Thursday, April 28, 2016

The Oral History of Export Control

Export control regulations are hugely important, and because of that, I and many of us in the software security industry have been sitting in on the ISTAC committee meetings for the last year at the Commerce Department. (Disclosure: I have applied to be on the committee and the White House is reviewing my application.)

These are meetings held by subject matter experts to advise the Commerce Department on how to improve or implement or remove regulations that control anything from Satellite systems to encryption.

I want to take a few minutes to tell you some things that would shock you if you come from an engineering or software development or even a legal background with regards to the process.

No Change Control Management or History

When you write export control regulations you have only an oral history. Nobody knows in the meetings why a particular regulation exists or is worded in any particular way or what the changes are that have gotten it to that point or what other pieces of law it effects or who worked on it or anything that would normally be on GitHub for an equivalent project in the real world.

Some of the things export control regulations are supposed to do are secret (and come from the DoD/IC), but a lot are not, and having a documented trail of what has happened would allow for a much better regulation writing.

No Testing

In the software industry we like to write something called "Unit Tests" for any major codebase. Export control is a kind of giant complicated codebase that lawyers execute to determine criminal liability over technical issues. But in every meeting people are always left guessing at the "intended capture" and "unintended capture" for any particular regulation. This is easy to fix with a simple wiki that links to a set of things you can run through as a checklist. I have done one for unintended captures for the Wassenaar "Intrusion Software" regulations. But it is telling that for most new regulations I've seen there is no specified INTENDED EFFECT. If you had software written like that you would run for the hills.

Basically, right now, we test our export control code in production.

The Future

If I get approved for the ISTAC I will endeavor to examine if it's possible to fix some of these issues, which I see as areas of basic government efficiency and transparency. It's really amazing how accessible the process is if you bother to show up for the meetings and get involved.    

1 comment: