Export Controls

Issue Summary

Current United States export control laws on computer technology are a legacy of the by-gone Cold War, when their intent was to retard the then Soviet Union and its allies from reaching military parity with the US and its western allies.

Debate has arisen on how US computer controls should be updated and reformed to better serve today's US national security and economic interests. There are three primary aspects to this debate.

Performance-Based Controls. These were mandated by the 1998 National Defense Authorization Act (NDAA), apply to exports to so-called Tier 3 countries and are based on a metric referred to as MTOPS (millions of theoretical operations per second). These controls currently prohibit the export of computers exceeding 85,000 MTOPS and have been raised at six month intervals the last several years in an attempt to keep pace with technological advances in widely available commercial computers. President Bush has cited these controls as having "the shelf life of sliced bread."

Enhanced Proliferation Control Initiative (EPCI). These controls prohibit the export of any US products to proliferators of weapons of mass destruction (WMD). They were established after the Gulf War, as Iraqi efforts had brought concern that low-level technologies, including low-level computers, can aid the development and manufacture of WMD by rogue nations.

Knowledge Controls. US companies are required to obtain export licenses for many of their foreign-born employees before they can work on certain technology projects, even at the companies' US facilities.

Sun's Position

Performance Controls on Computers Are No Longer Effective
High performance commercial computing used to be controllable, and performance-based controls on computers served US national security interests. With today's technologies, this is no longer true for the following reasons:
Due to advances in microprocessor speeds, today's personal computer already exceeds yesterday's supercomputer in computing power. The US is not the only source of high performance computers. Ten of the top 25 manufactureres of mid-range, mainframe and high-end servers are non-US companies. The fastest growing PC company in the world has been China's Legend. Advances in clustering, networking, scalability, and remote access have caused computing power to become easy to purchase or access globally and, therefor, uncontrollable. The US Department of Defense writes, "our ability to control the acquisition of computer hardware is already largely ineffective and will be increasingly so within a very short time frame." President Bush has stated that these controls no longer work. To pretend otherwise is, as the Defense Science Board has written, "at best unhelpful to the maintenance of military dominance, and, at worst, counterproductive."

The Defense Department's Science and Technology Office has recommended that these performance controls be abandoned, and replaced by increased protections on the two areas most critical to the US military's advantages in using computing power for military purposes: specially designed military software and databases.

Recommendations:
Repeal the current statutory requirement for MTOPS-based controls on computers, and subsequently eliminate such performance-based controls entirely; Review and strengthen protections against the export or diversion of specially designed military software and databases.

Proliferation End-User Restrictions Need Improvement
Sun and other US suppliers of commercial computing technology want to prevent potentially dangerous exports to WMD proliferators and rogue nations, and we've incorporated rules, procedures, and technologies to protect against such sales. However, the US government does not publish a list of such WMD proliferators, so a company has no easy way to determine if a potential customer is an end-user of concern. And this becomes even more difficult for any products which are downloaded from the Internet.

If a company does request assistance from the US government, it could wait as long as 18 months for an answer; and if the government identifies the potential customer as an end user of concern, it does so only to the inquiring company, not to that company's competitors.

Under the current EPCI controls, companies are compelled to maintain their own mini-CIA, and they face stiff penalties if their in-house intelligence efforts fall short.

The three international WMD control regimes (Missile Technology Control Regime, Nuclear Suppliers Group and the Australian Group) do not impose controls on commercial computer technology which they consider unimportant for WMD design, testing, or production. The lack of multilateral support makes these controls ineffective.

Recommendations:
Review and improve the EPCI controls, replacing burdensome and ineffective requirements with new procedures built upon US government identification of WMD proliferators; Seek greater multilateral cooperation on export restrictions to WMD proliferators and rogue nations.

Controls on Employee Access Need Improvement
To remain globally competitive, US IT companies must employ the best engineering and technical talent we can find. This often means employing foreign-born engineers and computer scientists. In addition, we are integrating our global engineering sites into an efficient cross-border unit.

US "deemed export" and other controls on the sharing of information and data with foreign-born employees do not recognize these industry developments, and treat these employees -- and their involvement in corporate design and engineering projects -- as though they are external foreign parties.

In doing so, these controls unnecessarily hamper efficient completion of projects within a company, and impose a major, immediate, and increasing burden on US IT companies.

Such controls are responsible for the single largest category of export license applications for US IT companies.

An exemption from these requirements has recently been promulgated for encryption technologies, without harm to US National security.

Recommendation:
Review and reform current requirements that US companies get an export license for each foreign-born employee before allowing access to company-owned commercial information.