Global Encryption, Cloud & Cyber Export Controls

Registration and Continental Breakfast

Co-Chairs’ Opening Remarks

Anne Marie Griffin
Director of Trade
Microsoft

Roszel C. Thomsen II
Partner
Thomsen and Burke LLP

FIRESIDE CHAT: U.S. Encryption Controls and China

Thea D. Rozman Kendler
Assistant Secretary of Commerce for Export Administration, Bureau of Industry and Security (BIS)
U.S. Department of Commerce

Moderator:

Brandon L. Van Grack
Partner
Morrison & Foerster LLP

Managing the Real-Life Aftermath of the U.S. Semiconductor and Advanced Computing Rule: Practical Insights on Supply Chain and the Compliance Path Ahead

Joshua Fitzhugh
Vice President, Global Trade
Flex

C. Devi Bengfort Keller
Director, Government Relations
Texas Instruments

Christina Zanette
Assistant General Counsel, Export Compliance
Honeywell

Matt Bell
Global Practice Leader, Export Controls, Sanctions & Trade
FTI Consulting

• What are the short and long-term computing supply chain impacts of BIS’ latest China-focused export controls covering semiconductors and supercomputing technology? As with any complex and novel export control rule involving innovative technologies and supply chains, many anticipate that the new rules will likely have unintended consequences.
• This panel of experts will address the future of the U.S. microelectronics sector and supply chain amid unprecedented regulatory change. Don’t miss practical takeaways for your compliance work ahead!

Extended Networking Break

Practitioner Recommendations for Next Generation Global Multilateral Export Control Regimes

Emily Benson
Senior Fellow, Scholl Chair in International Business
Center for Strategic and International Studies (CSIS)

Mathilde Latour
Global Export Trade Corporate Counsel
Cisco (France)

Richard Tornberg
Group Legal Counsel Trade Compliance
Ericsson AB (Sweden)

• How can next generation multilateral export control regimes answer current regime limitations? How can new digital technologies close important gaps in multilateral export control compliance and enable exports that would otherwise be denied? Attend this session to gain real-world insights for managing evolving regimes and preparing for anticipated changes.

Luncheon

Complying with BIS’ Advanced Computing Controls on China: Decoding Licensing, Impacted ICs, and Gap Analysis

Veronica Palacios
Senior Manager, Global Trade Compliance
Celestica

Mark Renfeld
Senior Export Compliance Manager
Hewlett Packard Enterprise

• Updating licensing requirements for items controlled under ECCNs 5A002 or 5D002 that meet or exceed the performance parameters of the new ECCNs 3A090 or 4A090
• Updating licensing requirements for mass market encryption hardware and software items controlled under ECCNs 5A992 or 5D992
• Restrictions on US persons activities: US persons (citizens, permanent residents, asylees, and refugees) that support the development or production of integrated circuits (IC’s) in China now requires a license
  • What kind of IC’s are involved?
  • What ECCN’s are relevant?
  • Are any license exceptions available?
• Gap analysis: Updating compliance programs to make sure legal, engineering, and trade compliance are all in the loop with these new controls
  • Lontium Semiconductor: A Chinese chipmaker IPO that will test U.S. restrictions and raise questions about Washington’s curbs on ‘U.S. Persons’
• Understanding China’s own encryption requirements
  

Navigating the Finer Points of Category 5, Part Two, the Final “Cyber Rule”

Michael F. Angelo
Chief Security Architect
Micro Focus LLC (Houston, TX)

Doron Hindin
Associate General Counsel, International Trade
McKinsey & Company (Israel)

The long-anticipated “cyber rule” and debated export controls on intrusion software have balanced U.S. foreign policy and national security concerns with the need for maintaining a regulatory framework that allows for legitimate cybersecurity transactions. The language of the interim rule reflected several years of negotiations codified in the multilateral 1996 Wassenaar Arrangement and incorporated significant U.S. stakeholder input received by BIS over the years through its various attempts to propose the controls. How should industry be applying this rule? What questions should they be asking outside counsel to ensure compliance?

• Are items that are being exported outside the U.S. controlled as cybersecurity items?
• Do other standards apply, e.g., ITAR, certain encryption controls, or surreptitious listening or national security controls?
• Mapping the country of destination for these items and its eligibility under License Exception ACE
• Defining the proposed “end users” of these items and whether they would fall within one of the categories of government end users
• Determining the proposed end use or purpose for these items, including whether any exception would apply
• Regulations being proposed that might require companies to maintain a detailed and up-to-date Software Bill of Materials (SBOM)
• Comparing the Cyber Rule with other countries’ cyber-surveillance mitigation efforts

Networking Break

Optimizing Your Encryption Compliance Program: Revisiting Your Organization’s Risk Profile and Detecting Weak Spots

Jason Rhoades
Global Sanctions Director, International Trade Group
Intel

Garisma Kadakia
Global Trade Compliance
Micron Technology

Michelle Aragon
Senior Manager, Trade Compliance
Leonardo DRS

Ajay Kuntamukkala
Partner
Hogan Lovells

• Introduction – 2022 has been a defining year for regulatory compliance. We have had unprecedented sanctions targeting Russia, implementation of UFLPA, and expanded national security focus on export controls within PRC.
• Due Diligence Program – Most companies have a due diligence program in today’s day and age. The ambiguity and frustration stems from how to continue to make it more effective.
• Delve into certain components that companies have integrated within their current processes
• Industry specific challenges – Semiconductor companies, telecommunication companies, aerospace companies, O&G, etc.
• Differences and similarities between different industries
• Working with verified entities – How much due diligence is enough?
• How to conduct a risk assessment as part of your compliance program
• How to manage your compliance program with remote employees

