Military Export Controls

Military Export Controls Reinhard Egger, HPE Enterprise Services Trade Compliance, Global Military Trade Controls, and ITAR Consultant June 1, 2016

Military Export Controls at HPE Confidential – For Training Purposes Only

Keys to Understanding HPE & Military Controls
What you will learn in this course:
- Military Control Triggers
  - Products
  - Technology (know-how)
  - Clients / Client Data
  - Business activities
- Seek advice from Global Trade
  - Where to seek information
  - Who can help
  - What information will be needed
  - What you should expect
- Compliance
  - Consequences of noncompliance
  - General compliance models
  - Implement Global Trade’s advice: control plans
  - Keep Global Trade advised of changes & developments
  - Do we talk about standing compliance programs
- Compliance is a team effort

Military Export Controls at HPE
Most nations have two types of export controls – dual use and military.
- HPE is most often concerned with the dual-use (“civilian”) controls
  - Commercial and consumer products: Hardware, Software, and Technology (information).
  - HPE has several controls in place to address these issues
  - Most of these activities do NOT require formal government authorizations (a few do)
- HPE must also be concerned with military export controls
  - “Military Controls” extend beyond things typically thought of as “military”
  - HPE has the Military Goods & Services Controls Policy to address these issues.
  - Most of these activities DO require formal government authorizations.
Training focus

Military Controls Triggers

Military Export controls - Triggers
There are several ways something can fall under military controls
- Products (not always what you’d expect)
- Technology (know-how for such products)
- Client Data and Software (primarily in Enterprise Services)
- Business activities (Marketing, sales, brokering & trafficking)

Military controlled Products
Some triggers are obvious….but not all….
Products (includes hardware and software)
- Products designed or modified
  - for military use
  - for orbital, satellite, or space use.
  - to have very low electromagnetic emissions, lower than required for safety/agency requirements (especially “TEMPEST”)
  - to be radiation-hardened
- Products that contain a component that meets any of the above specifications
- 3rd party products meeting any of these criteria
Military purchase of standard HPE consumer & commercial products is not “Military Controlled”
Any design or modification for these criteria IS a trigger for Military Controls.

Military controlled Technology
Technology is information in any form – written, electronic, verbal, etc.
Technology
- Information for the development, production, testing, modification, repair, or use of a military controlled product (previous slide)
- Information may also be marked with a Government security classification, which has additional HPE controls.
- This information may appear as
  - HPE owned information for HPE developed military products
  - Information owned by other companies for their military products
  - Client data
  - RFP, RFQ, and specifications
- Sharing this information within HPE is *NOT* exempt from export controls.
Products are like “soup”
Technology is like the “recipe”
With the recipe, you can make the soup at will

Military controlled Client Data & Software
Client Data & Software (in any form) may have military export controls
- Clients may have military controlled data (technology) or software.
- Only the client can advise on the control status of their data and software.
- If HPE exports client data without doing due diligence with the client, HPE could be held liable for “causing, aiding or abetting” a breach of the regulations
- Once HPE has knowledge of any concern, HPE must act in compliance with the controls.
- Sharing this information between the client and HPE is *not* exempt
- Sharing this information between HPE entities is *not* exempt
- May also hit integration and consulting
Client Data demands Due Diligence

Military controlled business activities
Even business activities can fall under military controls
- Marketing & Sales: Business activities for products & services that may involve technical information meeting the military criteria: sharing specifications, customer requests, HPE responses to these requests, demonstrations, etc.
- Trafficking and Brokering: Any involvement in the sale, financing, shipping or marketing of certain military material which would result in the transfer of that material from a second country to a third country (i.e. not a sale etc. from your country)

Additional USA Implications
USA - International Traffic in Arms Regulations (ITAR) adds major impacts
All governments
- Controlling marketing, sales, financial & shipment activities
- Limiting access to controlled material, data and software based on geography
Additional USA controls (ITAR)
- Extraterritorial Jurisdiction - beyond USA
- Deemed Export Rule – person-based controls
- See Through Rule – whatever the item is in
- Defense Services – using military knowledge

USA Special Controls – Extraterritorial
USA ITAR Regulations extend beyond the USA
- ITAR items remain under USA government… forever.
- When ITAR-controlled content is involved, non-USA persons and organizations are required to comply with USA ITAR regulations.
  - USA can penalize foreign persons/organizations
  - USA can penalize the foreign person/organization’s holdings or operations in the USA.
- The USA regulations follow the ITAR products or ITAR data wherever they may go.
- Non-USA military products and technical data become subject to ITAR once in the USA or USA persons are involved.

