Reforming U.S. Export Controls to Reflect the Threat Landscape

Written by
Zach Weinberg
May 5, 2021

By Zach Weinberg 

Abstract

Certain features of U.S. export controls fail to reflect the immediate threat from East Asia and the emerging threat from Europe as it relates to the theft of American defense and dual-use technologies. While both the Obama and Trump administrations made a concerted effort to better regulate the commercial sale and shipment of technologies deemed sensitive for reasons of national security, one critical component of the export controls regime—the U.S. Department of Commerce (USDOC) country-specific export control licensing requirements—has yet to be revised to account for European and East Asian industrial espionage. Imposing the most export licensing requirements on average to countries in Europe and East Asia would accurately account for the persistent attempts to illicitly acquire U.S. defense technologies. Instead, countries in the Near East and South and Central Asia are, on average, assigned the most reasons for control listed on the Bureau of Industry and Security (BIS) Commerce Country Chart (CCC)—likely a carry-on objective from the U.S. Global War on Terror (GWOT) when military operations were heavily focused on these regions. Furthermore, BIS imposes a blanket set of export controls on countries throughout Sub-Saharan Africa, failing to recognize the varying risk profiles posed by different African states. These misallocated export controls demonstrate how specific trade barriers fail to move beyond an outdated GWOT mentality and result in over-regulating the Near East, South and Central Asia, and Africa. The following paper proposes the need for a thorough review of the CCC to ensure that it accurately reflects a country’s current risk profile and takes into consideration the consistent industrial espionage threat from East Asia and the emerging threat from Europe. As a result of this type of export control reform, there would be a relaxation of licensing requirements levied on regions that show little interest in illicitly procuring American defense technologies.


Introduction

America’s threat landscape has turned the page from a post-9/11, Global War on Terror posture, to a new environment characterized by the active, international ambitions of peer adversaries from the likes of Russia and China. No longer predominantly in the form of terrorism and insurgencies in Iraq and Afghanistan, this latest threat resides at the nexus of national security and private industry, and materializes as industrial espionage and the illicit targeting of U.S. military, dual-use, and other defense technologies.

Moscow and Beijing’s persistent efforts to illicitly acquire U.S. defense technologies—classified technology, military critical technology, sensitive company documents, dual-use technology, proprietary information, and controlled technology for reasons of national security—has made Europe and East Asia hotspots for where industrial espionage operations take shape (Counterintelligence Awareness n.d.). Russia and China are the most active, individual countries targeting U.S. defense technologies, but due to their far-reaching espionage networks that extend beyond their borders, there is a larger, regional pursuit of America’s most sensitive information, emanating from East Asia and Europe. 

While East Asian and European-originated attempts to steal U.S. technologies are predominantly launched from China and Russia proper, there are many illustrative examples of espionage operations stemming from their surrounding regions. China has used Singapore and Singapore nationals in its espionage operations, and, although a far cry from the magnitude of Beijing’s efforts, North Korea is also known to target U.S. technologies (Atherton 2017; Choi 2018; and Tucker 2020). The 2020 SolarWinds breach serves as an example of regional European culpability where, as a byproduct of Russian intelligence operatives being “deeply rooted” in its neighbors, the malicious code employed in the cyber espionage attack allegedly came from Belarus, Poland, and the Czech Republic (Sanger et al. 2021 and Dodds 2021).

The U.S. executes a myriad of defenses including trade control laws like the Arms Export Control Act (AECA), the International Emergency Economic Powers Act (IEEPA), and the Export Control Act (ECA) of 2018 to deny U.S. military and dual-use technologies from falling into the hands of its adversaries (Fergusson and Kerr 2020). [1] An enforcement system made up by the U.S. State Department’s Defense Trade Control (DDTC) International Traffic and Arms Regulations (ITAR); the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC); and the U.S. Department of Commerce (USDOC) Bureau of Industry and Security’s (BIS) Export Administration Regulations (EAR) —on which this paper will focus—maintains oversight of the aforementioned trade laws (Carlson and Lichtenbaum 2016).

A critical component of U.S. export control regulation and the EAR is the BIS Commerce Country Chart (CCC), which stipulates USDOC country-specific export licensing requirements and the reasons that the U.S. government has imposed controls on each of the world’s 193 countries.

As an instrument to protect U.S. defense and dual-use technologies from being acquired by adversaries who covet such applications, one would think that the CCC would consider industrial espionage and reflect the behaviors of European and East Asian nation state actors by subjecting the countries within these two regions to the most country-specific export license requirements. Instead, research reveals that Europe and East Asia have, on average, some of the fewest country-specific export license requirements. 

Furthermore, regions that demonstrate little interest in procuring American technologies or have reduced their targeting efforts over the last five years—like the Near East and Central and South Asia—face, on average, some of the highest number of country-specific controls. 

The CCC does not accurately reflect the dangers emanating from Europe and East Asia. Instead, it imposes, on average, the most controls on countries in the Near East, Central and South Asia, and Africa—likely a carryon objective from the U.S. Global War on Terror (GWOT) when military operations were heavily focused on these regions. These misallocated export controls display a failure of imagination to move beyond a post-9/11 security posture and to recognize America’s evolving threat landscape.

