Defense Industry and the Cloud – Managing IT Security Requirements and Export Control Challenges
Companies in the defense industry face several export control regulations. Certain data and information fall under these regulations as well. Storing and processing data in the cloud poses export control challenges that require particular IT security measures.
1. The Cloud Brings Many Benefits to the Defense Industry
Digitalization is making steady progress in the defense industry. Electronic data transfers to and from online services are a key component of every company’s business operations. Data flows both within a company and externally to customers, suppliers, interested parties and public authorities.
Due to the sensitivity of the sector, the defense industry is rather reluctant to adopt cloud technology. However, the use of modern technologies is essential for the digitization process. Many standard software products that were traditionally offline desktop software have now implemented cloud elements, if not completely switched to cloud services. Universally used software, such as Microsoft Office, are now available as a cloud based service (Office 365). Manufacturers even deeply integrate cloud elements in modern operating systems, such as Windows 10. Cloud technology can hardly be avoided, at the very latest, when collaborating with external companies requires usage of commercially available cloud tools.
Cloud services encompass a wide range of services, from infrastructure as a service (IaaS), platforms as a service (PaaS) to software as a service (SaaS). Businesses use clouds to store and make accessible large amounts of data, process the information on powerful cloud servers, use commercially available online applications, and much more.
All these cloud services usually process data on complex server architectures. Cloud service providers often rely on infrastructure providers to increase server availability to customers worldwide. Many infrastructure providers, in turn, use hosting subcontractors with a distributed server network, spread across multiple countries. Some companies use a private cloud infrastructure, meaning the company stores and processes the cloud application on-premise. But even then, the data itself often flows without regard to national borders, enabling users to access the data worldwide.
2. Companies Face Numerous Export Control Regulations
In order to determine which data or information may be subject to export controls, companies must primarily observe restrictions from three areas: national export control law, the European Dual-Use Regulation, and special embargos.
Companies in Germany are subject to German national export control law. The German Foreign Trade Act (Außenwirtschaftsgesetz, AWG) and the German Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung, AWV) restrict free foreign trade on a national level. The National Export List in Annex 1 to the AWV is of particular importance. It contains military equipment in Section A, as well as nationally registered dual-use items in Section B.
At the European level, the Dual-Use Regulation (EC) No. 428/2009 applies. The European Commission recently updated the items listed in its Annexes in October 2018 (Regulation (EU) No. 2018/1922). EU legislators are currently revising a comprehensive update to the Dual-Use Regulation, expected to enter into force late 2019 or early 2020.
3. Data and Information Can Fall Under Export Restrictions
Export restrictions apply not only to physical goods but also to software and certain data. In this context, export does not only mean the actual data transfer to third countries but also accessibility of such data from other countries. Regardless of actual data retrieval, the mere possibility of data access is sufficient.
For the cloud, this means that, if the cloud provider’s servers are located in another country, the use of this cloud for restricted data is an export-controlled process. However, if the cloud servers are in Germany and the data can be accessed from abroad, this comprises an export-controlled process as well.
The national and EU export regulations contain lists of specific restricted goods. Certain software is included in these lists. Likewise, certain dual-use goods, meaning goods that are useable for military purposes in addition to civilian purposes, including software and data, are subject to export restrictions.
An export of such software is subject to the same restrictions as physical goods. With regard to the cloud, this would apply to the cloud software itself, i.e. an SaaS application developed by the company, if it was developed for the stated purposes.
Restrictions also cover „technologies“. This includes the specific technical knowledge required to develop, manufacture or use a restricted good. This information is often stored or processed as data in clouds. This can happen through data transmissions via cloud infrastructures, or by further processing the data in SaaS applications. Such data flows can constitute an export under the export control regulations.
In addition, export regulations contain “catch-all clauses”, restricting non-listed items if they are intended for military use in „critical“ countries in connection with NBC weapons. Restrictions based on specific embargos of recipient countries or individuals should not be overlooked as well. In determining if their data may be subject to restrictions, companies should therefore not merely rely on checking the respective lists of restricted items, but carry out a comprehensive examination.
Small and medium-sized enterprises in particular need to be vigilant if they cannot themselves provide a private cloud infrastructure under their full control.
4. Cloud Usage Leads to IT Security Requirements
To ensure compliance with export restrictions without obtaining special permits, defense industry companies face numerous IT security challenges if they choose to use cloud services.
First, companies must identify the extent to which they potentially own critical software, technology or information in the form of data. They must then determine which data might fall under the national export list or the dual-use regulation. Companies must evaluate any possible international transfers of such data, including if data stored locally is accessible internationally. For this purpose, companies must ensure that employees only use authorized cloud services for restricted data, and verify the actual location of data servers and data flows carefully.
Even if the company intends to use international cloud tools for non-critical data only, they must still undertake special measures to secure the transfers. In order to avoid export restrictions, they must ensure that the system architecture effectively separates the information not covered by export restrictions from the data relevant under export control law.
If companies make their cloud servers accessible internationally, for example for employees traveling abroad, access restrictions must ensure that only authorized personnel have access and only non-critical data is accessible. Appropriate security measures are required. Companies can solve this through access control schemes, for example, by implementing access control technologies that effectively restrict availability. Arguably, data encrypted under a well-implemented encryption scheme should not be subject to export controls as well.
Depending on the type of cloud application, such adequate security measures might not be possible at all. Many public cloud providers, for example, store and make available unencrypted user data across servers in multiple countries. Consequently, companies should not process any restricted data with such applications.
For any company dealing with potentially restricted data, it is advisable to introduce and maintain an „Internal Compliance Program“ (ICP) in order to establish procedures and monitor compliance with export restrictions. The establishment of an ICP requires careful planning and diligent implementation. In light of several recent and imminent updates to the legal bases of export restrictions, constant updates to internal compliance efforts are essential.