USA Special Controls – Deemed Export Rule
Exporting without exporting
- Person-based export controls (nationality)
- When a non-USA national has access to ITAR controlled technical data or source code, it is “deemed” to be an export to that person’s country
- Example: Granting ITAR data access to a UK national, even when the person is on USA soil, is a “deemed export” to the UK & requires prior authorization
- Determining nationality: Seek GT guidance
  - Rules for determining nationality are very complex
  - Complicated by privacy regulations
- Sharing ITAR data or source code within HPE is not exempt
Just having “access” to ITAR tech data is an issue

USA Special Controls – See-Through Rule
The “see through rule” means….
This entire item is under ITAR so long as the ITAR part is present
- Anything that contains an ITAR-controlled item is, itself, effectively controlled by the ITAR
- The intended application use of the containing item does not matter.
- The significance of the ITAR-controlled item does not matter.
- Example: A portable data center contains an ITAR-controlled cooling system. That portable data center itself becomes an ITAR controlled item.
- Example: A machine contains an ITAR-controlled item. The entire machine is ITAR-controlled.
One ITAR part

USA Special Controls – Defense Services
When USA persons or organizations….
When USA persons or anyone employed by a USA organization assists foreign persons or organizations – in any location - with any of the following for US-controlled* military products, military technology, client data/software, etc.
- Design, development, engineering
- Manufacture, production, assembly
- Repair, maintenance
- Modification, demilitarization, destruction, processing
- Operation, use
Sharing within HPE is *NOT* exempt from export controls.
Application of knowledge concerns about USA vs. EU, EU persons... Mark / David revisit Hannelore provide any examples

Actual HPE Examples: Military Control Issues
Examples: HPE already has these kinds of issues
Enterprise Services
- If the client makes military aircraft parts, then the client is very likely to have the design specs etc. for those parts on its IT system
- The specialist software that the client uses to design those parts may also be subject to the military controls
Inkjet curing ovens
- A small number of curing ovens fall under military export controls due to an onboard military controlled amplifier
- Special controls are in place to assure compliance.

Military Control Triggers: Test Your knowledge

Test Your Knowledge: Switched in Space (1 of 2)
Test case 1
Situation: You work in the HPE Networking business. Your team has been tasked with making modifications to a standard switch so it can be used in satellites.
Could this be military controlled?

Test Your Knowledge: Switched in Space (2 of 2)
Test case 1
Situation: You work in the HPE Networking business. Your team has been tasked with making modifications to a standard switch so it can be used in satellites.
Could this be military controlled?
Analysis: YES! Not only is the switch likely to have strong military controls, but the know-how associated with the modifications is likely to have such strong controls.
Trigger: Designed or modified for orbital, satellite, or space use

Test Your Knowledge: Client Data (1 of 2)
Test Case 2
Situation: An Enterprise Services client would like HPE to take over their data center. This particular customer designs transmissions for vehicles, including military vehicles.
Could this be military controlled?

Test Your Knowledge: Client Data (2 of 2)
Test Case 2
Situation: An Enterprise Services client would like HPE to take over their data center. This particular customer designs transmissions for vehicles, including military vehicles.
Could this be military controlled?
Analysis: YES! This client’s data is likely to be under military export controls. HPE needs to ask the client about any possible military controlled technical data – before undertaking the business.
Trigger: HPE must ask clients about their technical data. This enables the client to comply when handing over the data center to HPE, and enables HPE to comply.

Test Your Knowledge: TEMPEST in a Teacup (1 of 2)
Test case 3
Situation: You are working on a project that involves designing a product (or modifying a product) that uses TEMPEST components or meets TEMPEST requirements.
Could this be military controlled?

Test Your Knowledge: TEMPEST in a Teacup (2 of 2)
Test case 3
Situation: You are working on a project that involves designing a product (or modifying a product) that uses TEMPEST components or meets TEMPEST requirements.
Could this be military controlled?
Analysis: YES! Not only is the product likely to have strong military controls, but the know-how associated with the modifications is likely to have such strong controls.
Trigger: Very low electromagnetic emissions, lower than required for safety/agency requirements (especially “TEMPEST”)
Trigger: Products that contain a military controlled product

Test Your Knowledge: UK MoD on paper (1 of 2)
Test case 4
Situation: The UK Ministry of Defence has approached HPE about purchasing standard HPE printers.
Could this be military controlled?

Test Your Knowledge: UK MoD on paper (2 of 2)
Test case 4
Situation: The UK Ministry of Defence has approached HPE about purchasing standard HPE printers.
Could this be military controlled?
Analysis: NO! These are standard HPE printers with no special design or modification for military use. If the requirement involved military design or modification requirements, the answer would be different.
Military purchase of standard, unmodified commercial product is NOT under military controls

Test Your Knowledge: Military Managed Print Services (1 of 2)
Test case 5
Situation: HPE has a managed print services relationship with a military. HPE replenishes, maintains, repairs and replaces the printing and scanning equipment for this military.
Could there be military controls?