Using quantitative methods, this paper first identifies that East Asia is a consistent actor and Europe is an emerging actor in stealing U.S. export-controlled technologies. The paper then proposes that the BIS CCC be reviewed and updated to reflect the listed countries’ current risk profiles and to take into consideration the growing industrial espionage originating from East Asia and Europe. Furthermore, the paper advocates for a new reason for control to be added to the BIS export control regime, to be levied specifically on countries who engage in industrial espionage—both government sanctioned espionage activity as well as circuitous involvement—as a consequence of Russia and China’s far-reaching espionage networks. 

These misallocated export controls demonstrate how specific trade barriers fail to move beyond an outdated GWOT mentality and result in over-regulating the Near East, South and Central Asia, and Africa.

Trade restrictions in the current BIS export control regime are based on factors like nuclear non-proliferation, missile technology, regional stability, and anti-terrorism, but nothing that speaks directly to industrial espionage. Including this additional reason for control, however, will help to more appropriately impose export licensing requirements, placing priority on Europe and East Asia instead of the priority that is currently placed on the Near East, Central and South Asia, and Africa.

 

Brief History of Export Controls

Export controls are “the set of laws, policies, and regulations that govern the export of sensitive items for a country or company” (UT 2021). Specifically, U.S. export controls are U.S. laws that limit foreign access to the most sensitive equipment, software, technology, and weapons as a means to promote America’s national security interests and foreign policy objectives (U.S. State Department 2011). For the purposes of this paper, national security straddles both national defense and foreign relations and refers to the protection of a nation from attack or other threat by maintaining a military advantage over adversaries and by the guarding of state secrets. Furthermore, this paper uses the U.S. Department of Defense Center for Development of Security Excellence (CDSE) definition of threat to mean “the intention and capability of an adversary to undertake detrimental action against an asset or an asset owner’s interest,” and uses asset to refer to a U.S. company’s proprietary defense technology that is subject to export controls for reasons of national security.  

An example of a technology that is subject to U.S. export controls includes night vision goggles. Although a seemingly benign technology that could be employed for everyday civilian use by an underground technician, when in the hands of an American adversary, night vision goggles could provide a tactical advantage on the battlefield. To avoid a situation where American enemies acquire these types of dual-use technologies (i.e. technologies applicable for both civilian and military purposes) and to verify their ultimate civilian end-use, an export license issued by the U.S. government may be required to approve the technology transfer. If the technology transfer is deemed to go against America’s national security interests (i.e. the purchaser is affiliated with an adversarial foreign military, terrorist organization, narcotics trafficker, etc., or the receiving country poses certain risks that the technology could be procured by such undesirables), the technology can be barred from export all together.

Throughout their history, export control laws have sought to keep up with America’s changing threat landscape—from countering fascist regimes of the early twentieth century, to global proliferation of nuclear weapons and the emanating threat from the Soviet-bloc, to the rise of Islamic terrorism and the global drug trade—while at the same time, keeping pace with longstanding calls for reform and de-regulation voiced by private industry. And while select elements of the current U.S. export controls regime fail to reflect the espionage threat emanating from East Asia and Europe, the history of U.S. export controls shows that it is not necessarily due to an inability to evolve.

The history of U.S. export controls reaches back to American independence, but this paper pays attention to the more recent past, beginning with the Export Control Act of 1949 when the three contemporary reasons for controlling exports—national security, foreign policy, and short supply—came into effect (Aoi 2016) (Figure 1).

While select elements of the current U.S. export controls regime fail to reflect the espionage threat emanating from East Asia and Europe, the history of U.S. export controls shows that it is not necessarily due to an inability to evolve.

The evolution of U.S. export control regulations post-1949 has been to “strike a balance between the need to protect technology essential to U.S. national security and the desire to promote U.S. trade” (Fergusson and Kerr 2020). As such, changes to the laws fall primarily into two categories: first, in response to national security threats facing America, and second, to deregulate complicated and rigid controls in the interest of the U.S. economy. [2]

Export control laws and policies aimed at deregulation and the promotion of U.S. trade include the Export Administration Act of 1969 (EAA), the Omnibus Trade and Competitive Act of 1988, and several initiatives during the Clinton Administration in the mid-1990s to relax computer and encryption software controls and to simplify the EAR. While these are important policy changes, efforts made in the interest of the U.S. economy during times of détente will not be the focus here. Instead, this paper will highlight the amendments and additions to U.S. export control laws made for reasons of national security to provide context for where these regulations stand today.

Figure 1: U.S. Export Control Regime, 1949-2020

 

 

Timeline of U.S. Export Control Regime, 1949 - 2020
Key: Red = Legislation that primarily places restrictions on U.S. exports ; Green = Legislation that primarily relaxes restrictions on U.S. exports. This timeline, created by Zach Weinberg, highlights the most substantial changes and revisions to U.S. export controls from 1949 to 2020, however it is not an exhaustive list of all U.S. export control laws.

