Defense Trade Advisory GroupCloud Computing

Plenary SessionMay 9, 2013

2

Marjorie Alquist, Working Group Co-Chair, LORD Corp.

Rebecca Conover, Working Group Co-Chair, Intel Corp.

Lisa Bencivenga, Lisa Bencivenga LLC

Greg Bourn, Bourn Identity Inc.

Dennis Burnett, Dennis J. Burnett, LLC

Ginger Carney, Global Connections

Michael Cormaney, Luks Cormaney LLP

Kim DePew, GE Aviation

Andrea Dynes, General Dynamics Corp.

Larry Fink, SAIC

Alfred Furrs, Johns Hopkins University, APL

Task 1 Working Group Members

Dana Goodwin, TradeLink Systems, Inc.

Greg Hill, DRS Technologies, Inc.

Spence Leslie, Pentair

Christine McGinn, InterGlobal Trade Consulting, Inc.

Terry Otis, Otis Associates, LLC

Joy Robins, Wind River Systems

Bill Schneider, International Planning Services, Inc.

Sal Manno, Inmarsat, Inc.

Beth Mersch, Northrop Grumman Corporation

Sam Sevier

Bill Wade, L-3 Communications

3

Agenda

• Tasking Overview

• Define Cloud Computing

• Review Use of Cloud & Current Regulatory Impact

• Potential Ideas for Regulators

• DTAG Recommendation

4

Overview of Assignment

Cloud Computing: The use of the “cloud” method for data storage creates some significant regulatory challenges for exporters and the U.S. Government.

The Working Group should review on use of this data storage method, its various implementation arrangements, and a report on the implications for regulators and possible guidance that might be promulgated for use by exporters consistent with regulatory controls.

5

What is a Cloud?

National Institute of Science and Technology (NIST) defines ‘cloud computing’ as “…a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisions and released with minimal management effort of service provider interaction.”

   The cloud is a method of

delivering shared IT computing services (servers, storage, applications)

Essential Characteristics: Self Service , Network Access, Scalability, Resource Sharing

Service Models: Type of computing service (Software, Infrastructure, Platform)

Deployment Models: How the computing service is deployed (public, private, community or hybrid)Sources: Burton, NIST, GAO Report, dated May 2010

6

Movement of Data in a Cloud

Server in Australia

Server in ChinaServer in India

Server in Germany Server in US

Data moves within the Cloud to adjust to computing capacity within various servers within the cloud.

Cloud looks the same to the user – movement of data is seamless and untraceable to user.

Byte

s

Bytes Bytes

BytesBytesBytes

BytesBytes

Bytes

7

Export regulations, including their definitions and requirements, were originally designed for transfers of tangible items and traditional modes of information sharing. The ITAR does not adequately address intangible transfers or use of the Cloud as a storage method, which has become prevalent in business.

One way to address electronic transmission and storage is through encryption.

The ITAR currently does not address the use of encryption for the transmission or storage of ITAR controlled technical data via electronic modes.

Current Situation

“…Cloud computing has been the subject of a great deal of commentary. Attempts to describe cloud computing in general terms,

however, have been problematic because cloud computing is not a single kind of system, but instead spans a spectrum of underlying

technologies, configuration possibilities, service models, and deployment models… “(NIST “Cloud Computing Synopsis and

Recommendations” Publication 800-146, May 2011 Draft)

8

Ideas Discussed Within DTAG

Ideas include (some may overlap):1) Redefine “export” to exclude transmission or

storage of encrypted ITAR controlled data 2) Redefine “technical data” to recognize Cipher

text (encrypted data) as outside of its scope 3) Take no action and continue in current

manner4) Modify or create an authorization (license or

exemption)5) Establish parameters for Cloud users and

Cloud Service Providers• Roles/Responsibilities• Standards or certifications

Encryption

Status Quo

Clarify

9

Encryption allows the user to secure its data before ever placing the data into a cloud or shared server space.

Standards for use of encryption would strengthen controls (from where they are today) and allow companies to appropriately protect ITAR controlled technical data in electronic form.

How Does Encryption Work?

10

A Closer Look at Ideas 1 & 2

• Similar in that both rely on encryption technology to secure data prior to being transmitted or stored electronically

• Different in that…• Idea 1 redefines “export” when encryption is used as a

safeguarding mechanism for ITAR controlled data stored or transmitted electronically

• Idea 2 takes idea 1 a step further and proposes that encryption transforms the ITAR controlled data to a point that the data no longer constitutes technical data under the export regulations

We will walk through both ideas in greater detail to understand the differences.

11

Idea 1: Redefine Export to Exclude Electronic Data in Encrypted Form

Past consent agreements suggest that the mere ability to “access” ITAR controlled data presumes an export. Redefining “export” to exclude encrypted data allows companies to rely on electronic security features standard in virtual computing.

