The Cyber Compliance Imperative

The most critical challenge facing the Global Trade Compliance (GTC) community is export compliance in IT networks and systems, or what I call “Cyber Compliance.” Cyber Compliance involves the implementation of capabilities to identify, control, track, and otherwise safeguard data in electronic format.

The laws and regulations governing exports were written to address the risks and threats of the 1970s. As a result, our GTC programs have primarily been designed to address the risks and threats of the pre-Internet paradigm.

In the pre-Internet paradigm, export risks and threats manifested in the human domain (e.g. what people do and say) and the physical domain (e.g. physical access, export shipments, etc.). Our compliance programs, built upon paper policies and training, have focused on facility control plans, visitor controls, hand-carry controls, and export shipments.

The legacy approach has placed a huge emphasis on controlling export shipments, and rightly so. It ensures items are classified and controlled at the time of export shipment. Export shipment controls remain relevant, as does training, but they represent the bare minimum.

Our world is now globally networked and information-driven. Before a regulated object is created, accessed, or transferred in the physical domain, it is created, accessed, and transferred in the cyber domain. Export risks and threats have shifted from the physical domain to the cyber domain.

What about all the data being externally accessed and transferred before a product is manufactured and shipped?

What about all the data being accessed and transferred internally?

Can we answer basic questions about our data?

Do our adversaries know our data better than we do? An honest exploration of this question is unnerving at best. It is imperative that export compliance programs integrate export controls into IT networks and systems.

To remain relevant, to succeed in our non-proliferation objectives, or to have any hope of preventing our economic and military advantages from being exfiltrated (stolen), we must develop, implement, maintain, and continuously improve our cyber compliance capabilities.

I’ll be posting more on this topic in the coming months, but your best opportunity to learn more is just around the corner. The challenges described above are exactly what I’ve designed SIA’s IT and Export Controls Seminar (Oct. 24, Arlington, VA) to address. Playing the national security card feels a bit dramatic sometimes, but it is ultimately why we do what we do. We need as many professionals as possible to understand, adopt, and improve the concepts and methodologies we’ll be teaching.

2018-11-30T19:21:57+00:00