Export control reforms that fall into a national security category follow a trajectory in tandem with the evolution of the global security threats facing America. At the onset of the cold war, the Truman Administration established the Export Control Act of 1949 in an effort to prevent U.S. dual-use and defense material from flowing to the Soviet bloc (Chapman 2013). Its enactment was a direct reflection of the new security threat (Fergusson 2009). The act denied countries within the Soviet sphere of influence any items that could contribute to their military capability and challenge America’s military preeminence. To meet the developing, dual “Sino-Soviet” threat, the U.S. and its NATO allies expanded their controls on exports to Eastern Europe and communist China under the Coordinating Committee for Multilateral Export Controls (CoCom) program in 1952 (Berman and Garson 1967).

As the threat to U.S. national interests moved to the Near East and South and Central Asia, so did export controls. The export control authority provided by the International Emergency Economic Powers Act of 1977 (IEEPA) was imposed on Iran in 1979 as a response to the Iranian Hostage Crisis (Aoi 2016). That same year, the EAA was amended to address the “mounting evidence that the Soviets had used Western dual-use technology, obtained both legally and illegally as a result of relaxed trade controls, to modernize its conventional and strategic forces [during the invasion of Afghanistan]” (Aoi 2016). After the collapse of the Soviet Union, export control efforts like the 1994 Nonproliferation and Export Control Cooperation (NEC) were enacted to stem the proliferation of nuclear weapons into the new states emerging from former Soviet territory (Aoi 2016). 

Following the attacks on September 11, 2001, export controls evolved in tandem with the U.S. Global War on Terror (GWOT). With President George W. Bush’s guidance to “direct every resource at our command—every means of diplomacy, every tool of intelligence, every instrument of law enforcement, every financial influence, and every necessary weapon of war—to the destruction and to the defeat of the global terror network,” so too were changes brought to U.S. export controls (Bush 2001). [3] USDOC announced the evolution of the Bureau of Export Administration (BXA) to BIS to reflect the enlarged national, homeland, economic and cyber security mandate (Aoi 2016).

In 2009, the Obama Administration sought to deflate the ballooned mandate of the post-9/11 U.S. export controls regime and launched the Export Control Reform (ECR) Initiative to “re-strike the balance between national security and export competitiveness” (Fergusson and Kerr 2020). To address the wide array of critics who saw the U.S. export controls system as “being too rigorous, insufficiently rigorous, cumbersome, obsolete, inefficient, etc.,” the Obama Administration proposed a new system based on a single export controls licensing agency, a unified controls list, a single enforcement agency, and a single integrated information system (Fergusson and Kerr 2020). The ECR was implemented in 2013, and while certain strides were made to create a single system, much of the final phase of the ECR’s three-phased implementation strategy was left to subsequent administrations. [4]

The Trump Administration picked up the mantle and championed the Export Control Reform Act of 2018 (ECRA) specifically to “address concerns regarding the release of critical technologies to end uses, end users and destinations of concern, primarily China” (Wolf et al. 2018). This law speaks directly to the industrial espionage threat emanating from East Asia and attempts to “protect U.S. technological advances through closer scrutiny of technology transfers to foreign persons” (Leiter 2019).

The Trump Administration continued to put China “on notice,” challenging the People’s Republic of China’s (PRC) exploitation of Chinese “firms to steal and divert [U.S.] technologies to support the Chinese military,” most notably via the “theft of cutting-edge U.S. technology by the PRC acting through Huawei” (Leiter 2019 and Ford 2020). In an attempt to meet the threat from not only China but Russia as well, the Trump Administration increased the number of European and East Asian companies and persona non grata named on the Specifically Designated Nationals List (SDN) and the BIS Entity List. It also published the first Military End User (MEU) List, prohibiting the sale of U.S. defense technologies to 58 Chinese and 45 Russian companies (Trade Enforcement 2020).

While the Trump Administration did much to address the persistent efforts from China and Russia to illicitly acquire U.S. dual-use and military technologies, the ECRA did not require changes to country-specific licensing requirements (Wolf et al. 2018). Washington preferred, instead, a scalpel approach with Russia and China that called out specific offenders via the MEU list and the BIS Entity List, rather than restricting sensitive exports to these countries as a whole. Failing to update the USDOC CCC and to use its more exhaustive country-specific licensing policies placed critical national security due diligence responsibilities into the hands of exporters, re-exporters, and transferors, and brought into question the consistency of America’s export controls regime to address today’s evolving threat landscape.

Analyzing and eventually discerning if USDOC export controls accurately reflect the growing threat from Europe and East Asia, as it relates to the theft of American defense and dual-use technologies, will be the focus henceforth. 

 

Methodology 

To discern if USDOC export controls are consistent with the overall threat landscape—i.e. that the regions of the world most responsible for targeting America’s defense and dual-use technologies are, on average, subject to the most country-specific export licensing requirements—two sets of data are needed: 1) the number of industrial espionage attempts to illicitly procure export-controlled technologies and which country is responsible for each attempt; and 2) the number of export control licensing requirements levied on each of the world’s countries.

The latter is readily available. The BIS CCC identifies which out of the 16 reasons for control are levied on each country throughout the world. (For example, military and dual-use technology exports to Turkey are controlled for four out of the sixteen control reasons. Turkey’s four control reasons concern Chemical and Biological Weapons; National Security; Missile Technology; and Regional Stability). The number of reasons for control assigned to a country is proportionate to the overall concern the U.S. has for that country’s risk profile.