Encryption is a generally accepted form of data protection

• The USG uses encryption to protect classified information

•Businesses use encryption to protect sensitive information

Barriers to implementation are limited, while impact is significant.

Establishing a level of encryption that would:• Protects the Cloud user;•Enables full use of Cloud for storage purposes;•Protects the data from unauthorized access and the potential of an unintended export.

12

Idea 1: Proposed Definitions120.17 ExportUnclassified, encrypted technical data being transmitted or stored outside of the United States is not an export provided that foreign persons are not provided with access to the encryption tools.

125.1 Exports subject to this part. The controls of this part apply to the export of technical data and the export of classified defense articles.  Information which is in the public domain (see §120.11 of this subchapter and §125.4(b)(13)), and unclassified, encrypted technical data, provided it remains encrypted during its transmission and storage, is not subject to the controls of this subchapter.  If access to the encryption tool is provided to a recipient, a license or other authorization may be required

13

Ideas Discussed within DTAG

Ideas include (some may overlap):1) Redefine “export” to exclude transmission or

storage of encrypted ITAR controlled data 2) Redefine “technical data” to recognize Cipher

text (encrypted data) as outside of its scope 3) Take no action and continue in current

manner4) Modify or create an authorization (license or

exemption)5) Establish parameters for Cloud users and

Cloud Service Providers• Roles/Responsibilities• Standards or certifications

Encryption

Status Quo

Clarify

14

Idea 2: Redefine Technical Data to Recognize Cipher Text as Outside of its Scope

Taking Idea 1 a step further, the DTAG explored encryption and understands that when data is encrypted it results in ‘Cipher text’. The DTAG researched Cipher text, and believes the following summarizes Cipher text:

Cipher text is encrypted information which contains a form of the original plain text that is unreadable by human or computer without the proper cipher (key) to decrypt it. The NIST paper on Computer Security (800-38F) describes it as, “The confidential form of the plaintext that is the output of the authenticated-encryption function.”

ITAR controlled technical data that is encrypted results in Cipher text. The DTAG believes that Cipher text does not meet the current ITAR definition of “technical data”, since it is unreadable and unusable.

• Not information while encrypted

Not Subject to the EAR

Is Cipher Text “technology”

per Part 772.1? NO

Is Cipher Text a “commodity” per Part 772.1?

NO

Assumptions

Is Cipher Text “technical data”

or “software” per §120.10 &

121.8(f)? NO

Cipher Text

Is Cipher Text a “defense article” per

§120.6? NO

ITAR

EARR

• Not information while encrypted• Analogous to “personal

knowledge” per §120.17(a)(1)

Not Subject to the ITAR

Is Cipher Text subject to

export regulations?

• Cipher text does not include decrypted or unencrypted data

• Cipher text does not include “software”• Encryption strength set by and commensurate with USG

standards

• Not an article, material or supply

• Does not reveal technical data relating to items listed in ITAR§ 121.1

16

Idea 2: Proposed Definitions120.10 Technical Data(b)(4) Unclassified, encrypted technical data being transmitted or stored, regardless of location, is not controlled under this provision provided that the data remains encrypted and the ability to decrypt the information is not disseminated.  (See also § 120.17, § 125.10) 120.17 ExportUnclassified, encrypted technical data being transmitted or stored outside of the United States is not an export provided that foreign persons are not provided with access to the encryption tools.

125.1 Exports subject to this part.The controls of this part apply to the export of technical data and the export of classified defense articles.  Information which is in the public domain (see §120.11 of this subchapter and §125.4(b)(13)), and unclassified, encrypted technical data, provided it remains encrypted during its transmission and storage, is not subject to the controls of this subchapter.  If access to the encryption tool is provided to a recipient, a license or other authorization may be required.

17

Items for further considerationMust align with other agencies to establish encryption standard (e.g., NIST and/or other agencies).

Some companies/universities may not be able to meet encryption requirements to prevent exports so they will need to use traditional approaches to protect data.

May be challenging to balance security interests with the need to offer a solution where resulting changes are not confusing to industry.

Mechanics of ensuring the security still need to be addressed:• Protection of keys• Ensure data stays encrypted in transit and at rest

Need to assess the impact if the USG changes the standard encryption level.

Would encrypted data in another medium be an export if transferred or stored outside of the US?

Idea 2 only: Would encrypted data in another medium be technical data?

Items for Further Consideration

18

The DTAG recommends:• The ITAR recognize encrypting data (to an established standard) as an

adequate means of protecting and securing ITAR controlled data.• Unclassified, encrypted data transmitted or stored outside of the

United States as not being an export provided that foreign persons are not provided with access to the encryption key.

• Unclassified, encrypted data is not subject to export regulations in this form.

