Defense Trade Advisory Group Cloud Computing Plenary Session May 9, 2013.

Presentation transcript:

Defense Trade Advisory Group Cloud Computing Plenary Session May 9, 2013

2 Task 1 Working Group Members
- Marjorie Alquist, Working Group Co-Chair, LORD Corp.
- Rebecca Conover, Working Group Co-Chair, Intel Corp.
- Lisa Bencivenga, Lisa Bencivenga LLC
- Greg Bourn, Bourn Identity Inc.
- Dennis Burnett, Dennis J. Burnett, LLC
- Ginger Carney, Global Connections
- Michael Cormaney, Luks Cormaney LLP
- Kim DePew, GE Aviation
- Andrea Dynes, General Dynamics Corp.
- Larry Fink, SAIC
- Alfred Furrs, Johns Hopkins University, APL
- Dana Goodwin, TradeLink Systems, Inc.
- Greg Hill, DRS Technologies, Inc.
- Spence Leslie, Pentair
- Christine McGinn, InterGlobal Trade Consulting, Inc.
- Terry Otis, Otis Associates, LLC
- Joy Robins, Wind River Systems
- Bill Schneider, International Planning Services, Inc.
- Sal Manno, Inmarsat, Inc.
- Beth Mersch, Northrop Grumman Corporation
- Sam Sevier
- Bill Wade, L-3 Communications

3 Agenda
- Tasking Overview
- Define Cloud Computing
- Review Use of Cloud & Current Regulatory Impact
- Potential Ideas for Regulators
- DTAG Recommendation

4 Overview of Assignment Cloud Computing: The use of the “cloud” method for data storage creates some significant regulatory challenges for exporters and the U.S. Government. The Working Group should review on use of this data storage method, its various implementation arrangements, and a report on the implications for regulators and possible guidance that might be promulgated for use by exporters consistent with regulatory controls.

5 What is a Cloud?
National Institute of Science and Technology (NIST) defines ‘cloud computing’ as “…a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
- The cloud is a method of delivering shared IT computing services (servers, storage, applications)
- Essential Characteristics: Self Service, Network Access, Scalability, Resource Sharing
- Service Models: Type of computing service (Software, Infrastructure, Platform)
- Deployment Models: How the computing service is deployed (public, private, community or hybrid)
Sources: Burton, NIST, GAO Report, dated May 2010

6 Movement of Data in a Cloud
[Diagram: bytes moving among servers in Australia, China, India, Germany and the US]
- Data moves within the Cloud to adjust to computing capacity within various servers within the cloud.
- Cloud looks the same to the user – movement of data is seamless and untraceable to user.

7 Current Situation
- Export regulations, including their definitions and requirements, were originally designed for transfers of tangible items and traditional modes of information sharing.
- The ITAR does not adequately address intangible transfers or use of the Cloud as a storage method, which has become prevalent in business.
- One way to address electronic transmission and storage is through encryption.
- The ITAR currently does not address the use of encryption for the transmission or storage of ITAR controlled technical data via electronic modes.
“…Cloud computing has been the subject of a great deal of commentary. Attempts to describe cloud computing in general terms, however, have been problematic because cloud computing is not a single kind of system, but instead spans a spectrum of underlying technologies, configuration possibilities, service models, and deployment models…” (NIST “Cloud Computing Synopsis and Recommendations” Publication , May 2011 Draft)

8 Ideas Discussed Within DTAG
Ideas include (some may overlap):
1) Redefine “export” to exclude transmission or storage of encrypted ITAR controlled data
2) Redefine “technical data” to recognize Cipher text (encrypted data) as outside of its scope
3) Take no action and continue in current manner
4) Modify or create an authorization (license or exemption)
5) Establish parameters for Cloud users and Cloud Service Providers
   - Roles/Responsibilities
   - Standards or certifications
[Category labels shown on the slide: Encryption, Status Quo, Clarify]

9 How Does Encryption Work?
- Encryption allows the user to secure its data before ever placing the data into a cloud or shared server space.
- Standards for use of encryption would strengthen controls (from where they are today) and allow companies to appropriately protect ITAR controlled technical data in electronic form.

