Pre-Conference Workshops

Fundamentals of U.S. Encryption Controls: What Every Legal and Compliance Professional Should Know About Key Concepts, Pitfalls, Requirements, and Latest Developments

Mar 26, 2018 9:00am – 12:30pm

Speakers

Vicki Wilkerson
Senior Global Trade Manager
Salesforce (San Francisco, CA)

David Badley
Trade Control Specialist
Boeing Global Trade Controls (Seattle, WA)

Ajay Kuntamukkala
Partner
Hogan Lovells

Advanced Topics in U.S. Encryption Controls: Case Studies on How to Solve the Most Pressing Classification and Program Implementation Challenges

Mar 26, 2018 1:30pm – 5:00pm

Speakers

Tammie Rostant
Global Trade Compliance Mgr, Legal
McAfee (Plano, TX)

Winnie Luk
Senior Global Trade Compliance Manager
Oracle Corporation (San Francisco, CA)

Michael Gershberg
Partner
Fried, Frank, Harris, Shriver & Jacobson LLP (Washington, DC)

Day 1 - Tuesday, March 27, 2018

8:00
Registration Begins and Continental Breakfast
8:30
Conference Co-Chairs’ Opening Remarks
8:45
Compliance Expectations for 2018 and Beyond: A Discussion with U.S. and Foreign Encryption, Cloud and Cyber Government Officials
9:45
New EU Export Controls for Cyber Security and Surveillance Tools: How ‘End-Use’ Continues to Impact Encryption, Cyber, and Cloud Technologies
10:45
Refreshment Break
11:00

CHINA

The New Chinese Cybersecurity Law and Draft Encryption Law— What Does Compliance Now Involve in Practice?
12:30
Networking Lunch
1:45

RUSSIA

How US Companies are Meeting FSB and FSTEC Registration/ Permitting Requirements and U.S. Sanctions Requirements/ Authorizations from OFAC and BIS
2:45

MOCK NEGOTIATION

How Cloud Suppliers and Purchasers Can Approach Liability Risk and Compliance over the Contract Lifecycle
3:30
Refreshment Break
3:45

KEYNOTE

India: Substantial Changes to Export Control Regulations
4:15

EAR99 vs. Category 5

How Exporters are Managing De-Controlled Encryption Products, the Internet of Things, and the Interplay with Foreign Requirements
5:00

WASSENAAR ROUNDTABLE DISCUSSION

Status Report on 2017, and Goals and Objectives in 2018
5:45
End of Main Conference Day One

Day 2 - Wednesday, March 28, 2018

8:00
Registration Begins and Continental Breakfast
8:30
Conference Co-Chairs’ Remarks
8:35

BENCHMARKING SESSION

Dovetailing Complex U.S. and Foreign Encryption Requirements in Practice: Industry’s Latest, Best Practices for Meeting Global Compliance Requirements
9:45
The Convergence of Export Controls and Human Rights: Practical Insights on the Human Rights Implications for Analytics and Other Types of “Surveillance” on Software Communication
10:45
Refreshment Break
11:00

SINGAPORE

New & Emerging Rules for Encryption, Cloud and Cyber Controls
11:30

KEYNOTE

The Netherlands: A Comprehensive Update of Encryption Controls
12:00
Special Focus on the Dark Caracal Case Study
12:45
Networking Luncheon
2:15

ISRAEL

How to Streamline Import Licensing and Permitting Requirements Amid Heightened Enforcement
3:15

HONG KONG

How to Apply the New U.S. Pre-Classification Requirement and Streamline Local Import Licensing with TID
4:15
Networking Break
4:30

HYPOTHETICAL SCENARIOS

How Controls on Cyber Tools are Applied in Multiple Jurisdictions
5:15
OPEN Q & A SESSION
5:45
Co-Chairs’ Closing Remarks and Conference Concludes

Day 1 - Tuesday, March 27, 2018

8:00
Registration Begins and Continental Breakfast
8:30
Conference Co-Chairs’ Opening Remarks

Matt Bell
Chief Export Compliance Officer, Legal Counsel
ZTE (USA) Inc. (Richardson, TX)

Roszel Thomsen
Partner
Thomsen & Burke (Baltimore, MD)

8:45
Compliance Expectations for 2018 and Beyond: A Discussion with U.S. and Foreign Encryption, Cloud and Cyber Government Officials

Joseph P. Whitehead
Special Agent in Charge Office of Export Enforcement Bureau of Industry and Security
U.S. Department of Commerce (San Jose, CA)

Stéphane Chardon*
Head of Sector, Strategic Export Controls
European Commission (Brussels, Belgium)

Mathilde Latour
Domestic and Export Control Unit
French Network and Information Security Agency (ANSSI) (Paris, France)

Moderator:

Dan Fisher-Owens
Partner
Berliner Corcoran & Rowe LLP (San Francisco, CA)

Please consult the event website for special announcements. In this moderated discussion and extended Q&A, regulatory officials from the U.S. and foreign jurisdictions will offer their insights on global priorities for 2018. Topics will include:  

  • How the agencies are recalibrating global priorities
  • Hot button issues in US, EU, and Asian regimes
  • How regulators continue to address national security through the medium of export controls
  • Where can industry expect to strengthen their export compliance strategy?

9:45
New EU Export Controls for Cyber Security and Surveillance Tools: How ‘End-Use’ Continues to Impact Encryption, Cyber, and Cloud Technologies

Mathilde Latour
Domestic and Export Control Unit
French Network and Information Security Agency (ANSSI) (Paris, France)

Brian Mulier
Partner
Bird & Bird (The Hague, Netherlands)

Joshua D. Fitzhugh
Counsel
Clifford Chance LLP (Washington, DC)

Sol Brody
Vice President, Global Trade
Raytheon (Washington, DC)

Please consult the event website for special announcements.  

  • What the new cyber regulations in the EU mean to U.S. companies
  • How industry is meeting new export controls in the EU with robust compliance and cybersecurity protocols to ensure compliance
  • Managing the overlap between government and surveillance systems used to monitor communications
  • The role of Human Rights Organizations and other NGOs

10:45
Refreshment Break
11:00

CHINA

The New Chinese Cybersecurity Law and Draft Encryption Law— What Does Compliance Now Involve in Practice?

Timothy Wineland
Deputy Assistant USTR for China Affairs
Office of the U.S. Trade Representative (Washington, DC)

Brian Falbo
Legal Director
Dell (Austin, TX)

Eric Carlson
Partner
Covington & Burling LLP (Shanghai, China)

  • Latest insights on the trade relationship between China and United States with reference to encrypted technologies and cyber tools
  • The purpose, scope, and definitions supporting the Cybersecurity and Draft Encryption Laws
  • Managing uncertainties of the implementation for these requirements
  • What are the elements of an effective compliance program taking into account China’s new Cybersecurity and Draft Encryption Law?
  • How companies can comply with and mitigate the risk of local enforcement

12:30
Networking Lunch
1:45

RUSSIA

How US Companies are Meeting FSB and FSTEC Registration/ Permitting Requirements and U.S. Sanctions Requirements/ Authorizations from OFAC and BIS

Michael A. Vatis
Partner
Steptoe & Johnson LLP (New York, NY)

  • Updates on Russia’s classification scheme and advance registration/permitting process
    • Mass market encryption items
  • Managing corruption risks around the classification and permitting process
  • FSTEC Certification dos, don’ts, and licensing requirements
  • How companies are approaching compliance
  • Revised guidelines for carrying electronic devices for employee travel

2:45

MOCK NEGOTIATION

How Cloud Suppliers and Purchasers Can Approach Liability Risk and Compliance over the Contract Lifecycle

Dan Fisher-Owens
Partner
Berliner Corcoran & Rowe LLP (San Francisco, CA)

Shiva Aminian
Partner
Akin Gump Strauss Hauer & Feld LLP (Los Angeles, CA)

In this interactive negotiation and Q&A, speakers will dissemble Cloud User-Provider situations to define best practices for risk allocation from both sides.  

  • If you are a cloud provider, do you take on unlimited risk for data security?
  • As a cloud user, what kind of liability do you place on your provider?
  • What should I be looking for as a user/ supplier of cloud computing services?
  • Negotiations around ITAR – am I using/ creating an ITAR-compliant environment?

3:30
Refreshment Break
3:45

KEYNOTE

India: Substantial Changes to Export Control Regulations

Rohit Jain
Partner
Economics Laws Practice (Mumbai, India)

4:15

EAR99 vs. Category 5

How Exporters are Managing De-Controlled Encryption Products, the Internet of Things, and the Interplay with Foreign Requirements

Laura Webster Kersiek
Global Export Compliance Manager
Netflix (Los Gatos, CA)

Melissa L. Duffy
Partner
Hughes Hubbard & Reed LLP (Washington, DC)

  • How to determine whether encryption products may be de-controlled as EAR99
  • What types of products typically qualify for de-control
    • Evaluating examples such as medical products, industrial equipment controllers, entertainment items and more
  • Mismatch with US 5A/D992 mass market controls having no equivalent in other WASSENAAR countries
  • How to evaluate the product’s core or primary function to do business in China and Russia

5:00

WASSENAAR ROUNDTABLE DISCUSSION

Status Report on 2017, and Goals and Objectives in 2018

Mathilde Latour
Domestic and Export Control Unit
French Network and Information Security Agency (ANSSI) (Paris, France)

Rohit Jain
Partner
Economics Laws Practice (Mumbai, India)

Please consult the event website for special announcements. Gain first-hand insights from government decision-makers about possible changes to the compliance landscape going forward.  

