Risky Business: The Cost of Non-Compliance

What is the importance of all this? Since 2010, there have been nine cases where aerospace and defense contractors have been sanctioned for failing to comply with ITAR. In 2014, there were two fines issued, totaling approximately $30 million. In 2013, there were three fines issued for ITAR violations, for a total of $41 million.

Year    Number of Fines Issued    Total Amount of Assessed and Contingent Fines
2014    2                         $30 million
2013    3                         $41 million
2012    3                         $55 million
2011    1                         $79 million

Moreover, the possibility of fines is not the totality of sanctions. Those possibilities extend to additional civil and administrative remedies, including debarment as an exporter or even a government contractor. Consequences could extend into criminal sanctions for egregious non-compliance.

Encryption and Tokenization

Complex requirements and lagging use of technology solutions have led many to move quicker than the DDTC would wish. The U.S. State Department has already cautioned at least one cloud security services provider for overstating the benefits of encryption and tokenization to meet ITAR's high standards. While the provider apparently sought to market its token-based encryption technology as solving certain ITAR deemed export restrictions, according to a June 9, 2014 article published in the Wall Street Journal on the issue, a State Department official is quoted as stating,

"Tokenization is almost irrelevant to the exemption. We did not in any shape or form endorse tokenization as means [of meeting ITAR standards]."

Many organizations wishing or having to use the collaborative and efficient cloud solutions that are coming to define best practices for ITAR technical data are, therefore, faced with a choice. One alternative is to develop an expensive private, dark cloud to provide secure storage and sharing of sensitive documents.

Newer offerings are entering the market and have sophisticated functionality that achieves important efficiencies and cost savings. These offerings have systemic monitoring tools to track who has viewed information, if it has been copied to an unsecure platform or if it has been exported.

The second choice is a conscious effort to attempt to avoid ITAR rules through the deployment of existing enterprise tools that are at substantial risk of not meeting security guidelines.

Not only do these tools fail to take safeguards to prevent non-U.S. persons from viewing information, potentially causing the unintended or accidental export of ITAR-defined technical data, they also lack definitive measures to prevent information from being copied or shared outside
CYBER DEFENSE MAGAZINE - ANNUAL EDITION 3