• Definitions for “export” and “technical data” are amended and that the transmission and storage of unclassified, encrypted technical data be reflected in ITAR 125.1(a).

Recommendation

Encryption is the foundation to enabling business while securing data. The DTAG realizes that while our task was focused on Cloud

Computing storage, the solution lies in technology.

19

Questions

20

Supplemental Slides

21

ReferencesPublications, Articles and Case Law Reviewed, Discussed and Considered Pursuant to this Tasking Center for Technology Innovation at Brookings, “Addressing Export Control in the Age of Cloud Computing”, John Villasenor, July 25, 2011Congressional Research Service, Cybersecurity Authoritative Reports and Resources, Rita Tehan, March 2013DoD Cloud Computing Strategy, July 2012GAO-10-513, “Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing.” May 2010NIST Special Publication 800-38F, “Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping”NIST Special Publication 800-53 “Recommended Security Controls for Federal Information Systems and Organizations”, Rev. 3, August 2009.NIST Special Publication 800-144 “Guidelines on Security and Privacy in Public Cloud Computing”.NIST Special Publication 800-145 “The NIST Definition of Cloud Computing”.NIST Special Publication 800-146 “DRAFT Cloud Computing Synopsis and Recommendations”.Nixon Peabody, “The Export Control Implications of Cloud Computing”, Alexandra Lopez-Casero, August 2011. Supplemental Materials Reviewed, Discussed and Considered ITAR, 22 CRF 120CNSS Instruction 4009, National Information Assurance Glossary“ITAR and the Cloud”, Candace Goforth presented at the SIA Fall 2012 Conference“Emerging Technologies: Managing Export Controlled Data in the Cloud”, C. Goforth, Bob Rarog, Matt Henson, November 9, 2012“EAR Controls and Cloud Computing”, Bob Rarog, Dept. of Commerce, BIS, SIA Fall 2012 ConferenceMicrosoft Office 365 “FISMA and ITAR Solutions for Enterprises,” October 2012.

 

22

Five Essential Characteristics

$

= $$( x Jan, Feb, Mar…)

$( x Jan)

Sources: Burton, NIST, GAO Report, dated May 2010

23

Deployment Models

24

Three Service Models

SOFTWARE AS A SERVICE (SaaS)

Vendor-provided software (e.g., ePerform, Cliqbook, United Way)

running in a cloud infrastructure via a thin client interface

INFRASTRUCTURE AS A SERVICE (IaaS)

Vendor-provided infrastructure services (e.g., Google Apps, Microsoft

Azure) ) to create and deploy applications

PLATFORM AS A SERVICE (PaaS)

Vendor-provided infrastructure services (e.g., operating systems, storage, network infrastructure)

Amazon’s EC2

Infrastructure

Platform

Software

Vendor Provided Vendor Provided Vendor Provided

Software

Platform

Infrastructure

Software

Platform

Infrastructure

Sources: Burton, NIST, GAO Report, dated May 2010

25

What do Stakeholders Want/Need?

26

Ideas 1 and 2: BenefitsBenefitsMany encryption tools are readily available to industry and the USG

Allows use of encryption to protect data and prevent unauthorized access

Encrypted data can be stored securely on the Cloud and eliminates the concern for where servers reside

Allows companies to use the same kind of security that they use to protect intellectual property for export control

Establishes an encryption “standard” for ITAR controlled data stored electronically

Clarifies that an export/import occurs only when access to the key is provided to a foreign person

Cloud Computing decisions are usually made by IT so it makes sense to place control of the protection of ITAR controlled data with the user by enabling the use of encryption to prevent unauthorized exports

Idea 2 only: Recognizes encrypted ITAR controlled data as not meeting the criteria of “technical data”

Idea 2 only: Recognizes encrypted ITAR controlled data as not subject to export regulations and allows the USG to focus its enforcement activities on ITAR controlled data in usable form

27

Idea 3: Take no action/continue in current manner

Benefits

None identified by industry

Items for further considerationCurrent regulations can be interpreted to restrict or prohibit widespread use of the Cloud (potential national security implications, economic impact)

Regulatory precedence in consent agreements would appear to prohibit use of the Cloud due to presumed access, even when actual access cannot be confirmed

Usage of the Cloud is pervasive in business practice

Cloud users and/or Cloud Service Providers risk inadvertent exports resulting in violations

28

Idea 4: Modify or Create Authorization, i.e., License or Exemption

• Assumption is that the ‘ability’ to “access” equates to an export• Exemption (based on cloud location, level of encryption, similar to

125.4(b)(9) which authorizes secured data to “travel”)• With the use of encryption, secured ITAR data be transferred to and

stored in the Cloud without authorization provided:• Data is in encrypted form during transmission & storage• Does not involve 126.1 destinations and other restrictions

29

Idea 4: Modify or Create Authorization, i.e., License or Exemption

Benefits

Enable USG to provide clarity/parameters to industry while imposing restrictions as deemed appropriate

There is precedent in 125.4(b)(9) for trusted situations

Provides some relief when Cloud is defined and controlled (e.g. limited locations of servers, etc.)