Close of Day One

Registration and Continental Breakfast

Co-Chairs’ Opening Remarks

Anne Marie Griffin
Director of Trade
Microsoft

Roszel C. Thomsen II
Partner
Thomsen and Burke LLP

Russia Sanctions and their Intersection with Encryption Controls

Michael S. Casey
Partner
Wilson Sonsini Goodrich & Rosati (UK)

Sven De Knop
Partner
Sidley Austin LLP

Brian J. Egan
Partner
Skadden, Arps, Slate, Meagher & Flom LLP

Kevin J. Wolf
Partner
Akin Gump Strauss Hauer & Feld LLP

• New policies of denial for items that require a license
• The three new ways in which a foreign-produced item is subject to the EAR
• The expanded scope of the Russia- and Belarus-specific military end-use and military end-user rulesn
• The limited availability of license exceptions
• Deemed export rule issues
• New controls pertaining to the occupied Donetsk and Luhansk regions

Quantum Computing and Cryptography: Perspectives on the Next Wave of End-to-End Encryption

Dr. Venu Ranganathan
Director, Export Compliance
Microsoft

Jai Singh Arun
Global Head of Strategy and Product Management
IBM Quantum Safe Solutions, IBM Research

Dr. Amit Elazari
Head of Cyber Security Policy
Intel

Anne Marie Griffin
Director of Trade
Microsoft

As computers become more powerful, more resources become available via the cloud, and existing cryptographic systems such as PKI are already susceptible to exploitation, it is only a matter of time before data protection is weakened on a global scale. Where does the future of quantum computing stand as well as quantum-based cryptography?

Networking Break

FIRESIDE CHAT

Sanctioning Source Code Versus Privacy

Paul Ahern
Chief Enforcement Counselor
U.S. Department of the Treasury

Following two cyber-attacks on digital transaction tools that provide privacy for cryptocurrency transactions, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned these “currency mixers”. Is sanctioning the source-code behind these digital tools in the name of national security more important than personal privacy?

The Intersection of Export Controls, Sanctions, Human Rights, and Surveillance: Due Diligence Best Practices for Managing Legal and Reputational Risks

Kevin Cuddy
Government & Regulatory Affairs, Export Regulation Office
IBM

Brooks Allen
Counsel
Skadden Arps

• Human rights-based denied party list sanctions and the importance of screening
• Understanding your product portfolio for products of potential concern
• Understanding and implementing government guidance for conducting human rights due diligence
• Best practices for standing up a transactional review process for human rights
• Internal and external multi-stakeholder engagement best practices
• BIS human rights end use controls

India: SCOMET Developments, Encryption Terms of Conditions and Trade Control Updates

Rohit Jain
Partner
Economic Laws Practice (India)

Garima Prakash
Senior Associate
NASSCOM (India)

• Department of Transportation and Internet Service Providers encryption terms of conditions
• Developments under SCOMET
• Proposed amendments in SCOMET related to export of Drones and proposed General Authorization for Export of Drones
• Certification requirements under specific quality control orders
• Updates to India’s customs laws: CAROTAR Rules
• Department of Transportation and Internet Service Providers encryption terms of conditions
• Applying license requirements for exchanging information among subsidiaries under India’s Global Authorization for Intra-Company Transfer (GAICT)
• Certification requirements under specific quality control orders
• Updates to India’s customs laws: CAROTAR Rules
• The new anti-absorption regime and quantitative controls
• The DGTR and the first investigation conducted under India’s Safeguard Measures (Quantitative Restrictions) Rules 2012

Luncheon

Cloud Encryption and Sharing and Storing of Cloud Data: Mitigating Data Privacy and International Tech Transfer Risk

Chris Timura
Of Counsel
Gibson Dunn

Daniel Fisher-Owens
Partner
Berliner Corcoran & Rowe LLP

How are organizations protecting cloud data and what are the most important key encryption features?

• Encryption features
• Key management supported by KMIP
• Granular access controls
• BYOK management support

Combatting Ransomware and Deepfakes

David Aaron
Senior Counsel
Perkins Coie
Former National Coordinator, Non-Traditional Collector Threat, National Security Division, Counterintelligence and Export Control Section U.S. Department of Justice

Tom Winterhalter
Supervisory Special Agent
Federal Bureau of Investigation

Even if your organization has not been the targeted victim of a ransomware or deepfake attack, you have likely felt their impact. The cascade of attacks has caused a ripple effect through value chains, straining almost every organization’s ability to deliver their services and products. What can you do to disrupt the ransomware/deepfake business model?

• Proposed regulations requiring new cyber incident reporting: The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)
• Definitions and criteria of various terms, such as “covered entity,” “covered cyber incident,” “substantial cyber incident,” “ransom payment,” “ransom attack,” “supply chain compromise” and “reasonable belief”
• The expected time and costs associated with reporting requirements
• Deepfakes and related data encryption technology export controls to China
• Maintaining appropriate records of ransomware remedial measures
• Communications with regulatory authorities
• Analyses regarding sanctions and export controls
• Accounting for technical data that an attacker could have accessed, so that such information can be shared with the Department of Commerce’s Bureau of Industry and Security ("BIS")
• If relevant, payments made

Closing Roundtable Discussion: More Takeaways for 2023 and Beyond

Roszel C. Thomsen II
Partner
Thomsen and Burke LLP

Close of Conference