The former, however, is not as readily available. While anecdotal evidence and illustrative examples are plentiful, there is currently no authoritative, publicly available, quantitative data repository of industrial espionage attempts to target export-controlled technologies at the time of this writing. The U.S. National Counterintelligence and Security Center, as well as an array of policy think-tanks, risk advisory firms, and media outlets, conclude that Russia and China “are the most capable and active actors tied to industrial espionage and the theft of U.S. trade secrets and proprietary information,” but little quantitative data is presented to substantiate these claims (NCSC 2018). Instead, qualitative case studies and reference to mounting FBI investigations and unsealed U.S. indictments are used to illustrate the threat (Reuters 2020) [5].

Such unavailable data, however, is understandable—industrial espionage is covert by nature. Furthermore, foreign intelligence entities (FIEs) largely target private industry, which prefers to avoid public disclosure of any unauthorized access or proprietary theft that could potentially damage brand reputation or reduce consumer confidence (Schmidt 2019). [6]

Industry also remains suspicious of law enforcement, fearing that government assistance would inevitably lead to unwanted public disclosure, making the business community hesitant to ask for help in the face of an information or technology breach (Larence and Powner 2007). While the relationship between the public and private sector has greatly improved in recent years due to a concerted effort to create valuable public-private partnerships (PPPs), private sector collaboration with the FBI and other U.S. law enforcement is largely kept outside public view and incidents come to light only years after the fact (U.S. DOJ 2009) [7]. (The exception to this is when personally identifiable information and protected health information is at risk, prompting private industry to publicly disclose incidents as required by health breach notification rules and various U.S. state laws for consumer protection (FTC 2019).

While public data related to incidents of export-controlled technology theft is unavailable, there is comparable data accessible that serves as an adequate proxy. The U.S. Defense Counterintelligence and Security Agency (DCSA) releases an annual report on “efforts to obtain unauthorized access to classified information or technologies resident in the U.S. cleared industrial base” (DCSA 2019). [8] These reports on suspected incidents of industrial espionage against classified technologies offer a window into what efforts are likely taking place against U.S. export-controlled technologies.

To be clear, there are shortcomings to the DCSA data. For one, DCSA’s publicly released reporting lumps countries into broad regions, rather than attributing suspected incidents of industrial espionage to specific countries. [9] This has the potential of distorting the analysis. Although it is understood that China is likely the biggest culprit in East Asia and the Pacific and Russia is likely the biggest culprit in Europe and Eurasia, the data does not reveal the other regional players who contribute to the reporting. To understand the nuances of the regional activity, one has to rely on illustrative examples like the SolarWinds breach which shows evidence of industrial espionage activity originating from various countries in Eastern Europe. 

Furthermore, DCSA’s regional categorizing is, at times, too broad. For example, the reporting places the entire Western Hemisphere into a single regional category, and lumps together Europe and Eurasia. DCSA’s regional naming conventions themselves occasionally leave something to be desired, especially when referring to Sub-Saharan Africa as simply “Africa.” DCSA’s reporting is also just a reflection of incident occurrences and does not take into consideration the different magnitudes or sophistication of the attempted theft.

Another shortcoming of using the DCSA data set is that export-controlled technologies and classified technologies are not synonymous. Their differences rest primarily on two features: the level of sensitivity and ownership. In terms of the level of sensitivity, export-controlled technologies are regulated in the interest of national security. Classified technologies, on the other hand, are regulated because their unauthorized disclosure could reasonably be expected to cause damage, serious damage, or exceptionally grave damage to national security (EO 12356, Section 1.1). For technology to be considered classified, it must also be owned by and under the control of the U.S. government—even if it may physically reside with or be developed by a private sector defense contractor (EO 12356, Section 6.1). Export-controlled technologies, however, are under company ownership.

Despite the data shortcomings and the differences between classified vs. export-controlled technologies, there are merits to using DCSA’s data on targeting classified information as a proxy to understanding the targeting of export-controlled technologies. For one, there are linkages between the two types of technologies—such as the U.S. civil nuclear sector and U.S. nuclear defense capabilities—and these similarities allow for some extrapolation as to which U.S. adversaries most covet American export-controlled technologies (Ford 2018). It is a fair assumption that countries working to illicitly acquire U.S. classified technologies are similarly working to illicitly acquire other defense technologies, such as those subject to U.S. export controls. [10]

The linkages between classified technologies and export-controlled technologies are further reinforced by the similar ways the U.S. government categorizes them. BIS divides EAR export-controlled technologies into ten broad categories itemized on its Commerce Control List (CCL). These ten categories roughly correspond to the 29 more nuanced Industrial Base Technology List (IBTL) categories that DCSA implements to group U.S. classified technologies. (Figure 2) Incidents of industrial espionage against classified technologies serve as an adequate proxy for incidents of industrial espionage against export-controlled technologies because export-controlled and classified technologies have a similar risk profile based on national security concerns. [11]

Figure 2: Commerce Control List (CL) ≈ Industrial Base Technology List (IBTL)

 

 

