Defense Trade Advisory Group Cloud Computing Plenary Session May 9, 2013
Task 1 Working Group Members • Dana Goodwin, TradeLink Systems, Inc. • Greg Hill, DRS Technologies, Inc. • Spence Leslie, Pentair • Christine McGinn, InterGlobal Trade Consulting, Inc. • Terry Otis, Otis Associates, LLC • Joy Robins, Wind River Systems • Bill Schneider, International Planning Services, Inc. • Sal Manno, Inmarsat, Inc. • Beth Mersch, Northrop Grumman Corporation • Sam Sevier • Bill Wade, L-3 Communications • Marjorie Alquist, Working Group Co-Chair, LORD Corp. • Rebecca Conover, Working Group Co-Chair, Intel Corp. • Lisa Bencivenga, Lisa Bencivenga LLC • Greg Bourn, Bourn Identity Inc. • Dennis Burnett, Dennis J. Burnett, LLC • Ginger Carney, Global Connections • Michael Cormaney, Luks Cormaney LLP • Kim DePew, GE Aviation • Andrea Dynes, General Dynamics Corp. • Larry Fink, SAIC • Alfred Furrs, Johns Hopkins University, APL
Agenda • Tasking Overview • Define Cloud Computing • Review Use of Cloud & Current Regulatory Impact • Potential Ideas for Regulators • DTAG Recommendation
Overview of Assignment Cloud Computing: The use of the “cloud” method for data storage creates some significant regulatory challenges for exporters and the U.S. Government. The Working Group should review the use of this data storage method and its various implementation arrangements, and report on the implications for regulators and possible guidance that might be promulgated for use by exporters consistent with regulatory controls.
What is a Cloud? The National Institute of Standards and Technology (NIST) defines ‘cloud computing’ as “…a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” • Essential Characteristics: Self Service, Network Access, Scalability, Resource Sharing • Service Models: Type of computing service (Software, Infrastructure, Platform) • Deployment Models: How the computing service is deployed (public, private, community or hybrid) • The cloud is a method of delivering shared IT computing services (servers, storage, applications) Sources: Burton, NIST, GAO Report, dated May 2010
Movement of Data in a Cloud Data moves within the Cloud to adjust to computing capacity within various servers within the cloud. Cloud looks the same to the user – movement of data is seamless and untraceable to user. [Diagram: bytes moving among servers in Germany, the US, Australia, India and China]
Current Situation Export regulations, including their definitions and requirements, were originally designed for transfers of tangible items and traditional modes of information sharing. The ITAR does not adequately address intangible transfers or use of the Cloud as a storage method, which has become prevalent in business. One way to address electronic transmission and storage is through encryption. The ITAR currently does not address the use of encryption for the transmission or storage of ITAR controlled technical data via electronic modes. “…Cloud computing has been the subject of a great deal of commentary. Attempts to describe cloud computing in general terms, however, have been problematic because cloud computing is not a single kind of system, but instead spans a spectrum of underlying technologies, configuration possibilities, service models, and deployment models…” (NIST “Cloud Computing Synopsis and Recommendations” Publication 800-146, May 2011 Draft)
Ideas Discussed Within DTAG • Ideas include (some may overlap): • Redefine “export” to exclude transmission or storage of encrypted ITAR controlled data • Redefine “technical data” to recognize Cipher text (encrypted data) as outside of its scope • Take no action and continue in current manner • Modify or create an authorization (license or exemption) • Establish parameters for Cloud users and Cloud Service Providers • Roles/Responsibilities • Standards or certifications (Slide labels grouping the ideas: Encryption, Status Quo, Clarify)
How Does Encryption Work? Encryption allows the user to secure its data before ever placing the data into a cloud or shared server space. Standards for use of encryption would strengthen controls (from where they are today) and allow companies to appropriately protect ITAR controlled technical data in electronic form.
A Closer Look at Ideas 1 & 2 • Similar in that both rely on encryption technology to secure data prior to being transmitted or stored electronically • Different in that… • Idea 1 redefines “export” when encryption is used as a safeguarding mechanism for ITAR controlled data stored or transmitted electronically • Idea 2 takes idea 1 a step further and proposes that encryption transforms the ITAR controlled data to a point that the data no longer constitutes technical data under the export regulations • We will walk through both ideas in greater detail to understand the differences.
Idea 1: Redefine Export to Exclude Electronic Data in Encrypted Form • Past consent agreements suggest that the mere ability to “access” ITAR controlled data presumes an export. Redefining “export” to exclude encrypted data allows companies to rely on electronic security features standard in virtual computing. • Encryption is a generally accepted form of data protection • The USG uses encryption to protect classified information • Businesses use encryption to protect sensitive information • Barriers to implementation are limited, while impact is significant. • Establishing a level of encryption that would: • Protect the Cloud user; • Enable full use of Cloud for storage purposes; • Protect the data from unauthorized access and the potential of an unintended export.
