Presentation is loading. Please wait.

Presentation is loading. Please wait.

Canadian and US Export Controls and Economic Sanctions: Key Steps for Mitigating Risk for Software and Technology Companies October 24, 2017 IT.Can Annual.

Published byMerry McCoy Modified over 6 years ago

Similar presentations

Presentation on theme: "Canadian and US Export Controls and Economic Sanctions: Key Steps for Mitigating Risk for Software and Technology Companies October 24, 2017 IT.Can Annual."— Presentation transcript:

1 Canadian and US Export Controls and Economic Sanctions: Key Steps for Mitigating Risk for Software and Technology Companies October 24, 2017 IT.Can Annual Conference Stephen Whitney VP, General Counsel, Sandvine Incorporated ULC

2 Agenda Overview of Canadian Export Controls Export Control List
Export Permit Application Process

3 A. Overview of Canadian Export Control Laws
What is an “Export”? A physical shipment outside of a country’s border; Posting software on a web site that can be downloaded by someone in another country; Sharing of technical information visually, physically or orally (e.g.: user manuals, schematics, drawings, files, procedures, conference calls, meetings, etc.)

4 What is an Import? With every export, there must be an import, which is bringing in goods and/or technology from another country The transfer into a country through physical or intangible (typically electronic) means.

5 Objectives of Export Controls
do not cause harm to Canada and its allies; do not undermine national or international security; do not contribute to national or regional conflicts or instability; do not contribute to the development of nuclear, biological or chemical weapons of mass destruction, or of their delivery systems; are not used to commit human rights violations; and are consistent with existing economic sanctions' provisions.

6 B. Export Control List The Export Control List, which is included in A Guide to Canada's Export Controls December 2015 ( identifies specific goods and technology that are controlled for export from Canada to other countries. The Export Control List is divided into the following seven Groups: Group 1: Dual-Use List (used for both civil and military purposes) Includes cryptography Group 2: Munitions List Group 3: Nuclear Non-Proliferation List Group 4: Nuclear-Related Dual-Use List Group 5: Miscellaneous Goods and Technology Group 6: Missile Technology Control Regime List Group 7: Chemical and Biological Weapons Non-Proliferation List

7 Group 1, Category 5, Part 2 - 1-5. A. 2
Group 1, Category 5, Part A.2. SYSTEMS, EQUIPMENT AND COMPONENTS (HARDWARE) 1-5.A.2. “Information security” systems, equipment and components therefor, as follows: Systems, equipment and components, for cryptographic “information security”, as follows: Designed or modified to use "cryptography" employing digital techniques performing any cryptographic function other than authentication, digital signature or the execution of copy-protected "software", and having any of the following: A "symmetric algorithm" employing a key length in excess of 56 bits; or An "asymmetric algorithm" where the security of the algorithm is based on any of the following: 1. Factorisation of integers in excess of 512 bits (e.g., RSA); 2. Computation of discrete logarithms in a multiplicative group of a finite field of size greater than 512 bits (e.g., Diffie-Hellman over Z/pZ); or 3. Discrete logarithms in a group other than mentioned in 1-5.A.2.a.1.b.2. in excess of 112 bits (e.g., Diffie-Hellman over an elliptic curve); More listed in b. through e.

8 1-5.A.2.a does not apply to any of the following:
a. Smart card and smart card ‘readers/writers’ as follows: …. Cryptograhphic equipment specially designed and limited for banking use or ‘money transactions’ c. through h. Routers, switches or relays, where the “information security” functionality is limited to the tasks of “Operations, Administration or Maintenance” (“OAM”) implementing only published or commercial cryptographic standards; or j. General purpose computing equipment or servers, where the “information security” functionality meets all of the following: 1. Uses only published or commercial cryptographic standards; and 2. Is any of the following: a. Integral to a CPU that meets the provisions of Note 3 in Category 5 - Part 2; b. Integral to an operating system that is not specified by 1-5.D.2.; or c. Limited to “OAM” of the equipment.

9 Group 1 – Dual-Use List - Category 5 - Part 2: “Information Security”
No export permit needed from Government of Canada if: Exporting for personal use; or Your good is within a named category (1-5.A.2, 1-5.A.3, 1-5.A.4, and 1-5.D.2) and your export meets: A. the crypto note or mass market criteria a. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following: 1. Over-the-counter transactions; 2. Mail order transactions; 3. Electronic transactions; or 4. Telephone call transactions; b. The cryptographic functionality cannot easily be changed by the user; c. Designed for installation by the user without further substantial support by the supplier; and d. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs (a) to (c) above; or

10 Group 1 – Dual-Use List - Category 5 - Part 2: “Information Security” (cont.)
B. Hardware components or ‘executable software’, of existing items described in paragraph A. of this Note, that have been designed for these existing items, and meeting all of the following: a. "Information security" is not the primary function or set of functions of the component or 'executable software'; b. The component or ‘executable software’ does not change any cryptographic functionality of the existing items, or add new cryptographic functionality to the existing items; c. The feature set of the component or ‘executable software’ is fixed and is not designed or modified to customer specification; and d. When necessary as determined by the appropriate authority in the exporter’s country, details of the component or ‘executable software’, and details of relevant end-items are accessible and will be provided to the authority upon request, in order to ascertain compliance with conditions described above.

11 3. Category 5–Part 2 does not apply to items incorporating or using
3. Category 5–Part 2 does not apply to items incorporating or using “cryptography” and meeting all of the following: a. The primary function or set of functions is not any of the following: 1. “Information security”; 2. A computer, including operating systems, parts and components therefor; 3. Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management); or 4. Networking (includes operation, administration, management and provisioning); b. The cryptographic functionality is limited to supporting their primary function or set of functions; and c. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs a. and b. above.

12 1-5.D.2. SOFTWARE 1-5.D.2. “Software” as follows: a. “Software” specially designed or modified for the “development”, “production” or “use” of equipment specified by 1-5.A.2, 1-5.A.3 or 1-5.A.4, or of “software” specified by 1-5.D.2.c.; b. … c. Specific “software” as follows: 1. “Software” having the characteristics, or performing or simulating the functions of the equipment, specified by 1-5.A.2., 1- 5.A.3 or 1-5.A.4; 2. “Software” to certify “software” specified by 1-5.D.2.c.1. Note: 1-5.D.2c. Does not apply to “software” limited to the tasks of “OAM” implementing only published or commercial cryptographic standards. d. “Software” designed or modified to enable, by means of “cryptographic activation”, an item to meet the criteria for functionality specified by 1-5.A.2.a. that would not otherwise be met.

13 C. Export Permit Application Process
Apply online – EXCOL system Application Review Period: Up to 10 business days for routine Up to 8 weeks for complicated Plan ahead, apply early, and know you can receive questions from Government and (rare) requests for in-person meetings

14 Approvers of Export Permits primarily include:
Dept of Foreign Affairs, Trade and Development Canada (DFAT) Communications Security Establishment of Canada (CSEC)

15 Types of export permits
Individual export permit to a specified consignee/recipient General Export Permit (GEP) Multiple Destination Permit (MDP)

16 1. Individual Export Permit
When preparing an individual export permit application, the supporting material typically includes: Cover letter explaining the overall nature of the proposed transaction, including the roles of the parties involved and the end-use of the product. Name of exporter Name of consignee/recipient Address of consignee Name of goods being exported (model # or version #) Quantity to be exported Individual value and total value of export? Country of manufacture US Content % Self Assessment of applicable Export Control List Number End-use statement (to be signed by consignee) Any available technical specification documents Cryptography and Information Security Product Questionnaire or *CSEC Questionnaire*

17 *Sample* Abbreviated End-Use Statement
(on final consignee letterhead) To: Export Controls Division Foreign Affairs and International Trade Canada The following products: [insert products] will be exported to us by [Canadian exporter] and will be used by us [at State final consignee address]. The above-mentioned products will be used for: [state purpose] The above-mentioned products will not be used for military purposes nor in any nuclear or missile proliferation activity, in the design of chemical or biological weapons nor resold or exported to any entity involved in such activity. I_______________________________ Signature

18 Cryptography and Information Security Product Qestionnaire or. CSEC
Cryptography and Information Security Product Qestionnaire or *CSEC* Questionnaire 1. Provide general marketing/promotional information describing the product, including the product name and version number as applicable, or other documentation or specifications related to the technology or software. 2. What cryptographic algorithms and strengths are employed and for what purposes (eg: digital signature, authentication, confidentiality of data, etc)? Identify the key length as well as whether the algorithm is symmetric or asymmetric. 3. Provide details on the product architecture. Is the cryptographic engine user-accessible or modifiable? Describe how the architecture and/or distribution method inhibit user accessibility. 4. Describe how the product architecture prohibits modification of the product-use for which it was designed. State how the product is written to preclude user modification of the encryption algorithms, key management and key space. 5. For products which incorporate an Open Cryptographic Interface, describe the Open Cryptographic Interface.

19 Questionnaire cont. 6.For products which incorporate encryption-related Application Programming Interfaces (APIs), describe the APIs that are implemented and/or supported. Explain which interfaces are for internal (private) and/or external (public) use. 7. Describe whether the cryptographic routines are statically or dynamically linked, and the routines (if any) that are provided by third-party modules or libraries. Identify the third-party manufacturers of the modules or toolkits. 8. In what form will the software be distributed/exported (e.g.: source code, object code, etc)? 9. How will the product be installed? 10. Is the product currently being used by any Department(s) at any level of government in Canada (either Federal, Provincial and/or Municipal)? If so, please state which one(s). 11. Is the product being considered for purchase by any Department(s) at any level of government in Canada (either Federal, Provincial and/or Municipal)? If so, please state which one(s).

20 Receive Individual Export Permit Now What?
Before you begin exporting, read your export permit carefully Validity Period for Individual EP: 2 years Can request shorter or longer (up to 5 years) Version Numbering: If a permit is issued for version 1.1, ok to use permit to export versions 1.2 and 1.3 (assuming no change to the cryptographic functionality). Need to obtain new EP for version 2.1 of the same software.

21 Where Can’t Export To When Obtain an Individual Export Permit
- Exports to the following will be prohibited: - Countries on Canada Area Control List Currently - North Korea - Countries with sanctions (may or not apply to your circumstances) and can apply to both entities and individuals

22 Sanctions Presently, Canada imposes trade controls of varying degrees on activities involving the following countries (and in many cases, listed entities and individuals associated with them): Belarus, Burma (Myanmar), Côte d'Ivoire, the Democratic Republic of the Congo, Cuba, Egypt, Eritrea, Guinea, Iran, Iraq, Lebanon, Liberia, Libya, North Korea, Pakistan, Russia, Somalia, Sudan, Syria, Tunisia, Ukraine and Zimbabwe.

23 2. General Export Permit (GEP)
GEPs do not require an export permit application You export and report bi-annually about your exports assuming you meet certain criteria

24 GEP No. 45 Cryptography for the Development or Production of a Product
If meet the criteria set out in GEP No. 45, residents of Canada may export or transfer all goods and technology referred to in Group 1-5 Part 2 of “A Guide to Canada's Export Controls”, excluding those goods and technology referred to in: a. items 1-5.A.2.a.2., 1-5.A.2.a.4., or 1-5.A.2.a.9. of A Guide to Canada's Export Controls.

25 GEP No. 46 Cryptography for Use by Certain Consignees
If meet the criteria set out in GEP No. 46, residents of Canada may export or transfer all goods and technology referred to in Group 1-5 Part 2 of “A Guide to Canada's Export Controls”, excluding those goods and technology referred to in: a. items 1-5.A.2.a.2., 1-5.A.2.a.4., or 1-5.A.2.a.9. of A Guide to Canada's Export Controls.

26 3. Multiple Destination Permit
Can export to all countries except: countries on Canada’s Area Control List Countries subject to Canadian Economic Sanctions (including UN Act and Special Economic Measures Act) Sanctions apply to following countries: Central Africa Republic, Congo, Eritrea, Iran, Iraq, Lebanon, Libya, Myanmar, North Korea, Russia, Somalia, South Sudan, Sudan, Syria, Tunisia, Ukraine, Venezuela, Yemen, and Zimbabwe Country list: Belarus, Central African Republic, Cote d’Ivoire, Cuba, Congo, North Korea, Eritrea, Guinea, Iran, Iraq, Lebanon, Liberia, Libya, Myanmar, Pakistan, Russia, Somalia, Syria, South Sudan, Sudan, Tunisia, Ukraine, Yemen, and Zimbabwe Export for end-use that is directly or indirectly related to research, development or production of chemical, biological or nuclear weapons, or any missile programmes for such weapons; Export of technical information related to design, development or implementation of the crypto; and Export of source code or pseudo-code, in any form, of the crypto.

27 Suggestions for Dealing with Government
Only answer the questions and nothing more CSEC will ask because they want to know or someone else wants to know - Five Eyes Watch out for questions like: “Are the Russians still asking for source code?”

28 Disclosures of Non-Compliance
Voluntary disclosure for non-compliance The Export Controls Division looks favourably upon voluntary disclosures Seek legal advice before making disclosure .

Download ppt "Canadian and US Export Controls and Economic Sanctions: Key Steps for Mitigating Risk for Software and Technology Companies October 24, 2017 IT.Can Annual."

Similar presentations

Licensing Export Control in China --Experiences and Challenges Wang Daxue Department of Arms Control and Disarmament Ministry of Foreign Affairs, China.

Licensing Export Control in China --Experiences and Challenges Wang Daxue Department of Arms Control and Disarmament Ministry of Foreign Affairs, China.
ASEAN REGIONAL FORUM Export Licensing Experts Meeting Effective Export Controls Lynne.C.Sabatino- Permit Officer Export Controls Division.

ASEAN REGIONAL FORUM Export Licensing Experts Meeting Effective Export Controls Lynne.C.Sabatino- Permit Officer Export Controls Division.
Presented by: Sheryl Trexler, Export Compliance Officer Office of Research Integrity & Compliance (ORIC) Date: September 2011.

Presented by: Sheryl Trexler, Export Compliance Officer Office of Research Integrity & Compliance (ORIC) Date: September 2011.
Export Control Overview John R. Murphy Business Development Manager Sartomer Company October 4, 2004 Boston, MA.

Export Control Overview John R. Murphy Business Development Manager Sartomer Company October 4, 2004 Boston, MA.
EXPORT CONTROLS. Export Controls are established to implement treaties and national security laws, generally protect national security and to combat terrorism.

EXPORT CONTROLS. Export Controls are established to implement treaties and national security laws, generally protect national security and to combat terrorism.
Baker & McKenzie LLP is a member firm of Baker & McKenzie International, a Swiss Verein with member law firms around the world. In accordance with the.

Baker & McKenzie LLP is a member firm of Baker & McKenzie International, a Swiss Verein with member law firms around the world. In accordance with the.
John W. Boscariol, International Trade and Investment Law Group, McCarthy Tétrault LLP / mccarthy.ca Best Practices in Export Compliance: Five Key Issues.

John W. Boscariol, International Trade and Investment Law Group, McCarthy Tétrault LLP / mccarthy.ca Best Practices in Export Compliance: Five Key Issues.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
PACE Technologies – 3601 E. 34 th St. Tucson, AZ 85713 Telephone: 520-882-6598 FAX: 520-882-6599 - www.metallographic.com ExitNextBack www.metallographic.com.

PACE Technologies – 3601 E. 34 th St. Tucson, AZ Telephone: FAX: ExitNextBack
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
2000 U.S. Census Bureau Foreign Trade Statistics Regulations 15 CFR Part 30 **** U.S. Principal Party in Interest and Forwarding Agent Responsibilities,

2000 U.S. Census Bureau Foreign Trade Statistics Regulations 15 CFR Part 30 **** U.S. Principal Party in Interest and Forwarding Agent Responsibilities,
How to Determine If You Need a Commerce Export License Relatively small percentage of total U.S. exports require a Validated License Most products are.

How to Determine If You Need a Commerce Export License Relatively small percentage of total U.S. exports require a Validated License Most products are.
Michael Pender U.S. Department of Commerce December 14, 2011.

Michael Pender U.S. Department of Commerce December 14, 2011.
Taking UT Abroad: Implications of Export Controls on Traveling and Working Abroad Kay Ellis, MHR Associate Director, Export Controls Officer Office of.

Taking UT Abroad: Implications of Export Controls on Traveling and Working Abroad Kay Ellis, MHR Associate Director, Export Controls Officer Office of.
Export Controls A Basic Overview by Scott Goldschmidt-Office of General Counsel Export Controls A Basic Overview by Scott Goldschmidt-Office of General.

Export Controls A Basic Overview by Scott Goldschmidt-Office of General Counsel Export Controls A Basic Overview by Scott Goldschmidt-Office of General.
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.
IT.Can Quarterly Roundtable Series September 24, 2008 Export-Controlled Technology: The Cost of Non-Compliance IT.Can Quarterly Roundtable Series September.

IT.Can Quarterly Roundtable Series September 24, 2008 Export-Controlled Technology: The Cost of Non-Compliance IT.Can Quarterly Roundtable Series September.
Office of Research & Sponsored Programs Responsible Conduct of Research Jeff Busch, Ph.D. Main Campus Research Compliance Coordinator.

Office of Research & Sponsored Programs Responsible Conduct of Research Jeff Busch, Ph.D. Main Campus Research Compliance Coordinator.
Secure Electronic Transaction (SET)

Secure Electronic Transaction (SET)
1 Brown Bag Luncheon Series Training 09/25/2008 EXPORT CONTROLS AT YALE.

1 Brown Bag Luncheon Series Training 09/25/2008 EXPORT CONTROLS AT YALE.

Similar presentations

Ads by Google