Businesses that handle US military data must be extremely careful. The regulations under ITAR (International Traffic in Arms Regulations) and EAR (Export Arms Regulations) carry severe penalties for disclosing restricted data, including civil fines, criminal charges, and forfeiture of restricted materials.
The situation is similar in some ways to the protection of personal health data under HIPAA, but there are important differences. HIPAA violations have resulted in multi-million-dollar fines, but they won’t put anyone in jail for ten years. HIPAA is concerned with the quality of protection and is otherwise flexible, but ITAR has specific and not always intuitive requirements on how information can be handled and who can handle it.
Credit card numbers and health records have market value for thieves, but they seldom draw the level of concerted espionage which military data attracts. Expert spies can discover important secrets by connecting the dots between items that look harmless in themselves, so the US authorities are very watchful.
General-purpose services aren’t enough
General-purpose online services may have extremely good data protection yet not be ITAR-compliant. Large cloud services often have multinational data centers, but ITAR data may be stored only in the United States. Anyone who handles the data must meet strict requirements. The requirements shift from time to time, making compliance easier in some ways but more difficult in others.
Record keeping is an important part of the requirements. It’s necessary not just to show that information is in authorized hands, but to keep an audit trail of how it has been handled.
The only safe course when looking for a cloud service to handle restricted data is to choose one that has specific expertise and can comply with export regulations.
Mistakes have serious consequences
The penalties for non-compliance can be serious, and producers all along the supply chain may be subject to them. This applies to anyone buying, selling, or distributing products on the US Munitions List. Many items intended for space flight are on the list, since that’s missile technology.
In 2017, a New Jersey defense manufacturer was cited for making diagrams of restricted components available to foreign persons. It had requested bids from non-US companies and put the diagrams up on its website. The company’s business is “manufacturing minor spare parts (including rubber stoppers, seals assemblies, and grommets),” so it seems unlikely any serious military secrets were revealed. That may be why the company only had to pay a $400,000 civil penalty rather than face criminal charges.
This incident shows that small businesses as well as large ones are under scrutiny, and that information on ordinary components, not just advanced technology, needs to be strictly protected.
Some restrictions would surprise the average person. Military technology drifts into the mainstream over time. What was at the leading edge during Vietnam may be considered commonplace today. This doesn’t always mean, though, that it’s been removed from the USML. When in doubt about whether information may be restricted, it’s best to get professional advice.
Cloud migration is an option
Many businesses that deal with restricted data use only on-premises systems. This gives them full control over IT operations and physical access. They can lock doors and require identification on entry to the server area. Any desired level of data protection is possible. Data can be encrypted at the whole-disk level and again for individual files. The systems can be as isolated as necessary from the Internet.
However, this isn’t a cost-effective approach. Server hardware and software has to be maintained, upgraded, and replaced over time. Physical security requires full-time personnel. Data security requires expertise and constant monitoring. Using managed services is an option for many kinds of business, but it’s rarely feasible when ITAR and EAR compliance is required.
Cloud services have seen a tremendous growth in popularity, for good reasons. They reduce the burden of system maintenance. They provide physical security which is hard to match in the typical office building. They provide scalable resources so that it isn’t necessary to buy new hardware as processing and storage requirements increase. The best services have high-level data security and constantly monitor their networks for any sign of a breach. For a broad range of business needs, cloud services are the most cost-effective, reliable, and secure option. Many services comply with specific security requirements, such as HIPAA for health records and PCI for payment data.
These are valuable features when handling data under arms restrictions. Cloud storage can be suitable for data restricted by arms export regulations, but the requirements go beyond ordinary data security. Even an excellent security record isn’t enough by itself.
In some cases, export-restricted data may be placed on cloud servers if it has been secured with end-to-end encryption. That is, the data must be encrypted before going to the cloud and decrypted by an authorized party. The cloud provider can’t have the ability to decrypt the data, even as an emergency recovery option. There are some limits to this exception.
If the company does its own encryption before uploading, it needs to document this step and be sure never to skip it. Uploading unencrypted data by mistake could have serious consequences. Encryption needs to be an integral part of the data transfer process.
ITAR-compliant cloud services
A cloud provider which is explicitly ITAR-compliant and writes compliance into its contracts is the only safe choice when migrating technical data to the cloud. Such a provider uses only US-based facilities and allows only confirmed US persons access to the information it handles.
Not all employees in a business are cleared to the same level. Access to export-controlled data needs to be on a strict need-to-know basis. The system should have highly granular access controls and log all access to controlled data.
Any business that deals in military products and information carries a heavy responsibility. It needs to take it seriously, both to avoid giving information to hostile powers and to protect itself from liability. At the same time, it needs to take advantage of the latest developments in technology to stay competitive. Doing it properly achieves compliance with export regulations and gives technical data the protection it needs. The key is to choose a service that is reliable, understands the relevant regulations, and strictly complies with them.