Test Your Knowledge: Military Managed Print Services (2 of 2)
Test case 5
Situation: HPE has a managed print services relationship with a military. HPE replenishes, maintains, repairs and replaces the printing and scanning equipment for this military.
Could there be military controls?
Analysis: YES! There could be! Managed print services could involve devices that capture & retain printed/scanned military data on hard drives or other memory systems.
Trigger: Military technology (technical data)

How to get help….

What Information to Provide to Global Trade
Do NOT send the actual technical data. Outline the principles of your concern – Who, what, when, where, and why.
- Do NOT send the actual technical data, until advised to do so
- What was the trigger?
- Who is involved (both HPE and non-HPE entities)
- What is the general nature of the activity?
- What is being shipped
  - …from who, when, where and why?
  - …to who, when, where and why?
  - …by who, when, where and why?
- What information might be shared
  - …by whom to whom
  - …from where to where?

Who to Contact
Do NOT send the actual technical data.
Find your contact point based on your business or activity from the Global Trade Contacts
Policy/Process
- HPE Military Goods & Services Policy (also known as “Military Export Control Policy”)
- HPE Military Goods & Services Controls Process (also known as “Military Export Controls”)
REMINDER: Do NOT send the actual technical data. Outline the principles of your concern – Who, what, when, where, and why.

What will happen? There are two outcomes….
If Global Trade determines there are military export controls
- Global Trade will advise and assist
- Your business will need to implement controls based on that advice.
- These controls will impact most business and technical activities.
- Sales, shipments, sharing information etc. will require prior government authorizations
If Global Trade determines there are no military controls
- You will be referred to the HPE policies regarding dual-use (“civilian”) activities.
- In some rare cases, the dual-use controls may be roughly as stringent as the military controls.

Example Control Program “Skeleton”
This is a “superset” of possible controls
Product Controls
- All products (hardware & software) submitted for export control rating “classification” as per HPE policy
- No shipments or electronic transfers (software) without Global Trade authorization
People Controls
- All hiring, transfers into team, visitors (HPE and non-HPE), and training (HPE and non-HPE) approved by Global Trade in advance
Sales & Marketing Controls
- Customer engagements prior authorized by Global Trade
Data & Document Controls
- Data storage limited by geography
- Data access (physical and electronic) limited by geography and nationality
- Information-sharing (email, telephone, FAX, virtual meeting, etc.) limited by geography and nationality
- Physical documents labeled and secured
Government security clearance controls
- Meet all Global Trade requirements, as well as HPE Global Security requirements

Consequences of Non-Compliance

Consequences of Noncompliance: Public Cases
Some example cases: ITT; John Reese Roth, PhD; Noshir Gowadia; Northrop Grumman
- ITT fined in excess of $110 million for unauthorized exports of new-generation night-vision technology
- University of Tennessee professor sentenced to 4 years in prison for unauthorized exports of US military drone technology to Iran and China.
- Fined >$100 million for unauthorized exports of military airplane software and guidance systems.

Consequences for Non-Compliance
HPE’s Standard of Business Conduct requires compliance with regulations
HPE: Beyond Brand Damage
- Monetary fines
  - Up to $1M per violation (2012)
  - USA, EU, Singapore, etc. – all similar
- Other consequences
  - Seizure of products
  - Denial of export privileges
Individuals (HPE officers & employees)
- Standards of Business Conduct (SBC)
  - Compliance is required by the SBC
- Monetary fines
  - Up to $500K per violation (2012)
  - USA, EU, Singapore, etc. – all similar
- Prison
  - USA – up to 10 years in prison per violation (2012)
  - EU, Singapore, others are similar.
  - Malaysia – up to death penalty!

Summary

Re-Iteration: Understanding HPE & Military Controls
What you’ve learned….
- Military Control Triggers
  - Products
  - Technology (know-how)
  - Clients / Client Data
  - Business activities
- Seek advice from Global Trade
  - Where to seek information
  - Who can help
  - What information will be needed
  - What you should expect
- Compliance
  - Possible outcomes
  - Implement Global Trade’s advice
  - Keep Global Trade advised of changes & developments
- Compliance is a team effort

Action
What do I do if I suspect an activity is subject to military controls?
Contact Global Trade as listed in “How to Get Help”

Resources
Information Resources
Within HPE
- Military Policies and information
  - HPE Military Goods & Services Policy, also known as Military Export Controls Policy
  - HPE Military Goods & Services Controls Process, also known as Military Export Controls
- Overall Global Trade information
  - Global Trade Website
External (For reference only)
- Example Military Regulatory Agencies
  - US State Department
  - Equivalent agencies in each EU nation
  - Singapore Tariff and Trade
  - & others
- Example Military Regulatory References
  - USA ITAR & US Munitions List
  - EU National Military Lists (each nation unique)
  - Singapore Military List
  - Wassenaar Military List
  - & others

Thank you