10 A Closer Look at Ideas 1 & 2
Similar in that both rely on encryption technology to secure data prior to being transmitted or stored electronically.
Different in that…
- Idea 1 redefines “export” when encryption is used as a safeguarding mechanism for ITAR controlled data stored or transmitted electronically
- Idea 2 takes idea 1 a step further and proposes that encryption transforms the ITAR controlled data to a point that the data no longer constitutes technical data under the export regulations
We will walk through both ideas in greater detail to understand the differences.

11 Idea 1: Redefine Export to Exclude Electronic Data in Encrypted Form
- Past consent agreements suggest that the mere ability to “access” ITAR controlled data presumes an export.
- Redefining “export” to exclude encrypted data allows companies to rely on electronic security features standard in virtual computing.
- Encryption is a generally accepted form of data protection
  - The USG uses encryption to protect classified information
  - Businesses use encryption to protect sensitive information
- Barriers to implementation are limited, while impact is significant.
- Establishing a level of encryption that would:
  - Protect the Cloud user;
  - Enable full use of Cloud for storage purposes;
  - Protect the data from unauthorized access and the potential of an unintended export.

12 Idea 1: Proposed Definitions
Export
Unclassified, encrypted technical data being transmitted or stored outside of the United States is not an export provided that foreign persons are not provided with access to the encryption tools.
Exports subject to this part.
The controls of this part apply to the export of technical data and the export of classified defense articles. Information which is in the public domain (see § of this subchapter and §125.4(b)(13)), and unclassified, encrypted technical data, provided it remains encrypted during its transmission and storage, is not subject to the controls of this subchapter. If access to the encryption tool is provided to a recipient, a license or other authorization may be required.

13 Ideas Discussed within DTAG
Ideas include (some may overlap):
1) Redefine “export” to exclude transmission or storage of encrypted ITAR controlled data
2) Redefine “technical data” to recognize Cipher text (encrypted data) as outside of its scope
3) Take no action and continue in current manner
4) Modify or create an authorization (license or exemption)
5) Establish parameters for Cloud users and Cloud Service Providers
   - Roles/Responsibilities
   - Standards or certifications
[Category labels shown on the slide: Encryption, Status Quo, Clarify]

14 Idea 2: Redefine Technical Data to Recognize Cipher Text as Outside of its Scope
- Taking Idea 1 a step further, the DTAG explored encryption and understands that when data is encrypted it results in ‘Cipher text’.
- The DTAG researched Cipher text, and believes the following summarizes Cipher text:
  - Cipher text is encrypted information which contains a form of the original plain text that is unreadable by human or computer without the proper cipher (key) to decrypt it.
  - The NIST paper on Computer Security (800-38F) describes it as, “The confidential form of the plaintext that is the output of the authenticated-encryption function.”
- ITAR controlled technical data that is encrypted results in Cipher text.
- The DTAG believes that Cipher text does not meet the current ITAR definition of “technical data”, since it is unreadable and unusable.

15 Is Cipher Text subject to export regulations?
[Flowchart with an ITAR branch and an EAR branch, starting from Cipher Text]
ITAR branch:
- Is Cipher Text a “defense article” per §120.6? NO
- Is Cipher Text “technical data” or “software” per § & 121.8(f)? NO
- Not information while encrypted; analogous to “personal knowledge” per §120.17(a)(1)
- Result: Not Subject to the ITAR
EAR branch:
- Is Cipher Text “technology” per Part 772.1? NO
- Is Cipher Text a “commodity” per Part 772.1? NO
- Not information while encrypted
- Result: Not Subject to the EAR
Assumptions:
- Cipher text does not include decrypted or unencrypted data
- Cipher text does not include “software”
- Encryption strength set by and commensurate with USG standards
Other notes on the slide:
- Not an article, material or supply
- Does not reveal technical data relating to items listed in ITAR § 121.1