This chart, created by Zach Weinberg, compares the BIS Commerce Control List Categories (left) with the Defense Counterintelligence and Security Agency Industrial Base Technology List (right). Sources: BIS CCL , DCSA Targeting of US Technologies Report) 
This chart, created by Zach Weinberg, compares the BIS Commerce Control List Categories (left) with the Defense Counterintelligence and Security Agency Industrial Base Technology List (right). Sources: BIS CCL , DCSA Targeting of US Technologies Report

Using IBTL categories, DCSA annually reports the number of suspected industrial espionage attempts—i.e. suspicious incidents or outreach to facilities and employees with security clearances—to illicitly procure U.S. classified technologies, and attributes these attempts to a suspected region of origin. From FY15 to FY19, U.S. cleared companies have reported, on average, approximately 47,000 incidents of suspicious contact to DCSA per year. From this total number, DCSA identifies that roughly 6,000, or approximately 12.5 percent, are likely actual espionage incidents. (Figure 3)

Figure 3: FY15-FY19 Suspected Incidents of Industrial Espionage Against Classified Technologies

 

 

Figure 3: FY15-FY19 Suspected Incidents of Industrial Espionage Against Classified Technologies
This table was created by the author, Zach Weinberg. 

Because publicly available DCSA reporting groups the origin of suspected espionage attempts into regions rather than individual countries, USDOC export control country-specific licensing requirements listed on the CCC of the EAR must also be grouped into corresponding regions before any analysis takes place. 

Once each country is categorized into corresponding regions, a point system is easily applied to reveal the regional ranking based on the average number of export licensing requirements (i.e. reasons for control) imposed per country within each region. [12] See Figures 4 and 5 below.

Figure 4: Sample Export License Point System

 

 

This table, created by Zach Weinberg, is a reformatted version of the Commerce Country Chart (CCC), based on Supplemental No. 1 to part 738 of BIS Export Administration Regulations. 
This table, created by Zach Weinberg, is a reformatted version of the Commerce Country Chart (CCC), based on Supplemental No. 1 to part 738 of BIS Export Administration Regulations. 

Figure 5: Regional Ranking Based on Reasons for Control (Most to Least Regulated)

 

 

Regional Ranking Based on Reasons for Control (Most to Least Regulated)
This table was created by the author, Zach Weinberg. 

Analysis and Findings

East Asia is an Immediate Threat, Europe is an Emerging Threat—But Regions are Subject to the Least Export Licensing Requirements

By compiling, assembling, and reviewing the foreign targeting of U.S. classified technologies data provided by DCSA over a five-year period, it becomes apparent that East Asia and the Pacific has consistently been the region most active in targeting U.S. classified technologies (Figures 6a and 6b). Understanding that regions who illicitly target U.S. classified technologies also target export-controlled technologies, DCSA data suggests that East Asia is the most active region in this domain as well.

Figure 6a: FY15-FY19 Industrial Espionage Attempts Attributed to Region

 

 

Figure 6a numbers were calculated and compiled by Zach Weinberg.
Figure 6a numbers were calculated and compiled by Zach Weinberg.

Efforts to illicitly acquire U.S. technologies originating from Europe and Eurasia have slightly increased, rising from 11 percent of attributed reporting in FY15 to 14 percent in FY19, suggesting that Europe and Eurasia are an emerging threat. [13] Reinforcing this finding, in FY18 Europe and Eurasia overtook South and Central Asia as the third most active region targeting U.S. technologies, and continued to advance this lead into FY19. Like East Asia, a similar assumption can be made that there is an emerging threat relating to the theft of U.S. export-controlled technologies from Europe, as it likely mirrors the emerging threat Europe poses for U.S. classified technology as revealed by DCSA data.

Although the threat from the Western Hemisphere also rose over the five-year period, a DCSA analyst considers this a relatively “small portion” of overall reporting and that it is “likely that some of these [Western Hemisphere] entities are front ends or brokers working for procurement networks that originate in other regions,” and thus not statistically significant (DCSA 2017).


Figure 6b: FY15-FY19 Industrial Espionage Attempts Attributed to Region

 

 

Figure 6b: FY15-FY19 Industrial Espionage Attempts Attributed to Region (Graph)
Figure 6b numbers were calculated and compiled by Zach Weinberg.

While this data suggests that East Asia is a consistent threat and Europe is an emerging threat facing U.S. sensitive technologies, Europe and East Asia are, counterintuitively, the regions subject to the least number of country-specific license requirements per the BIS CCC. [14] On average, in January 2021, Europe and Eurasian countries were subject to 6.5 out of 16 reasons for control, and East Asia and the Pacific countries were subject to 9.68. Ironically, the regions that have demonstrated a declining interest in illicitly procuring and targeting U.S. technologies—the Near East and South and Central Asia—received some of the highest average numbers of export licensing requirements; 11.56 out of 16 and 10.15 out of 16 control reasons, respectively.

Because of the clear threat originating from East Asia and the emerging threat originating from Europe, this paper initially hypothesized that USDOC country-specific export control licensing requirements would reflect this reality and subject these regions to the most export license requirements. A review of the regional ranking of export licensing requirements, however, disproves the hypothesis and instead reveals the inverse. 

