Export Controls |
Issue Summary
Current United States export control laws on computer technology are a legacy of the by-gone Cold War, when their intent was to retard the then Soviet Union and its allies from reaching military parity with the US and its western allies.
Debate has arisen on how US computer controls should be updated and reformed to better serve today's US national security and economic interests. There are three primary aspects to this debate.
Performance-Based Controls. These were mandated by the 1998 National Defense Authorization Act (NDAA), apply to exports to so-called Tier 3 countries and are based on a metric referred to as MTOPS (millions of theoretical operations per second). These controls currently prohibit the export of computers exceeding 85,000 MTOPS and have been raised at six month intervals the last several years in an attempt to keep pace with technological advances in widely available commercial computers. President Bush has cited these controls as having "the shelf life of sliced bread."
Enhanced Proliferation Control Initiative (EPCI). These controls prohibit the export of any US products to proliferators of weapons of mass destruction (WMD). They were established after the Gulf War, as Iraqi efforts had brought concern that low-level technologies, including low-level computers, can aid the development and manufacture of WMD by rogue nations.
Knowledge Controls. US companies are required to obtain export licenses for many of their foreign-born employees before they can work on certain technology projects, even at the companies' US facilities.
Sun's Position
Performance Controls on Computers Are No Longer Effective
High performance commercial computing used to be controllable, and
performance-based controls on computers served US national security
interests. With today's technologies, this is no longer true for the
following reasons:
Due to advances in microprocessor speeds, today's
personal computer already exceeds yesterday's supercomputer in computing
power. The US is not the only source of high performance computers. Ten of
the top 25 manufactureres of mid-range, mainframe and high-end servers are
non-US companies. The fastest growing PC company in the world has been
China's Legend. Advances in clustering, networking, scalability, and
remote access have caused computing power to become easy to purchase or
access globally and, therefor, uncontrollable. The US Department of
Defense writes, "our ability to control the acquisition of computer
hardware is already largely ineffective and will be increasingly so within
a very short time frame." President Bush has stated that these controls no
longer work. To pretend otherwise is, as the Defense Science Board has
written, "at best unhelpful to the maintenance of military dominance, and,
at worst, counterproductive."
The Defense Department's Science and Technology Office has recommended that these performance controls be abandoned, and replaced by increased protections on the two areas most critical to the US military's advantages in using computing power for military purposes: specially designed military software and databases.
Recommendations:
Repeal the current statutory requirement
for MTOPS-based controls on computers, and subsequently eliminate such
performance-based controls entirely; Review and strengthen protections
against the export or diversion of specially designed military software
and databases.
Proliferation End-User Restrictions Need Improvement
Sun and
other US suppliers of commercial computing technology want to prevent
potentially dangerous exports to WMD proliferators and rogue nations, and
we've incorporated rules, procedures, and technologies to protect against
such sales. However, the US government does not publish a list of such WMD
proliferators, so a company has no easy way to determine if a potential
customer is an end-user of concern. And this becomes even more difficult
for any products which are downloaded from the Internet.
If a company does request assistance from the US government, it could wait as long as 18 months for an answer; and if the government identifies the potential customer as an end user of concern, it does so only to the inquiring company, not to that company's competitors.
Under the current EPCI controls, companies are compelled to maintain their own mini-CIA, and they face stiff penalties if their in-house intelligence efforts fall short.
The three international WMD control regimes (Missile Technology Control Regime, Nuclear Suppliers Group and the Australian Group) do not impose controls on commercial computer technology which they consider unimportant for WMD design, testing, or production. The lack of multilateral support makes these controls ineffective.
Recommendations:
Review and improve the EPCI controls,
replacing burdensome and ineffective requirements with new procedures
built upon US government identification of WMD proliferators; Seek greater
multilateral cooperation on export restrictions to WMD proliferators and
rogue nations.
Controls on Employee Access Need Improvement
To remain
globally competitive, US IT companies must employ the best engineering and
technical talent we can find. This often means employing foreign-born
engineers and computer scientists. In addition, we are integrating our
global engineering sites into an efficient cross-border unit.
US "deemed export" and other controls on the sharing of information and data with foreign-born employees do not recognize these industry developments, and treat these employees -- and their involvement in corporate design and engineering projects -- as though they are external foreign parties.
In doing so, these controls unnecessarily hamper efficient completion of projects within a company, and impose a major, immediate, and increasing burden on US IT companies.
Such controls are responsible for the single largest category of export license applications for US IT companies.
An exemption from these requirements has recently been promulgated for encryption technologies, without harm to US National security.
Recommendation:
Review and reform current requirements that
US companies get an export license for each foreign-born employee before
allowing access to company-owned commercial information.