enterprisesecuritymag

How Emerging Export Control Rules Will Impact Emerging Technology Companies

By Sanjay Mullick, Partner, Kirkland & Ellis LLP And William Phalen, Associate at Kirkland & Ellis LLP and Mario Mancuso, Partner & Leader, International Trade and National Security Practice

Sanjay Mullick, Partner, Kirkland & Ellis LLP

The U.S. government is in the process of developing regulations that stand to have a meaningful impact on U.S. companies developing leading-edge technologies such as in artificial intelligence, robotics and quantum computing. These “export controls” which stand to be imposed by the U.S. Department of Commerce Bureau of Industry and Security (“BIS”) will affect to which countries companies can sell their products and services, as well as their development partners. This initiative is taking place against a larger backdrop of concerns that China poses a risk to U.S. national security and has become a strategic competitor of the United States in important advanced technologies such as 5G telecommunications. U.S. companies need to watch this space, as it will impact their business opportunities and compliance requirements going forward.

"The U.S. government is concerned that companies in the artificial intelligence space are strongly incentivized to share data sets, including information on U.S. persons, internationally at risk to national security"

Several Technologies are in Focus

When the regulatory process began pursuant to a November 2018 Advanced Notice of Proposed Rulemaking, BIS proposed 14 categories of technologies, on which to impose export controls. They implicate technologies with applications in, for example, autonomous driving, cloud computing, facial recognition, neural networks, and 3D printing. The categories are:

Concerns about Encryption

At its annual conference in July 2019, BIS officials expressed concerns about how emerging technologies particularly in the areas of artificial intelligence and quantum computing can impact the effectiveness of encryption, triggering national security concerns.

Artificial intelligence systems rely on encryption to protect sensitive information and data, such as the large data sets that are required to facilitate machine learning. Sharing such data securely is one of the biggest roadblocks to the mainstream implementation of artificial intelligence solutions, but it will be increasingly valuable for companies to provide data access to larger groups of collaborators so that they can extract intelligence from it. The U.S. government is concerned that companies in the artificial intelligence space are strongly incentivized to share data sets, including information on U.S. persons, internationally at risk to national security. BIS has indicated that it intends in certain cases to control the exchange of such data if the “end use” is an emerging technology such as artificial intelligence.

William Phalen, Associate at Kirkland & Ellis LLP and Mario Mancuso, Partner & Leader, International Trade and National Security Practice

Currently, cyber defenses rely heavily on the fact that it would take even the most powerful classical supercomputers an inordinate amount of time to unravel the cryptographic algorithms that protect data, computer networks, and other digital systems. But computers that harness quantum bits, or “qubits,” promise to deliver exponential leaps in processing power that could break today’s best encryption. BIS’s primary national security concern in this respect is that whichever country reaches quantum computing “supremacy” could unravel the cryptographic algorithms the world currently relies on, necessitating export controls before that occurs.

Export Controls Can Affect Many Activities

As part of its rule-making process, BIS is considering views from U.S. industry on whether export controls in these areas may impact innovation and access to international markets. This is relevant because export controls extend far beyond the physical shipment of goods out of the U.S. Under U.S. law, an “export” can also include:

• electronic transfers of technical information such as code and specifications;
• outsourcing of design and production; and
• technical training.

For example, though merely using software in a cloud currently may not be captured for these purposes, an “export” can include foreign remote access to source code and technical data in a cloud, such as algorithms on servers located in the U.S., as well as the release of technical information to foreign nationals, including in the U.S.

Commercial Impact

This broad sweep of export controls can mean that sales and the provision of services to certain customers or markets, or the employment of or contracting with certain foreign nationals or entities, all are prohibited without prior authorization. Such measures to limit or prevent foreign parties from gaining access to sensitive U.S. technology can impact many other types of transactions, such as M&A, investments, joint ventures, licensing arrangements, strategic alliances and collaboration with multinational enterprises.

Compliance Impact

Export controls can mandate U.S. government licensing without which activities implicating access to controlled technology may not commence or continue. These restrictions can also prompt companies to implement significant security measures, such as access restrictions for electronic data stored on shared drives and other systems. If technologies are subject to export controls, it becomes necessary to establish and implement effective compliance programs to avoid violations that can result in severe fines and penalties.

Headwinds Lie Ahead

The aim is to have export control regulations on emerging technologies in place in early 2020. Alongside this effort is a parallel process to impose export controls on “foundational technologies,” those that are mature and can be used in a wide variety of applications, potentially extending, e.g., to certain open source software and technology. These regulatory initiatives emanate from the Foreign Investment Risk Review Modernization Act of 2018 and the Export Control Reform Act of 2018, laws which significantly expanded the scope of foreign investment transactions subject to review by the Committee on Foreign Investment in the United States (“CFIUS”) and required BIS to modernize U.S. export controls. As a congressionally mandated undertaking, it is more likely meaningful export control rules will be imposed.

External forces may also have an impact on the ultimate contour of the regulations. This initiative is taking place within the larger “trade war” between the U.S. and China in light of U.S. concerns that China forces U.S. companies to transfer their technology and that it engages in theft of U.S. intellectual property. To the extent the Trump administration believes it has not yet achieved its objectives or to the extent China retaliates, restrictions such as those on the export of emerging technologies, may be more severe. Geopolitics makes it difficult to predict exactly what is going to happen. However, what does appear certain is that the regulatory landscape for companies involved with emerging technologies is set to become more complicated.

Check out: Top Encryption Solutions Companies

Read Also

Augmenting Cybersecurity in Healthcare Industry

Augmenting Cybersecurity in Healthcare Industry

Robert Napoli, CIO, Planned Parenthood of the Great Northwest and the Hawaiian Islands
Creative Solutions for Developing the Public Sector Cybersecurity Workforce

Creative Solutions for Developing the Public Sector Cybersecurity Workforce

Gregory Crabb, CISO, VP, United States Postal Service
Information Security: Your People, Your First Line of Defense

Information Security: Your People, Your First Line of Defense

Eddie Borrero, CISO, Robert Half [NYSE:RHI]
The Need of the Hour: Encryption

The Need of the Hour: Encryption

Frank J. Cilluffo, Director, Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security and the Center for Cyber and Homeland Security

Weekly Brief