May provide some visibility to the USG (e.g. recordkeeping requirements)

Similar approach as other countries appear to be considering with Cloud (e.g. Japan, Germany)

Items for further consideration

May be more cumbersome than a license depending on requirements of exemption

Recordkeeping requirements may be difficult or impossible to manage/control/regulate

Restricts 126.1 countries

Raises issue of ‘ability to access’ vs. ‘access’ by foreign persons

Roles, responsibilities and obligations of Cloud users and Cloud Service Providers would need to be established

DSP-5 vehicle is not optimum for technical data transfers or storage in the Cloud

Would Cloud users and/or Cloud Service Providers would need to be registered with Dept. of State?

An exemption would not provide relief for temporary imports of foreign data entering into a US cloud

30

Idea 3: Possible License authorization

(rewrite of 125.4(b)(x) & 123.26)§ 125.4(a)The following exemptions apply to exports of technical data for which approval is not needed from the Directorate of Defense Trade Controls. The exemptions, except for paragraph (b)(13) of this section, do not apply to exports to proscribed destinations under § 126.1 of this subchapter or for persons considered generally ineligible under § 120.1(c) of this subchapter. The exemptions are also not applicable for purposes of establishing offshore procurement arrangements or producing defense articles offshore (see § 124.13), except as authorized under § 125.4(c). Transmission of classified information must comply with the requirements of the Department of Defense National Industrial  Security Program Operating Manual (unless such requirements are in direct conflict with guidance provided by the Directorate of Defense Trade controls, in which case the latter guidance must be followed) and the exporter must certify to the transmittal authority that the technical data does not exceed the technical limitation of the authorized export.

(b) The following exports are exempt from the licensing requirements of this subchapter.

(x) Technical data encrypted at [designated USG level] virtually transmitted and stored outside the US not for end use outside the US or unlicensed location  § 123.26 Recordkeeping for exemptions.

Any person engaging in any export, reexport, transfer, or retransfer of a defense article or defense service pursuant to an exemption must maintain records of each such export, reexport, transfer, or retransfer. ..

For section 125.4(b)(x), contract language and/or documentation demonstrating encryption (at designated USG level) prior to, during and throughout electronic storage or transmission is adequate for use of 125.4(b)(x).

31

Idea 5: Establish parameters for Cloud Users and Cloud Service Providers

• Identify roles, responsibilities and obligations of the parties (consistent among regulatory agencies)

• Certification or establishment of standards for Cloud Service Providers

• GAO-10-513 speaks to both points• Clarify whether encrypted data is export controlled• BIS made an attempt to address the role of Cloud Service Providers

in its Advisory Opinions• Dept. of Defense Cloud Computing Strategy speaks to supporting

“…the migration of moderate risk data and information (e.g., CUI, PII, PHI, ITAR and EAR) to commercial cloud services” along with recognizing the need to ‘…establish standardized, baseline DoD cloud computing SLAs and contract requirements…’

• Need to clarify USPPI – who is responsible for what

32

Idea 5: Establish parameters for Cloud Users and Cloud Service Providers (cont.)

BenefitsClearly identifies the responsibilities of each party

Could achieve consistency across regulatory agencies

Standards specific to ITAR compliance could validate Cloud Service Providers claiming ‘ITAR compliant’.

Standards could be a subset of those established for security purposes

Items for further considerationChallenge of time, effort and coordination among USG agencies

Could limit or restrict the number of providers, thereby reducing some advantages of Cloud and at the same time, increasing costs

Creates additional burden for Cloud Service Providers

Likely inevitable to some degree given GAO-10-513 and additional complexities

Need to consider whether the parameters would be government “guidance” versus “regulation”

33

Possible guidance that might be promulgated for use

by exporters consistent with current regulatory controls

• Cloud users should understand the different types of Clouds and service models and the export risks associated with each.

• Refer to NIST Special Publication 800-144 for recommendations on what the Service Level Agreement (SLA) with the cloud service provider should include.

• Roles and Responsibilities must be outlined and a means to audit the Cloud Service Provider should be established.

• SLA should identify Cloud Service Provider’s obligations upon contract termination, such as the return and expunging of data.

• Cloud users should ensure the Cloud Service Provider can meet the Cloud user’s requirements for managing ITAR controlled data.

• Cloud users should also ensure compliance with other US regulatory agencies.

• Cloud users should ensure that an adequate authentication process is implemented to protect access to company data and ITAR controlled data.