  • Wassenaar positive list – what has changed in practice? What still needs to be done?
  • New Issues: IOT, ‘cryptographic activation’, cyber-surveillance and intrusion software
  • New and anticipated changes to intrusion software and network surveillance controls

5:45
End of Main Conference Day One

Day 2 - Wednesday, March 28, 2018

8:00
Registration Begins and Continental Breakfast
8:30
Conference Co-Chairs’ Remarks
8:35

BENCHMARKING SESSION

Dovetailing Complex U.S. and Foreign Encryption Requirements in Practice: Industry’s Latest, Best Practices for Meeting Global Compliance Requirements

Alexandra S. Haney
Group Export Control, Counsel
BAE Systems plc. (London, United Kingdom)

Kathleen Gebeau
Senior Director, Export Compliance
Qualcomm (San Diego, CA)

Moderator:

Dan Fisher-Owens
Partner
Berliner Corcoran & Rowe LLP (San Francisco, CA)

Take this opportunity to benchmark with peers. Gain insights on the latest, best practices to create compliant protocols in a rapidly changing regulatory landscape—accounting for regimes currently undergoing reform and countries that are passing entirely new legislation.  

  • How to work with partners in different countries and incorporate global encryption regulations into the earliest, product development stages
  • Tips for staying on top of Wassenaar and country-by-country legislation according to where you do business
  • Creating an adaptable global policy to account for both existing and emerging regulation
  • How U.S. export laws intersect foreign requirements with now de-controlled products, re-exports, and more

9:45
The Convergence of Export Controls and Human Rights: Practical Insights on the Human Rights Implications for Analytics and Other Types of “Surveillance” on Software Communication

Mark Renfeld
Senior Manager, Trade Compliance
Veritas Technologies (Roseville, CA)

Sanjay Mullick
Partner
Kirkland & Ellis LLP (Washington, DC)

  • Best practices for companies to self-regulate software, communication, and social media
  • How do you control and encourage for your company’s multi-use ‘analytics’ and ‘surveillance’ technologies to be utilized in the right way?
  • Managing due diligence, reputational risk, and ethical implications for your business

10:45
Refreshment Break
11:00

SINGAPORE

New & Emerging Rules for Encryption, Cloud and Cyber Controls

Karmi Leiman
Senior Director of Trade Compliance
GlobalFoundries (Santa Clara, CA)

Nelson G. Dong
Partner Head, National Security Group Co-Head, Asia Group
Dorsey & Whitney LLP (Seattle, WA)

  • Evaluating new and anticipated encryption controls that could affect your compliance status
  • Which Southeast Asian countries are looking to adopt policies under the WASSENAAR— and which are not
  • What does Singapore’s new export control regime mean for companies in practice?
  • How are the agencies enforcing regulation, and what can trigger suspicion
  • Scope of liability for non-compliance

11:30

KEYNOTE

The Netherlands: A Comprehensive Update of Encryption Controls

Tim van Essen LLM MSc
Policy Advisor
Ministry of Foreign Affairs Directorate – General for Foreign Economic Relations – Export Control and Strategic Goods (The Hague, Netherlands)

Gain insights on how the Netherlands is preparing a comprehensive update of its encryption controls.

12:00
Special Focus on the Dark Caracal Case Study

Michael Flossman
Security Research Services Lead
Lookout (San Francisco, CA)

Eva Galperin
Director of Cybersecurity
Electronic Frontier Foundation (San Francisco, CA)

In January, EFF and Lookout announced a new report, Dark Caracal, that uncovers a new, global malware espionage campaign. Gain insights on how this study impacts the cyber landscape.

12:45
Networking Luncheon
2:15

ISRAEL

How to Streamline Import Licensing and Permitting Requirements Amid Heightened Enforcement

Heather A. Stone
Partner
GKH Law Offices (Tel Aviv, Israel)

  • Current compliance and enforcement landscape, scope, and application
  • How U.S. companies can mitigate newfound enforcement risks
  • When and how to obtain a license to engage with Israel
    • Supply chain issues
    • Encryption layering in different countries
    • Guidance for small and large companies

3:15

HONG KONG

How to Apply the New U.S. Pre-Classification Requirement and Streamline Local Import Licensing with TID

Sally Peng
Member
Sandler, Travis & Rosenberg (Hong Kong)