This finding shows that USDOC country-specific export control licensing requirements fail to reflect the dangers facing America from Europe and East Asia. Despite the evolving threat landscape facing U.S. defense and dual-use technologies from peer adversaries, the BIS CCC remains relatively static. One can see how static the BIS CCC is when comparing the average number of export license requirements per country within a region from May 2019 to April 2021. Despite an almost two-year period, changes to the average number of export license requirements have been negligible. [15]

U.S. Licensing Requirements Reflect an Outdated, Global War on Terror Mindset and Heavily Regulates the Near East and South and Central Asia

Rather than adjusting the CCC to reflect the evolving threat from European and East Asian peer adversaries, the BIS has subjected countries in the Near East and South and Central Asia to the most export control licensing requirements. 

This allocation of export license requirements reflects America’s post-9/11, Global War on Terror (GWOT) posture, which was militarily focused on these regions, primarily in Iraq and Afghanistan. [16] The emphasis that USDOC continues to place on the Near East and South and Central Asia suggests a failure of imagination to move beyond these conflicts. USDOC licensing requirements remain in a GWOT mindset, despite the changes over the preceding decades. 

A five-year review of foreign targeting of U.S. technologies from FY15 to FY19 clearly shows how the threat facing America has evolved. Attempts to steal U.S. military applications originating from the Near East have declined over the five-year period in review, from 21 percent of reported incidents in FY15 to 16 percent in FY19. All the more telling, reporting attributed to the Near East dramatically dropped to a 13 percent low in FY18, while reporting attributed to East Asia jumped from 35 percent to 40 percent that same year.

The emphasis that USDOC continues to place on the Near East and South and Central Asia suggests a failure of imagination to move beyond these conflicts.

A similar decline has been observed in South and Central Asia. In FY15, South and Central Asia represented 20 percent of reporting and was identified as the third most active region attempting to illicitly acquire U.S. technologies. By FY19, however, South and Central Asia represented only 11 percent of reporting and its regional ranking was replaced by Europe and Eurasia, as the threat from this region steadily rose. Despite DCSA reporting clearly showing Europe supplanting the danger from South and Central Asia, USDOC country-specific licensing requirements remained unaffected.

To be clear, this paper does not propose that the threat from the Near East and South and Central Asia has evaporated. Industrial espionage from Iran remains a formidable threat, and U.S. nuclear technology remains coveted by countries like Pakistan and India (Toon et al. 2019). 

With that said, however, the threat, which heavily focused on the Near East and South and Central Asia during the GWOT era, has shifted to East Asia and Europe. America’s threat landscape has turned the page from terrorist organizations and rogue regimes of the Near East and South and Central Asia, to the international ambitions of peer adversaries in East Asia and Europe. U.S. export country-specific licensing requirements should reflect that reality.

Blanket Export Licensing Requirements in Sub-Saharan Africa Fail to Reflect the Nuances of Individual Countries

Africa is subject to the fourth most export license requirements, despite consistently being the least active region targeting U.S. dual-use and defense technologies. Even though this discrepancy further illustrates how the BIS CCC fails to accurately reflect the threat at hand, an additional, more concerning problem is also at play: with USDOC’s African export licensing requirements being practically identical from country to country, the agency has imposed a blanket set of regulations that neglects the nuances and differences across the African continent. 


Figure 7: Sample of African Countries and Export Licensing Requirements

 

 

Figure 7: Sample of African Countries and Export Licensing Requirements
This sample of African Export Licensing Requirements, compiled by Zach Weinberg and sourced from the BIS CCC, demonstrates the uniformity of export license requirements that are imposed on African countries. 

Aside from Rwanda and South Africa, all of the other 49 African countries listed on the BIS CCC are subject to the same country-specific export controls for identical reasons. Regardless of violent conflict in Mali, the strength of Nigeria’s economy, authoritarian rule in Angola, the population boom in Ethiopia, Chinese military relations in Djibouti, the poverty of the Democratic Republic of the Congo, the free and fair government of Botswana, etc., all of these countries receive the same barriers to American dual-use exports.

This type of one-size-fits-all export license requirements does not apply to any other region except for Africa, mistakenly suggesting—and perpetuating an archaic stereotype—that there is a homogenous quality among African states that does not exist in other parts of the world.

Earlier in this paper, a snapshot of South and Central Asian countries on the BIS CCC was provided to illustrate the use of a point system to determine the ranking of regions and their export license requirements. (Figure 4) This figure, however, also demonstrates how USDOC typically accounts for country differences in the distribution of license requirements. India is subject to export controls for different reasons than Pakistan; Uzbekistan compared to Kazakhstan; Maldives compared to Sri Lanka; etc. Countries in Africa, however, are not afforded such nuances.

This blanket series of export license requirements in Africa not only fails to reflect the evolving threat landscape that primarily stems from East Asia and Europe, but they also unnecessarily prescribe commercial barriers and regulations on U.S. companies conducting—or interested in conducting—business in Africa. Rather than imposing export controls on each African country for the danger, or lack thereof, that they pose towards the theft of U.S. defense and dual-use technologies, USDOC export controls instead, perpetuate a faulty bias of sameness across Africa by failing to recognize group differences.