16 Idea 2: Proposed Definitions
Technical Data
(b)(4) Unclassified, encrypted technical data being transmitted or stored, regardless of location, is not controlled under this provision provided that the data remains encrypted and the ability to decrypt the information is not disseminated. (See also § , § )
Export
Unclassified, encrypted technical data being transmitted or stored outside of the United States is not an export provided that foreign persons are not provided with access to the encryption tools.
Exports subject to this part.
The controls of this part apply to the export of technical data and the export of classified defense articles. Information which is in the public domain (see § of this subchapter and §125.4(b)(13)), and unclassified, encrypted technical data, provided it remains encrypted during its transmission and storage, is not subject to the controls of this subchapter. If access to the encryption tool is provided to a recipient, a license or other authorization may be required.

17 Items for Further Consideration
- Must align with other agencies to establish encryption standard (e.g., NIST and/or other agencies).
- Some companies/universities may not be able to meet encryption requirements to prevent exports so they will need to use traditional approaches to protect data.
- May be challenging to balance security interests with the need to offer a solution where resulting changes are not confusing to industry.
- Mechanics of ensuring the security still need to be addressed:
  - Protection of keys
  - Ensure data stays encrypted in transit and at rest
- Need to assess the impact if the USG changes the standard encryption level.
- Would encrypted data in another medium be an export if transferred or stored outside of the US?
- Idea 2 only: Would encrypted data in another medium be technical data?

18 Recommendation
The DTAG recommends:
- The ITAR recognize encrypting data (to an established standard) as an adequate means of protecting and securing ITAR controlled data.
- Unclassified, encrypted data transmitted or stored outside of the United States as not being an export provided that foreign persons are not provided with access to the encryption key.
- Unclassified, encrypted data is not subject to export regulations in this form.
- Definitions for “export” and “technical data” are amended and that the transmission and storage of unclassified, encrypted technical data be reflected in ITAR 125.1(a).
Encryption is the foundation to enabling business while securing data.
The DTAG realizes that while our task was focused on Cloud Computing storage, the solution lies in technology.

19 Questions

20 Supplemental Slides

21 References
Publications, Articles and Case Law Reviewed, Discussed and Considered Pursuant to this Tasking
- Center for Technology Innovation at Brookings, “Addressing Export Control in the Age of Cloud Computing”, John Villasenor, July 25, 2011
- Congressional Research Service, Cybersecurity Authoritative Reports and Resources, Rita Tehan, March 2013
- DoD Cloud Computing Strategy, July 2012
- GAO , “Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing.” May 2010
- NIST Special Publication F, “Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping”
- NIST Special Publication “Recommended Security Controls for Federal Information Systems and Organizations”, Rev. 3, August
- NIST Special Publication “Guidelines on Security and Privacy in Public Cloud Computing”.
- NIST Special Publication “The NIST Definition of Cloud Computing”.
- NIST Special Publication “DRAFT Cloud Computing Synopsis and Recommendations”.
- Nixon Peabody, “The Export Control Implications of Cloud Computing”, Alexandra Lopez-Casero, August
Supplemental Materials Reviewed, Discussed and Considered
- ITAR, 22 CFR 120
- CNSS Instruction 4009, National Information Assurance Glossary
- “ITAR and the Cloud”, Candace Goforth presented at the SIA Fall 2012 Conference
- “Emerging Technologies: Managing Export Controlled Data in the Cloud”, C. Goforth, Bob Rarog, Matt Henson, November 9, 2012
- “EAR Controls and Cloud Computing”, Bob Rarog, Dept. of Commerce, BIS, SIA Fall 2012 Conference
- Microsoft Office 365 “FISMA and ITAR Solutions for Enterprises,” October 2012.

22 Five Essential Characteristics
- On-Demand Self Service
- Ubiquitous Network Access
- Metered Use
- Elasticity
- Resource Pooling
Sources: Burton, NIST, GAO Report, dated May 2010

23 Deployment Models

24 Three Service Models
- SOFTWARE AS A SERVICE (SaaS): Vendor-provided software (e.g., ePerform, Cliqbook, United Way) running in a cloud infrastructure via a thin client interface
- INFRASTRUCTURE AS A SERVICE (IaaS): Vendor-provided infrastructure services (e.g., Google Apps, Microsoft Azure) to create and deploy applications
- PLATFORM AS A SERVICE (PaaS): Vendor-provided infrastructure services (e.g., operating systems, storage, network infrastructure)
[Diagram: for each model, which of the Software, Platform and Infrastructure layers are Vendor Provided and which are Customer Provided; Amazon’s EC2 is named on the slide.]
Sources: Burton, NIST, GAO Report, dated May 2010

25 What do Stakeholders Want/Need?
Department of State
- Protect National Security
- Protect military secrets
- Prevent unauthorized access to ITAR data
- Regulations that are easy to implement & oversee
- Enable business with US allies
Industry/Academia
- To operate safely in our country (and support the protection of national security)
- Protect company & military secrets
- Know how to implement/administer compliance to the regulations
- Grow business

26 Ideas 1 and 2: Benefits
- Many encryption tools are readily available to industry and the USG
- Allows use of encryption to protect data and prevent unauthorized access
- Encrypted data can be stored securely on the Cloud and eliminates the concern for where servers reside
- Allows companies to use the same kind of security that they use to protect intellectual property for export control
- Establishes an encryption “standard” for ITAR controlled data stored electronically
- Clarifies that an export/import occurs only when access to the key is provided to a foreign person
- Cloud Computing decisions are usually made by IT so it makes sense to place control of the protection of ITAR controlled data with the user by enabling the use of encryption to prevent unauthorized exports
- Idea 2 only: Recognizes encrypted ITAR controlled data as not meeting the criteria of “technical data”
- Idea 2 only: Recognizes encrypted ITAR controlled data as not subject to export regulations and allows the USG to focus its enforcement activities on ITAR controlled data in usable form

27 Idea 3: Take no action/continue in current manner
Benefits
- None identified by industry
Items for further consideration
- Current regulations can be interpreted to restrict or prohibit widespread use of the Cloud (potential national security implications, economic impact)
- Regulatory precedence in consent agreements would appear to prohibit use of the Cloud due to presumed access, even when actual access cannot be confirmed
- Usage of the Cloud is pervasive in business practice
- Cloud users and/or Cloud Service Providers risk inadvertent exports resulting in violations

28 Idea 4: Modify or Create Authorization, i.e., License or Exemption
- Assumption is that the ‘ability’ to “access” equates to an export
- Exemption (based on cloud location, level of encryption, similar to 125.4(b)(9) which authorizes secured data to “travel”)
- With the use of encryption, secured ITAR data be transferred to and stored in the Cloud without authorization provided:
  - Data is in encrypted form during transmission & storage
  - Does not involve destinations and other restrictions

29 Idea 4: Modify or Create Authorization, i.e., License or Exemption
Benefits
- Enable USG to provide clarity/parameters to industry while imposing restrictions as deemed appropriate
- There is precedent in 125.4(b)(9) for trusted situations
- Provides some relief when Cloud is defined and controlled (e.g. limited locations of servers, etc.)
- May provide some visibility to the USG (e.g. recordkeeping requirements)
- Similar approach as other countries appear to be considering with Cloud (e.g. Japan, Germany)
Items for further consideration
- May be more cumbersome than a license depending on requirements of exemption
- Recordkeeping requirements may be difficult or impossible to manage/control/regulate
- Restricts countries
- Raises issue of ‘ability to access’ vs. ‘access’ by foreign persons
- Roles, responsibilities and obligations of Cloud users and Cloud Service Providers would need to be established
- DSP-5 vehicle is not optimum for technical data transfers or storage in the Cloud
- Would Cloud users and/or Cloud Service Providers need to be registered with Dept. of State?
- An exemption would not provide relief for temporary imports of foreign data entering into a US cloud