Idea 1: Proposed Definitions • 120.17 Export: Unclassified, encrypted technical data being transmitted or stored outside of the United States is not an export provided that foreign persons are not provided with access to the encryption tools. • 125.1 Exports subject to this part: The controls of this part apply to the export of technical data and the export of classified defense articles. Information which is in the public domain (see §120.11 of this subchapter and §125.4(b)(13)), and unclassified, encrypted technical data, provided it remains encrypted during its transmission and storage, is not subject to the controls of this subchapter. If access to the encryption tool is provided to a recipient, a license or other authorization may be required.
Idea 2: Redefine Technical Data to Recognize Cipher Text as Outside of its Scope • Taking Idea 1 a step further, the DTAG explored encryption and understands that when data is encrypted it results in ‘Cipher text’. The DTAG researched Cipher text, and believes the following summarizes Cipher text: • Cipher text is encrypted information which contains a form of the original plain text that is unreadable by human or computer without the proper cipher (key) to decrypt it. The NIST paper on Computer Security (800-38F) describes it as, “The confidential form of the plaintext that is the output of the authenticated-encryption function.” • ITAR controlled technical data that is encrypted results in Cipher text. The DTAG believes that Cipher text does not meet the current ITAR definition of “technical data”, since it is unreadable and unusable.
Cipher Text: Is Cipher Text subject to export regulations? Assumptions: • Cipher text does not include decrypted or unencrypted data • Cipher text does not include “software” • Encryption strength set by and commensurate with USG standards ITAR: • Is Cipher Text a “defense article” per §120.6? NO • Is Cipher Text “technical data” or “software” per §120.10 & 121.8(f)? NO • Result: Not Subject to the ITAR • Not information while encrypted • Analogous to “personal knowledge” per §120.17(a)(1) • Does not reveal technical data relating to items listed in ITAR §121.1 EAR: • Is Cipher Text a “commodity” per Part 772.1? NO • Is Cipher Text “technology” per Part 772.1? NO • Result: Not Subject to the EAR • Not an article, material or supply • Not information while encrypted
Idea 2: Proposed Definitions 120.10 Technical Data (b)(4) Unclassified, encrypted technical data being transmitted or stored, regardless of location, is not controlled under this provision provided that the data remains encrypted and the ability to decrypt the information is not disseminated. (See also § 120.17, § 125.10) 120.17 Export Unclassified, encrypted technical data being transmitted or stored outside of the United States is not an export provided that foreign persons are not provided with access to the encryption tools. 125.1 Exports subject to this part. The controls of this part apply to the export of technical data and the export of classified defense articles. Information which is in the public domain (see §120.11 of this subchapter and §125.4(b)(13)), and unclassified, encrypted technical data, provided it remains encrypted during its transmission and storage, is not subject to the controls of this subchapter. If access to the encryption tool is provided to a recipient, a license or other authorization may be required.
Recommendation • The DTAG recommends: • The ITAR recognize encrypting data (to an established standard) as an adequate means of protecting and securing ITAR controlled data. • Unclassified, encrypted data transmitted or stored outside of the United States as not being an export provided that foreign persons are not provided with access to the encryption key. • Unclassified, encrypted data is not subject to export regulations in this form. • Definitions for “export” and “technical data” are amended and that the transmission and storage of unclassified, encrypted technical data be reflected in ITAR 125.1(a). Encryption is the foundation to enabling business while securing data. The DTAG realizes that while our task was focused on Cloud Computing storage, the solution lies in technology.