This failure to recognize the nuanced risks that differentiate African states stems from the CCC method. The CCC is managed by BIS with input from a mélange of other U.S agencies, including the U.S. Department of State, Nuclear Regulatory Commission, and the U.S. Treasury’s Office of Foreign Assets Control. It is also informed by various international agreements. These agreements include the Wassenaar Arrangement (WA) of 1996, which ensures that any conventional arms or dual-use technologies transferred to a signatory country will “not contribute to the development or enhancement of military capabilities;” and the Australia Group (AG) of 1985, which is an informal forum of countries who assert that their “exports do not contribute to the development of chemical or biological weapons” (WA 2020 and AG 2007). It is a state’s participation, change in participation, or failure in participation with these multilateral export control regimes that ultimately dictates many of the reasons for control assigned on the CCC. [17]

South Africa, which is party to the Wassenaar Arrangement, is the only African country to participate in either of these two international agreements. This is directly reflected in the CCC, which shows South Africa as the African country subject to the least export restrictions, and as being one of the few African countries to break away from the blanket series of export license requirements levied onto the rest of the continent. 

Rather than imposing export controls on each African country for the danger, or lack thereof, that they pose towards the theft of U.S. defense and dual-use technologies, USDOC export controls instead, perpetuate a faulty bias of sameness across Africa by failing to recognize group differences.

Aside from South Africa, there are no other African states who are partied to the WA, AG, etc. Due to the reliance on these agreements as some of the few vetting mechanisms for U.S. exports, however, most African countries appear the same on paper (i.e. they do not participate in the agreements) and thus receive almost all of the same export restrictions. 

Based on extensive field interviews, this failure to implement U.S. export controls that consider the nuances between African states is further exacerbated by a lack of urgency in Washington to prioritize African trade policies. This leaves an impression that African countries would derive little benefit from being able to purchase dual-use materials. For these critics, the results of a cost-benefit analysis would be unfavorable to African states: African countries would need to spend considerable resources to meet the membership criteria of these multilateral export control regimes, but then do not have the commercial infrastructure or industries that require dual-use technologies to see a return on the investment. This, of course, fails to take into account U.S. businesses who have dual-use technologies in their portfolios that would seek new markets and opportunities in Africa, should export restrictions lessen.

As long as USDOC continues to compile the CCC based on these often outdated, Western-centric international agreements, export control laws will continue to reflect a bygone area rather than today’s multipolar world.

Instead, U.S. export controls remain largely dependent on the WA and AG, which is made up of predominantly Western countries who subscribed to an American-led global world order of the 1980s and 1990s. As long as USDOC continues to compile the CCC based on these often outdated, Western-centric international agreements, export control laws will continue to reflect a bygone area rather than today’s multipolar world. [18]

To address the shortcomings of the CCC, a thorough review of country-specific export licensing requirements is needed to identify and eliminate unnecessary export barriers levied on Africa, especially for those countries that are inactive in industrial espionage against the U.S. 

 

Conclusion

There is a clear disconnect between the regions of the world that are most stringently barred access to U.S. defense technologies, compared to the regions that covet and steal—and therefore should be strictly barred from accessing such technologies. Instead of accurately reflecting the consistent industrial espionage threat from East Asia and the emerging threat from Europe, and thus subjecting these two regions to the most country-specific export licensing requirements, export controls administered by USDOC continue to prioritize the Near East and South and Central Asia.

This misallocation of U.S. export controls on the Near East and South and Central Asia instead of Europe and Asia comes despite a reduction in the foreign targeting of U.S. defense technologies by the former and an increase by the latter. In the case of Africa, it is neither that has led to stringent export licensing requirements. Instead, licensing requirements are imposed on African states even though the region shows little culpability in illicitly acquiring U.S. defense technologies. 

The consequence of such misalignment offers potential vulnerabilities on controlled exports to Europe and East Asia that can be exploited by bad actors. This misalignment also results in the overregulation of the Near East and South and Central Asia, placing undue burden on U.S. companies doing business in these regions. These ill placed regulations show a failure of the U.S. export controls system to strike a balance between the need to protect technology essential to U.S. national security and the desire to promote U.S. trade.

What makes USDOC’s refrain from updating country-specific export licensing requirements surprising is that most other aspects of the U.S. export controls system have been updated to reflect the evolving threat originating from East Asia and Europe. The Trump administration clearly recognized America’s changing threat landscape with the inclusion of 58 Chinese and 45 Russian companies on the MEU List and the regular updating of the BIS Entity List. Furthermore, government agencies, risk advisory firms, and foreign policy think-tanks continue to sound the alarm on East Asia and Europe. [19] America knows this threat is real, yet country-specific export licensing requirements remain static.

In terms of Africa, there is clear recognition that, unlike East Asia and Europe, the African region is not the problem. The BIS Entity List includes approximately 20 barred African entities. This compares to the over 100 entities listed for Central and South Asia, the over 200 listed for the Near East, the over 300 listed for East Asia and the Pacific, and the over 400 listed for Europe and Eurasia, with Chinese and Russian entities accounting for the vast majority in these last two regions. Although relatively few specific African entities are outright barred from U.S trade according to the BIS Entity List, companies located or operating in Africa are as a group subject to a blanket series of stringent licensing requirements outlined by the BIS CCC. 

