Once that file breaks out in such an unsupervised manner, no one knows exactly who is viewing
it or its ultimate destination – a major risk when handling important, government-related
technical data and, too often, a major regulatory violation.
Just what is ITAR Compliance?
Each year, several well-known enterprises are charged with failing to adhere to the International
Traffic in Arms Regulations (ITAR), a subset of the Federal Government’s export regulations.
These cases can arise even when actual illegal exports are not alleged, but sloppy practices
have resulted in “deemed” exports.
Under ITAR, the U.S. government requires all manufacturers, exporters and brokers of defense
articles, defense services and technical data to follow stringent compliance guidelines to protect
certain confidential and technical information related to national defense from unlicensed
non-citizens or transfer outside the country.
This means that recipients, or even viewers, of this data must be U.S. persons – a guideline that
standard public cloud solutions can’t ensure or track.
In just three years’ time, nine large companies have been sanctioned for ITAR violations. The
penalties are made public on government websites (even a simple Google search can yield this
information), meaning companies are unable to hide and immediately suffer a hit to their
reputation.
Recent fines for not adhering to these export regulations have ranged from $20,000 to as much
as $78 million per company. Looking back to 2007, one company had to pay $100 million in
fines and forfeitures as a result of an ITAR violation.
In addition to the substantial monetary penalties, companies investigated for potential ITAR
violations are subject to being decertified as an exporter by the government, with the obvious
devastating impact of that sanction.
ITAR’s Impact in the Cloud
ITAR regulations don’t necessarily restrict a company from using the public cloud, but a
business should be more cognizant of the technology decisions made prior to implementation
and exercise an extreme level of due diligence in the selection.
As more organizations exchange and collaborate on technical data via the cloud, ITAR
compliance will need to be considered and adhered to in the virtual solutions provided by
third-party vendors.
59 Cyber Warnings E-Magazine – December 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide