Powered by MOMENTUMMEDIA

Managing Global Export Control Data Security Requirements

Understanding how to secure export-controlled data as a Defence Industry Supplier to Australia, United Kingdom, United States, and other countries.

Defence manufacturers must adhere to country-based Export Control requirements. These regulations control the sale, distribution, and manufacturing of defense-related items including products, services, software and technical data. Complying with the various regulations is essential to secure Defence contracts, and the consequences of not doing so are serious, ranging from massive fines to jail time.

Understanding the Various Export Control Laws

Each country has its own Export Control laws that you must be aware of and adhere to, if you are supplying any goods on the respective lists. Australian legislative controls are separate from the controls placed on goods and technologies by other governments. Importantly, compliance with other countries’ regulations does not remove the need to also comply with Australia's export controls. 

Here’s a brief summary of the current and future laws governing Export Controls in Australia, the United Kingdom and the United States.

Australia

  • The Customs Act 1901: Controls the export of defence and strategic goods and technologies, executed through Regulations 13E-13EK of the Customs (Prohibited Exports) Regulations 1958.
  • The Customs (Prohibited Exports) Regulations 1958 – Regulations 13E-13EK:
    Allows the Minister for Defence, or an authorised person, to grant permission to export goods listed on the Defence and Strategic Goods List (DSGL) except for nuclear fuels and special fissionable material administered by the Department of Industry, Innovation and Science.
  • The Defence Trade Controls Act (DTCA) 2012: Regulates the supply and publication of DSGL technology and the brokering of DSGL goods and technologies. Here, technology means specific information necessary for the "development", "production" or "use" of a product, including:
    • Technical data such as blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals and instructions written or recorded; and,
    • Technical Assistance such as instruction, skills, training, working knowledge and consultancy services, and may involve the transfer of technical data.

United Kingdom

  • Export Control (Amendment) (EU Exit) Regulations 2020 and UK Strategic Export Control Lists: Regulates whether any products, software or technology that an organisation intends to export are ‘controlled’, including strategic military and dual-use items, and therefore require export authorisation.

United States

  • International Traffic in Arms Regulations (ITAR): Regulates the sale, distribution, and manufacturing of defense-related items and services on the United States Munitions List (USML), including military hardware, guidance systems, submarines, armaments, military aircraft, IT, and defense-specific software.
  • The Export Administration Regulations (EAR): Regulates the export of items that are designed for a commercial purpose that could have military applications (‘dual use items’), such as computer hardware and software, on the Commerce Control List (CCL).

Multinational Legislation

  • AUKUS: A trilateral security pact that enables the US and UK to assist Australia in acquiring nuclear-powered submarines and sharing naval nuclear propulsion information trilaterally. It includes efforts to strengthen cyber capabilities, including protecting critical communications and operations systems.

What is at stake if you are non-compliant? 

With national security at stake, violations of Export Control laws carry serious civil and criminal penalties. 

  • In Australia, the DTCA carries heavy criminal penalties for the 'intangible' (non-physical) transfer or supply (including emails) and publication of goods and technologies listed on the DSGL. Criminal liability applies to military goods as well as 'dual use' technologies designed for a specific purpose, but with potential application to military use.
  • U.S. ITAR violations carry a civil penalty of US $1 million+ per violation. Violators can also be ‘debarred’ (lose the ability to export goods) and face criminal penalties of up to 20 years in prison.
  • In the UK, exporting controlled items without the correct export licence is a criminal offence, with penalties ranging from licence revocation, goods being seized, fines and/or imprisonment for up to 10 years.

Securing Export Control Data

If you are unsure whether your item is controlled by Export Control laws, start with a thorough review of the applicable goods lists of the country/countries you are exporting to and from (DSGL, USML, CCL). Requirements vary by regulation and by company; however, the best practices below provide a strong starting point for securing sensitive data to meet Export Control laws. Always consult an expert if you are unsure of what is required to comply with the laws applicable to your business.

Best practices for securing Export Controlled data:

  • Establish and maintain an information security policy.
  • Implement zero trust network and data access methodologies.
  • Regularly test networks, security systems and processes.
  • Implement attribute-based access control (ABAC).
  • Protect sensitive data with encryption and usage restrictions (e.g., restrict printing, copy/paste functions, downloads, etc.).
  • Watermark documents to track the chain of custody and remind users of a document’s sensitivity.
  • Track and monitor all access to network resources and sensitive data.
  • Implement measures to prevent the loss of Export Controlled data through data misuse, accidental sharing, or theft.

Managing Access to Export Controlled Data

The management of Export Controlled information requires a multi-pronged approach to control user interactions via training and policies and to properly store and manage access to regulated information.  

Access control is one of the more complex tasks, especially if you are using permissions or role-based access controls (RBAC), as multiple factors must be considered including:

  • User clearance levels and caveats
  • User citizenship and nationality
  • Document/Item classification level
  • Briefing levels

Choosing the right technology to help effectively manage the storage, access and sharing of Export Controlled information is critical. The following factors should be taken into consideration:

Data-centric controls – Traditional permission models are complex and require lots of resources to manage while leaving potential security gaps. Complex sharing scenarios can be difficult to manage with permissions and RBAC, requiring hundreds of rules/groups. Consider a data-centric security model that dynamically enforces data access and sharing rules, automatically and transparently at the file level.

Attribute Based Access Control (ABAC) is a data-centric security model that enables you to apply fine-grained controls over the access, usage and sharing of files. The ABAC model only grants access once a user’s attributes meet the policies required to release a particular file. These attributes could include a user’s organisation, nationality, and clearance levels, as well as other access control identifiers such as project name, mode of access, time, etc. The dynamic nature of ABAC rules means fewer rules are required to manage complex scenarios.

Data custodians – Applying control at the file level is the most effective way to manage Export Control documents as restrictions will vary from document to document based on its contents and classification. For this reason, document custodians need to control the classification of the materials they create, not the system administrator, as they will best understand the sensitivity level of the document. An ABAC-enabled system can enforce the appropriate information barriers based on policies that data custodians set for each file to restrict access and distribution accordingly.

Secure collaboration – Your document management platform must be able to maintain the level of strict security and auditability that is mandated for Export Controlled data during its entire lifecycle. Look for a platform that offers secure storage, collaboration and sharing controls, and user activity tracking. Depending on the security posture of your IT infrastructure, you may need a hosted platform that is fully accreditable to meet these requirements.
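
The attribute checks described above (clearance, nationality, organisation, briefings, time) can be sketched as a per-file policy evaluation that also returns the reasons for a denial, so each decision can be audited. This is an added example, not code from archTIS or Kojensi; the classification ordering, attribute names, sample users and the rule that every citizenship held must be releasable are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

LEVELS = {"OFFICIAL": 0, "PROTECTED": 1, "SECRET": 2}  # constructed ordering

@dataclass(frozen=True)
class User:
    name: str
    organisation: str
    nationalities: frozenset          # every citizenship held
    clearance: str
    briefings: frozenset = frozenset()

@dataclass(frozen=True)
class FilePolicy:                     # set per file by the data custodian
    classification: str
    releasable_to: frozenset          # nationalities the file may be released to
    organisations: frozenset
    required_briefings: frozenset = frozenset()
    not_after: Optional[datetime] = None

def decide(user, policy, now=None):
    """Default-deny: returns (allowed, reasons); unknown labels fail closed."""
    now = now or datetime.now(timezone.utc)
    reasons = []
    if LEVELS.get(user.clearance, -1) < LEVELS.get(policy.classification, len(LEVELS)):
        reasons.append("clearance below classification")
    # Assumption: strictest reading, every citizenship held must be releasable.
    if not user.nationalities or not user.nationalities <= policy.releasable_to:
        reasons.append("nationality not releasable")
    if user.organisation not in policy.organisations:
        reasons.append("organisation not authorised")
    missing = policy.required_briefings - user.briefings
    if missing:
        reasons.append("missing briefing: " + ", ".join(sorted(missing)))
    if policy.not_after and now > policy.not_after:
        reasons.append("access window expired")
    return (not reasons, reasons)

# Constructed sample data; organisations, project and users are illustrative.
DRAWING = FilePolicy("PROTECTED", frozenset({"AU", "UK", "US"}),
                     frozenset({"PrimeCo", "SupplierCo"}), frozenset({"PROJECT-X"}))
ALICE = User("alice", "PrimeCo", frozenset({"AU"}), "SECRET", frozenset({"PROJECT-X"}))
BOB = User("bob", "SupplierCo", frozenset({"AU", "FR"}), "PROTECTED", frozenset({"PROJECT-X"}))
CAROL = User("carol", "SupplierCo", frozenset({"UK"}), "OFFICIAL")
if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        print(u.name, decide(u, DRAWING))
```

One policy object per file covers all three users; the same outcome under group-based permissions would need a separate group for each combination of nationality, clearance and briefing.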

Simplifying the management of Export Controlled data

archTIS has developed a highly secure document management and file sharing platform to assist in meeting Export Control requirements out of the box. Kojensi is designed from the ground up to meet the specific security needs of Government, Defence, and the Defence Industry. It is available as a SaaS or on-premises application to meet the needs of SMEs and larger organisations. 

The Kojensi platform helps you meet Export Control obligations by:

  • Protecting sensitive and regulated information via ABAC policies set by the data custodian.
  • Providing secure document editing and co-authoring workspaces. 
  • Enabling secure collaboration with internal and third-party users.
  • Restricting access, usage and sharing of files with unique capabilities including watermarking and read-only viewing.
  • Auditing user interaction and changes made to files, workspaces, and other administrative tasks.

Kojensi is accredited to PROTECTED as a hosted SaaS application and is accreditable to higher classification on-premises. You can be confident that your sensitive and regulated information is protected using the highest standards. In addition, if you are using Microsoft 365 or SharePoint on-premises to manage Export Controlled data, archTIS’ NC Protect product provides the same dynamic ABAC-based controls to enhance security and enforce compliance.  

If you need help managing Export Controlled information, contact archTIS today. 

 