References Publications, Articles and Case Law Reviewed, Discussed and Considered Pursuant to this Tasking • Center for Technology Innovation at Brookings, “Addressing Export Control in the Age of Cloud Computing”, John Villasenor, July 25, 2011 • Congressional Research Service, Cybersecurity Authoritative Reports and Resources, Rita Tehan, March 2013 • DoD Cloud Computing Strategy, July 2012 • GAO-10-513, “Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing”, May 2010 • NIST Special Publication 800-38F, “Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping” • NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems and Organizations”, Rev. 3, August 2009 • NIST Special Publication 800-144, “Guidelines on Security and Privacy in Public Cloud Computing” • NIST Special Publication 800-145, “The NIST Definition of Cloud Computing” • NIST Special Publication 800-146, “DRAFT Cloud Computing Synopsis and Recommendations” • Nixon Peabody, “The Export Control Implications of Cloud Computing”, Alexandra Lopez-Casero, August 2011 Supplemental Materials Reviewed, Discussed and Considered • ITAR, 22 CFR 120 • CNSS Instruction 4009, National Information Assurance Glossary • “ITAR and the Cloud”, Candace Goforth, presented at the SIA Fall 2012 Conference • “Emerging Technologies: Managing Export Controlled Data in the Cloud”, C. Goforth, Bob Rarog, Matt Henson, November 9, 2012 • “EAR Controls and Cloud Computing”, Bob Rarog, Dept. of Commerce, BIS, SIA Fall 2012 Conference • Microsoft Office 365, “FISMA and ITAR Solutions for Enterprises”, October 2012
Five Essential Characteristics [Figure not recoverable from the slide] Sources: Burton, NIST, GAO Report, dated May 2010
Three Service Models • PLATFORM AS A SERVICE (PaaS): Vendor-provided infrastructure services (e.g., operating systems, storage, network infrastructure) Amazon’s EC2 • INFRASTRUCTURE AS A SERVICE (IaaS): Vendor-provided infrastructure services (e.g., Google Apps, Microsoft Azure) to create and deploy applications • SOFTWARE AS A SERVICE (SaaS): Vendor-provided software (e.g., ePerform, Cliqbook, United Way) running in a cloud infrastructure via a thin client interface [Diagram: for each service model, a stack of Software, Platform and Infrastructure layers divided between customer-provided and vendor-provided] Sources: Burton, NIST, GAO Report, dated May 2010
Idea 3: Take no action/continue in current manner
Idea 4: Modify or Create Authorization, i.e., License or Exemption • Assumption is that the ‘ability’ to “access” equates to an export • Exemption (based on cloud location, level of encryption, similar to 125.4(b)(9) which authorizes secured data to “travel”) • With the use of encryption, secured ITAR data may be transferred to and stored in the Cloud without authorization provided: • Data is in encrypted form during transmission & storage • Does not involve 126.1 destinations and other restrictions
Idea 3: Possible License authorization (rewrite of 125.4(b)(x) & 123.26) • § 125.4 • The following exemptions apply to exports of technical data for which approval is not needed from the Directorate of Defense Trade Controls. The exemptions, except for paragraph (b)(13) of this section, do not apply to exports to proscribed destinations under § 126.1 of this subchapter or for persons considered generally ineligible under § 120.1(c) of this subchapter. The exemptions are also not applicable for purposes of establishing offshore procurement arrangements or producing defense articles offshore (see § 124.13), except as authorized under § 125.4(c). Transmission of classified information must comply with the requirements of the Department of Defense National Industrial Security Program Operating Manual (unless such requirements are in direct conflict with guidance provided by the Directorate of Defense Trade Controls, in which case the latter guidance must be followed) and the exporter must certify to the transmittal authority that the technical data does not exceed the technical limitation of the authorized export. • (b) The following exports are exempt from the licensing requirements of this subchapter. • (x) Technical data encrypted at [designated USG level] virtually transmitted and stored outside the US not for end use outside the US or unlicensed location • § 123.26 Recordkeeping for exemptions. • Any person engaging in any export, reexport, transfer, or retransfer of a defense article or defense service pursuant to an exemption must maintain records of each such export, reexport, transfer, or retransfer… • For section 125.4(b)(x), contract language and/or documentation demonstrating encryption (at designated USG level) prior to, during and throughout electronic storage or transmission is adequate for use of 125.4(b)(x).
Idea 5: Establish parameters for Cloud Users and Cloud Service Providers • Identify roles, responsibilities and obligations of the parties (consistent among regulatory agencies) • Certification or establishment of standards for Cloud Service Providers • GAO-10-513 speaks to both points • Clarify whether encrypted data is export controlled • BIS made an attempt to address the role of Cloud Service Providers in its Advisory Opinions • Dept. of Defense Cloud Computing Strategy speaks to supporting “…the migration of moderate risk data and information (e.g., CUI, PII, PHI, ITAR and EAR) to commercial cloud services” along with recognizing the need to ‘…establish standardized, baseline DoD cloud computing SLAs and contract requirements…’ • Need to clarify USPPI – who is responsible for what
Possible guidance that might be promulgated for use by exporters consistent with current regulatory controls • Cloud users should understand the different types of Clouds and service models and the export risks associated with each. • Refer to NIST Special Publication 800-144 for recommendations on what the Service Level Agreement (SLA) with the cloud service provider should include. • Roles and Responsibilities must be outlined and a means to audit the Cloud Service Provider should be established. • SLA should identify Cloud Service Provider’s obligations upon contract termination, such as the return and expunging of data. • Cloud users should ensure the Cloud Service Provider can meet the Cloud user’s requirements for managing ITAR controlled data. • Cloud users should also ensure compliance with other US regulatory agencies. • Cloud users should ensure that an adequate authentication process is implemented to protect access to company data and ITAR controlled data.