Global Encryption, Cloud & Cyber Export Controls

Registration and Continental Breakfast

Co-Chair’s Opening Remarks

Roszel C. Thomsen II
Partner
Thomsen and Burke LLP

Anne Marie Griffin
Director, Regulatory Affairs
Microsoft

KEYNOTE ADDRESS

Thea D. Rozman Kendler
Assistant Secretary of Commerce for Export Administration, Bureau of Industry and Security (BIS)
U.S. Department of Commerce

The Aftermath of Recent EAR Changes and How Industry is Navigating the Finer Points of ICTS’ Supply Chain/Licensing Interim Rule

Sarah O’Hare O’Neal
Partner, Associate General Counsel, Global Trade
Microsoft

Laura Molinari
Director, Global Trade Policy
Boeing

Kevin J. Wolf
Partner
Akin Gump

Arthur Shulman
Senior Director, International Trade Compliance
General Atomics Aeronautical Systems

• Practical impact of BIS changes: Expected reduced regulatory requirements for US software and technology companies.
  • Elimination of most mass market annual self-classification reports
  • Certain encryption products no longer require formal classification by BIS
  • Removal of notification requirement for publicly available encryption source code
  • Encryption changes for software development
  • Overall impacts on business operations and investments
• Securing the Information and Communications Technology and Services Supply Chain (ICTS) Interim Rule and licensing ANPRM
  • Industry concerns around the broad scope of covered ICTS transactions, unclear definitions and terms, duplicate agency review, and retroactive application
  • Responses to the ANPRM: Would a voluntary process reduce industry licensing burden? Should safe harbor provisions be created?
• ITAR: Temporary modifications to Category XI of USML
  • Overall impacts on business operations and investments
  • Risk mitigation around leveraging ITAR encryption carveout

Extended Networking Break

SPECIAL ADDRESS AND Q&A

New EU Dual-Use Regulation, the Recast

Stephane Chardon
Head of Sector, Dual Use Export Controls
European Commission

The Recast in Real Life: The Most Critical Takeaways from The New EU Dual-Use Regulations and New Catch-All Cyber Surveillance Clause

Kostas Katsoulis
Director - Global Trade Compliance
Cardinal Health

Sven De Knop
Partner
Sidley Austin LLP

On September 9th, 2021, the EU’s recast of the Dual-Use Regulation (Council Regulation No. 2021/821, hereinafter the “Regulation”) entered into force. The recast represents the culmination of five years of consultation at the EU, leading to the formal endorsement of the revised text to the Regulation by the European Council in May 2021. The Regulation replaces the previous EU dual use regulation, Council Regulation (EC) 428/2009.

• Reconciling the previously applicable EU regulations of EC Dual-Use Regulation 428/2009 with those of the new Dual-Use Regulation
• The new catch-all provision requiring authorization for the export of non-listed cyber-surveillance items
  • The definition of “cyber-surveillance items”
• Article 8: Authorization requirements for provision of technical assistance related to dual-use items related to weapons of mass destruction
• Article 9: National authorization requirements for dual-use items that can promote human rights abuses. How will such measures impact exports from other member states?
• The new definition of “provider of technical assistance” captures scenarios
• Unilateral export controls for non-listed items where the Member State deems those controls necessary
• Expansion of controls on “brokering services” involving dual-use items
• New General Export Authorizations (“GEAs”) with regards to the intra-group export of software and technology (GEA EU007); and encryption items (GEA EU008)
• Export control compliance program requirements
• What positive/negative issues does the new regulation present for exporters?

Networking Lunch

Insights into the Present and Future of U.S.-China Trade Relations

Jeff Rittener
Chief Trade Officer, General Manager International Trade Group
Intel

Christopher Millward
President and Managing Director
United States Information Technology Office (USITO)

Matt Bell
Global Practice Leader, Export Controls, Sanctions & Trade
FTI Consulting

How Companies are Implementing China’s New Data Security and Export Control Laws: The Finer Points of Navigating Grey Areas Affecting Data Transfers, Classification

Yan Luo
Partner
Covington & Burling (China)

Wendy Wysong
Partner
Steptoe & Johnson LLP (Hong Kong)

Jeff Rittener
Chief Trade Officer, General Manager International Trade Group
Intel

Matt Bell
Global Practice Leader, Export Controls, Sanctions & Trade
FTI Consulting

With complex requirements affecting usage, collection, and protection of data, China’s Data Security Law came into effect on September 1, 2021. How can industry navigate murky, grey areas of the law? Which data processing activities might trigger national security review requirements?

