Man the Firewalls: Cyber Intrusions and Compliance Risks under U.S. Export Control Laws

摘要

An epidemic of foreign-based cyber attacks upon the computer networks of U.S. industry presents an array of compliance challenges and questions for companies involved in technologies subject to U.S. export controls. Is the loss or "exfiltration" of export-controlled technology by means of a cyber intrusion an "export" under U.S. export control laws, and could such an exfiltration constitute a violation of such laws? What, if any, obligations does a victimized company have to disclose a cyber attack to the government, and what factors should a company consider in weighing whether to make such a disclosure? Are government-mandated standards for cyber defenses emerging with which companies must now comply in implementing their information security programs? This article addresses these questions in the context of the International Traffic in Arms Regulations ("ITAR"), administered by the U.S. Department of State's Directorate of Defense Trade Controls, and the Export Administration Regulations, administered by the U.S. Department of Commerce's Bureau of Industry and Security.