Ensuring that technical data is compliant with both export regulations and cybersecurity requirements requires an understanding of what export controlled technical data/technology covers and how export regulations and cybersecurity work together. The two major export control regulations, the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), define controlled technical data/technology differently.
An effective approach requires incorporating export regulations into cybersecurity protocols. This means the IT architecture needs not only to cover the encryption requirements and authentication protocols that govern access to a company’s systems, files, and share drives, but also to analyze what “employees” have access to once they have validly entered their company’s domain.
Even though the environment is secure by cybersecurity standards, it may not be “export” compliant.
Example: a company has export controlled data that is cybersecurity compliant (i.e., encrypted). A potential export violation could still occur if the person accessing the data (or potentially able to access it) doesn’t have the proper export authority based on their nationality/location. A U.S. company sets up an office in the United Kingdom (U.K.) and hires a U.K. citizen to work in that location. The U.K. citizen then gains access to the company’s server, which has export controlled technical data/technology located on it; in other words, the U.K. citizen has not been firewalled out of the location where the controlled data is located. Whether or not the employee actually accessed the data, the potential access may constitute a potential export violation.
The recent trend is toward more cybersecurity measures that identify the “export controlled data” and address how it is being identified, controlled, and tracked.