30 Idea 3: Possible License authorization (rewrite of 125.4(b)(x) & )
§ (a) The following exemptions apply to exports of technical data for which approval is not needed from the Directorate of Defense Trade Controls. The exemptions, except for paragraph (b)(13) of this section, do not apply to exports to proscribed destinations under § of this subchapter or for persons considered generally ineligible under § 120.1(c) of this subchapter. The exemptions are also not applicable for purposes of establishing offshore procurement arrangements or producing defense articles offshore (see § ), except as authorized under § 125.4(c). Transmission of classified information must comply with the requirements of the Department of Defense National Industrial Security Program Operating Manual (unless such requirements are in direct conflict with guidance provided by the Directorate of Defense Trade Controls, in which case the latter guidance must be followed) and the exporter must certify to the transmittal authority that the technical data does not exceed the technical limitation of the authorized export.
(b) The following exports are exempt from the licensing requirements of this subchapter.
(x) Technical data encrypted at [designated USG level] virtually transmitted and stored outside the US not for end use outside the US or unlicensed location
§ Recordkeeping for exemptions. Any person engaging in any export, reexport, transfer, or retransfer of a defense article or defense service pursuant to an exemption must maintain records of each such export, reexport, transfer, or retransfer...
For section 125.4(b)(x), contract language and/or documentation demonstrating encryption (at designated USG level) prior to, during and throughout electronic storage or transmission is adequate for use of 125.4(b)(x).

31 Idea 5: Establish parameters for Cloud Users and Cloud Service Providers
- Identify roles, responsibilities and obligations of the parties (consistent among regulatory agencies)
- Certification or establishment of standards for Cloud Service Providers
- GAO speaks to both points
- Clarify whether encrypted data is export controlled
- BIS made an attempt to address the role of Cloud Service Providers in its Advisory Opinions
- Dept. of Defense Cloud Computing Strategy speaks to supporting “…the migration of moderate risk data and information (e.g., CUI, PII, PHI, ITAR and EAR) to commercial cloud services” along with recognizing the need to ‘…establish standardized, baseline DoD cloud computing SLAs and contract requirements…’
- Need to clarify USPPI – who is responsible for what

32 Idea 5: Establish parameters for Cloud Users and Cloud Service Providers (cont.)
Benefits
- Clearly identifies the responsibilities of each party
- Could achieve consistency across regulatory agencies
- Standards specific to ITAR compliance could validate Cloud Service Providers claiming ‘ITAR compliant’.
- Standards could be a subset of those established for security purposes
Items for further consideration
- Challenge of time, effort and coordination among USG agencies
- Could limit or restrict the number of providers, thereby reducing some advantages of Cloud and at the same time, increasing costs
- Creates additional burden for Cloud Service Providers
- Likely inevitable to some degree given GAO and additional complexities
- Need to consider whether the parameters would be government “guidance” versus “regulation”

33 Possible guidance that might be promulgated for use by exporters consistent with current regulatory controls
- Cloud users should understand the different types of Clouds and service models and the export risks associated with each.
- Refer to NIST Special Publication for recommendations on what the Service Level Agreement (SLA) with the cloud service provider should include.
- Roles and Responsibilities must be outlined and a means to audit the Cloud Service Provider should be established.
- SLA should identify Cloud Service Provider’s obligations upon contract termination, such as the return and expunging of data.
- Cloud users should ensure the Cloud Service Provider can meet the Cloud user’s requirements for managing ITAR controlled data.
- Cloud users should also ensure compliance with other US regulatory agencies.
- Cloud users should ensure that an adequate authentication process is implemented to protect access to company data and ITAR controlled data.