• Cross border data transfer requirements: Compliance requirements for data intermediary service providers. What are the penalties for violation?
• Data classification challenges under Article 21
• Managing ambiguous, and more restrictive cross-border transfer rules
• National security review requirements
• Which Chinese regulator will be in charge? Why this is burdensome for business
• How does the Data Security Law differ from the Personal Information Protection Law (effective November 1, 2021)?
• What are strategies businesses should keep in mind to ensure compliance?
• Updates on China’s Export Control Law (ECL) and China’s Catalog of Technologies Prohibited and Restricted from Export

Networking Break

U.S. Cyber-Rule Update: Status and Impact of The BIS Interim Final “Intrusion Software” Rule

Melissa Duffy
Partner, Trade and National Security
Fenwick & West LLP

Caroline Murray Walsh
Senior Director & Associate General Counsel, Enterprise Services Global Trade
Raytheon Technologies

Waqas Shahid
Senior Managing Director
Ankura Consulting

It has been almost a decade in the making and new U.S. export controls on “cybersecurity items” have arrived, including products and technology involving “intrusion software” and IP network communications surveillance. What are the compliance obligations and practical implementation challenges-and how to resolve them?

• What is a covered “cybersecurity item”?
• Does License Exception ACE apply?
• Results of BIS’ stakeholder engagement exercise, inviting industry comments on the expected impacts of the rule, including how it may deter, restrict or overburden legitimate cybersecurity research, defensive activity, and incident response.

Close of Day One and Champagne Toast

Registration and Continental Breakfast

Chair’s Opening Remarks

Roszel C. Thomsen II
Partner
Thomsen and Burke LLP

AI, BCI and More Emerging Technologies: Perspectives on the Next Wave of New, Anticipated Export Controls

Mathilde Latour
Global Export Trade Corporate Counsel
Cisco (France)

Josephine Aiello LeBeau
Partner
Wilson Sonsini Goodrich & Rosati

• Brain computer interface technologies (BCI): BIS’ Advance notice of proposed rulemaking (ANPRM) that would question BCI’s ethical and policy issues
• Potential new license requirements for surveillance technologies used for crowd control, facial recognition, machine learning, and biometric/AI technologies
  • Potential controls around quantum computing
• State of BIS’ review of China-related export controls for surveillance technologies

Combatting Ransomware: Practical Know-How for Mitigation and Resilience

Megan Stifel
Chief Strategy Officer
Institute for Security and Technology (IST)

Beau Woods
Senior Advisor and Strategist, Cyber Security and Infrastructure Security Agency (CISA)
Department of Homeland Security

Tom Winterhalter

Federal Bureau of Investigation

Even if your organization has not been the targeted victim of a ransomware attack, you have likely felt their impact. The cascade of attacks has caused a ripple effect through value chains, straining almost every organization’s ability to deliver their services and products. What can you do to disrupt the ransomware business model?

• Colonial Pipeline ransomware attack case study: DOJ seizes $2.3 million in cryptocurrency paid to ransomware extortionists Darkside
• The Ransomware Task Force: Foundational mitigation recommendations
  • A carrot-and-stick approach to direct nation-states away from providing safe havens to ransomware criminals
  • A sustained, aggressive, whole of government, intelligence-driven anti-ransomware campaign
  • Governments should establish Cyber Response and Recovery Funds to support ransomware response
  • Internationally coordinated efforts to develop a clear, accessible, and broadly adopted framework to help organizations prepare for, and respond to, ransomware attacks
  • The cryptocurrency sector that enables ransomware crime should be more closely regulated
  • Cyber Security and Infrastructure Security Agency (CISA) undertakes a renewed push for cyber preparedness and resilience, as well as decision support for stakeholders within critical infrastructure sectors
• A victim’s advocate perspective on mitigation measures

Networking Break

Human Rights Due Diligence and Surveillance and Risk Mitigation Considerations: Five Eyes, Entity List Additions, State Department and BIS Guidance

Cindy Cohn
Executive Director
Electronic Frontier Foundation

Roszel C. Thomsen II
Partner
Thomsen and Burke LLP

• Five Eyes: Is the alliance in trouble over China?
• BIS’ addition of 34 entities to the Entity List
• U.S. Department of State guidance on implementing the “UN Guiding Principles” for transactions linked to foreign government end-users of surveillance capabilities
• Using data to provide insights into future crises: Developing what has been called “anticipatory intelligence”
• Due diligence and risk mitigation considerations: BIS’ Know your customer guidance

Networking Lunch

DRONE SURVEILLANCE CASE STUDY

Andrés Arrieta
Director of Consumer Privacy Engineering
Electronic Frontier Foundation

David Kovar
Founder and CEO
URSA Inc.

Leesa Smith-Papier
Director, Office of National Security Programs & Incident Response
Federal Aviation Administration

Surveillance drones or unmanned aerial systems (UASs) raise significant issues for privacy and civil liberties. What are the risks that drone technology can pose to security, privacy, and human rights? In this case study, learn more about drone mechanisms and the technology’s future growth prospects.

Closing Roundtable Discussion

Close of Conference