Global Legal Services, PC, a Washington, DC-based law firm focusing on trade compliance and other international business issues.
Mr. Stanley represents, among others, numerous U.S., Canadian, and European companies on defense export control issues.
For example, Mr. Stanley has:
• Counseled numerous U.S. defense firms on securing U.S. Department of State/ Directorate of Defense Trade Controls approvals of licenses, as well as manufacturing license and technical assistance agreements, under Parts 123 and 124 of the International Traffic in Arms Regulations (“ITAR”) and in using ITAR exemptions, including the Canadian exemption in ITAR §126.5.
- Advised several companies on voluntary disclosures under ITAR § 127.12.
- Assisted numerous defense firms with registration and licensing of its brokers under Part 129 of the ITAR.
• Provided export control training to a variety of U.S., U.K., and Canadian defense firms, as well as Russian Government export control officials and various agencies of the Government of Canada, including the Canadian Department of National Defence, Canadian Department of Foreign Affairs and International Trade, and the Canadian Space Agency. From February 2004 to February 2005, Mr. Stanley served as the Special Compliance Official overseeing a major defense company’s export control compliance program pursuant to a Consent Agreement the company entered with the U.S. Department of State. State enforcement officials had brought charges against the company under a theory of successor liability for violations another company, most of whose assets this company had acquired, allegedly committed.
Besides representing private companies, Mr. Stanley has also served as a consultant to the U.S. Government and industry groups. For example, he served as the principal outside subject matter expert on export controls to prime contractor Booz Allen Hamilton Inc. in Phase II of the Transatlantic Secure Collaboration Program. This program was a consortium of ten U.S., Canadian and European defense companies, including Lockheed Martin, EADS, Northrop Grumman, and Boeing, seeking to establish “best practice” guidelines for the electronic exchange of unclassified proprietary and export-controlled information.
Mr. Stanley received his undergraduate degree from Emory University in 1975 and his law degree from Harvard Law School in 1978. He was elected in his junior year to Phi Beta Kappa. Mr. Stanley currently serves as Secretary-Treasurer and a Trustee of The Procedural Aspects of International Law Institute.
For more information about Mr. Stanley and his law firm, Global Legal Services, call him at (202) 686-4854 or e-mail him at gstanley@glstrade.com.
GLOBAL LEGAL SERVICES