Chris Gondara
Director of Compliance
Marvell Semiconductor Inc. (Santa Clara, CA)

  • The ‘No Undercut’ Rule: How Hong Kong is working with the U.S. to make sure license requirements are not getting undermined
  • How U.S. manufacturers are creating robust import and export processes to move product quickly
  • How to work with TID to secure licenses— guidance on rules, forms, and authorizations
  • Managing your supply chain, including resellers, customs brokers and customers

4:15
Networking Break
4:30

HYPOTHETICAL SCENARIOS

How Controls on Cyber Tools are Applied in Multiple Jurisdictions

This session will expand upon issues related to cyber tools and the elements of successful compliance programs. Led by the Co-Chairs, this discussion will focus on how to resolve complex hypothetical issues and update your compliance protocols. Designed as an additional benchmarking opportunity, participants will gain real-time knowledge on how to apply the requirements.

5:15
OPEN Q & A SESSION

Faculty members will take your questions and provide further insights on how to manage real-world compliance challenges in practice. Take this time to ask any outstanding questions and further clarify anything discussed over the course of this event.

5:45
Co-Chairs’ Closing Remarks and Conference Concludes

Fundamentals of U.S. Encryption Controls: What Every Legal and Compliance Professional Should Know About Key Concepts, Pitfalls, Requirements, and Latest Developments

Mar 26, 2018 9:00am – 12:30pm

Vicki Wilkerson
Senior Global Trade Manager
Salesforce (San Francisco, CA)

David Badley
Trade Control Specialist
Boeing Global Trade Controls (Seattle, WA)

Ajay Kuntamukkala
Partner
Hogan Lovells

What is it about?

This session is designed both for attendees new to encryption controls and for those who would like an in-depth refresher before the more advanced discussions of the main program. Take part in this practical and interactive working group as experts discuss the current state of U.S. Encryption Controls—with a focus on building and maintaining strong protocols to ensure compliance.  
  • What is symmetrical and asymmetrical encryption?
  • Technical details of the history and current state of encryption
  • Nuances of U.S. Export Control laws for encryption technologies, cloud computing, and cyber export controls
    • What is an encryption item and how does the EAR treat them differently?
    • Determining whether a product contains or uses externally provided encryption functionality
  • Classification of Encryption Items
    • Primary Function Tests (Former Note 4)
    • Decontrolled Cryptographic Functions
  • When to self-classify and when to obtain CCATS from BIS
    • License Exception ENC
    • Mass Market
  • Open Source Encryption
  • Reporting requirements
  • Summary of recent regulatory changes and impact on legacy classifications/controls
  • Encryption licensing – when you need an encryption licensing arrangement (ELA) or an individual license

Advanced Topics in U.S. Encryption Controls: Case Studies on How to Solve the Most Pressing Classification and Program Implementation Challenges

Mar 26, 2018 1:30pm – 5:00pm

Tammie Rostant
Global Trade Compliance Mgr, Legal
McAfee (Plano, TX)

Winnie Luk
Senior Global Trade Compliance Manager
Oracle Corporation (San Francisco, CA)

Michael Gershberg
Partner
Fried, Frank, Harris, Shriver & Jacobson LLP (Washington, DC)

What is it about?

Now that you are up-to-speed on the basics, learn and problem-solve alongside industry practitioners to clarify gray areas of U.S. Encryption Controls in practice. Here, our expert-level workshop leaders will shed light on how to resolve pressing, complex cryptography issues, the toughest classification challenges, the former Note 4, and more.  
  • Proprietary encryption source code and technology exports
  • EAR Jurisdiction over foreign-developed products that use US-origin encryption items
  • Non-standard cryptography
  • Communications Interception items and Surreptitious Listening controls
  • ENC (b)(2) Products –
    • When to rule products out under the “network infrastructure” definition
    • Cryptanalytic commodities in (b)(2) versus advanced network vulnerability analysis and digital forensics in (b)(3)
    • Encryption technology
  • ENC (b)(3) Products –
    • What is an encryption component
    • Cryptographic activation products
    • Intersection of ENC (b)(3) and mass market
  • Mass Market Products
    • When can products not oriented towards individual consumers still qualify for mass market treatment
    • What types of sales models could support a mass market determination
    • Navigating the mass market provision for components
  • Non-Cryptographic Information Security Classifications
    • 5A003 Systems, equipment and components, for non-cryptographic information security
    • 5A004 Systems, equipment and components for defeating, weakening or bypassing information security
  • Classification Strategies
    • When to self-classify versus requesting a voluntary CCATS under ENC (b)(1)
    • CCATS advocacy – tips for presenting your best case and how to communicate with BIS during the process
    • Best practices for preparing and documenting self-classifications
  • ITAR encryption controls