It's been fully 15 months since this blog first reported that BIS was contemplating additional restrictions on exports to the Chinese military. Since then, we and others have spilled a generous amount of digital ink on the subject of the proposed China military end-use rule. (Minor digression -- as late as October of last year, Bureau of Industry and Security (BIS) officials were talking about a "Conventional Catch-All" proposal and disavowing any specific connection to China. Not long after Update 2005, they dropped the pretense.)
Now the government seems to be picking up the pace, formally publishing its proposal last month and holding four public meetings on it over the past week and a half. There's still ample time to comment on their regulation (until November 3), but many companies are now considering how the rule, as written, would impact their businesses and compliance programs.
For those of you who aren't yet familiar with the general outline of the BIS proposal, here's the one-sentence summary -- the proposed rule would require exporters/reexporters to seek a license from BIS to export/reexport items classified under certain ECCNs to China if they know the items are intended for a military end-use. There's certainly more to it than that, which is why you should read the whole thing, but that's the idea in a nutshell.
Today let's focus on how the new regulation could change the way US companies export encryption products to China. Frankly, this proposal's treatment of cryptography is very strange, though probably unintentionally so. It seems to leave high-strength encryption products eligible for License Exception ENC's unrestricted flavor untouched. 5A002 and 5D002 aren't on the draft list (intended for a new Supplement No. 2 to Part 744 of the EAR) of items destined to be subject to the military end-use license requirement. (Anything eligible only for ENC Restricted would probably require a license for export to China for a military end-use anyway, since the consignee would most likely be considered a government end-user. If you're not versed in US export controls on encryption, take a gander at the published BIS guidance.)
Fair enough. It's not like exporters are going to complain about their ECCNs being left off the list of stuff about to get slapped with additional controls. But then things get weird. 5A992 and 5D992 are listed in Supp. 2. Sure, much of the content of those ECCNs is carved out, including all mass market, short range wireless, and limited functionality crypto. What's not carved out? Weak (i.e. ≤ 56-bit) non-mass market encryption. Huh? So I can continue to export ENC Unrestricted-eligible 5X002 crypto of unlimited strength for a military end-use in China, but not a weaker 5X992 version of that same product?
Looks to me like maybe BIS overlooked the intricacies of their own highly complex encryption controls. After all, a straight reading of the CCL and the Country Chart would indicate that a license is already required to export NS1-controlled 5X002 items to China...so no need to include it on the list of stuff subject to the new rule, right? Except that ENC overcomes the NS controls for 5X002 hardware and software. And China is an eligible destination under ENC. So if you make a weak non-mass market encryption product, why bother with 5X992? Just upgrade the encryption, get a review for ENC Unrestricted eligibility and export away for as many Chinese military end-uses as you like. And if your product is already approved for ENC Unrestricted, you're equally good to go.
In actuality, BIS will almost certainly clean up this contradiction before the rule goes final. My guess is that they will add the 5X002 ECCNs to Supplement No. 2 or specify limits on the use of ENC.
Would anyone who attended the public meetings care to comment? Did the BIS staff address encryption specifically?