America should reform the remaining aspects of its export controls system that fail to reflect the emerging threat from Europe and the consistent threat from East Asia. To accomplish this, the U.S. should raise the number of licensing requirements on Europe and East Asia and lift licensing requirements levied on regions that show little interest in illicitly procuring U.S. defense technologies. Instead, it appears to be the priority of the Biden Administration to continue the scalpel approach of the Trump Administration, focusing on specific entities rather than a more holistic regional threat. Highlighting President Biden’s preservation of his predecessor’s approach, new restrictions further limit exports to China’s Huawei Technologies Co. Ltd., “the telecommunications equipment maker placed on the trade blacklist [by President Trump] over U.S. national security concerns” (Freifeld 2020).

... the U.S. should raise the number of licensing requirements on Europe and East Asia and lift licensing requirements levied on regions that show little interest in illicitly procuring U.S. defense technologies.

A jumpstart to reimagining the U.S. export control regime could be to add a 17th reason for control to the 16 reasons that are currently in place. This new reason would subject export control restrictions to countries engaged in both government sanctioned espionage activity and circuitous involvement as a consequence of Russia, China or any other nation state’s far-reaching espionage networks. While the U.S. Code of Federal Regulations does include a supplemental table that identifies countries of national security concern to the U.S.—Country Group D of Supplemental No. 1 to 15 CFR Part 740—this appendix is primarily a tool to identify license exceptions and not meant to reflect countries of international espionage concerns.  

This proposal, however, does not come without its critics. Some may call the suggestion to lift export controls on the Near East, South and Central Asia, and Africa as naïve, and point to the remaining terror threat in these regions as evidence. Others may suggest that bad actors would exploit lessened restrictions in Near East, South and Central Asia, and Africa, giving rise to rampant transshipment of defense technologies through these regions in route to Europe and East Asia.

Still, others point to a flawed methodology that looks at all 16 reasons for control on the CCC as indicative of espionage tendencies, where only a few of the control reasons apply to the national security mandate of the Export Control Act of 1949, and the others (like Crime Control, Missile Technology, Regional Stability, etc.) apply to the foreign policy mandate (Fergusson, 2009). While there is merit in this distinction, this paper uses “national security” more holistically to include all aspects of the mandate prescribed by the Export Control Act of 1949.

Finally, there are others who would point to America’s large number of allies in East Asia and Europe, which would bring down the average number of export license requirements per country within these regions (i.e. that heavy requirements on China would be numerically counteracted by few requirements on South Korea, and thus, a per-region-country average is not conducive to identifying where the U.S. levy the most licensing requirements). These critics would advocate for reading between the lines in terms of DCSA’s regional data, arguing that by East Asia and the Pacific, DCSA really means China, and by Europe and Eurasia, DCSA really means Russia. 

Unfortunately for this last set of critics, the publicly available data is categorized into regions, which then shapes the paper’s methodology to ensure we are comparing “apples to apples.” Analysis can only be done on available data, and it would be inappropriate to infer a clandestine meaning hidden in terms like East Asia and Europe.

One should also be cautious in emphasizing that the threat against U.S. technologies is originating solely from China and Russia proper. Instead, there is evidence outside of DCSA data that points to a larger regional culpability in East Asia and Europe stemming from Chinese and Russian espionage networks extending into their regional neighbors. Russia’s far-reaching tentacles have been observed in the Czech Republic, and China’s in Singapore (Perlroth et al. 2021 and Tucker 2020). North Korea’s active pursuit of American military technology also cannot be discounted in terms of East Asia (Rixon 2018). It is known, however, that spheres of influence can extend even beyond regional borders, making it all the more necessary to review country-specific export licensing agreements.

The aforementioned critiques, however, do not alter the paper’s underlying argument that America’s export controls regime must reflect the threat at hand. A thorough review and revision of the country-specific export licensing requirements listed on the BIS CCC would add to this effort. The U.S. security landscape has evolved from a post-9/11, counterterrorism posture, and has moved to where national security intersects with private industry. As such, the U.S. must focus on thwarting the illegal export and theft of American defense technologies by preventing dual-use and other sensitive applications from falling into the hands of its enemies. 

*This article was edited by Aurélie Semunovic (The Graduate Institute, Geneva), Lynne Guey (Princeton University), and Sofia Alessandra Ramirez (Princeton University). 


About the Author

Zach Weinberg is a joint MBA/MPIA graduate student at the University of Pittsburgh, where he is also a fellow at the Ridgway Center for International Security Studies. He can be reached at [email protected].


Acknowledgments

Zach would like to thank Dr. Phil Williams, Julia Zorzi, Jacquelyn Correll, and his JPIA editors, Lynne Guey and Aurélie Semunovic, for their helpful comments and continuous support. Any omissions or inaccuracies remain the sole responsibility of the author.


Notes

1. Aside from U.S. laws and regulations, other efforts to control the export or proliferation of U.S. defense technologies include international partnerships, training, international standards, end-user verification, international sanctions compliance, etc. (Ford 2018)

2. Export controls are primarily exercised for reasons of national security and trade promotion, but, at times, the U.S. government has also exploited export controls for strategic reasons. During the Obama Administration, certain trade barriers were lifted on Iran and Cuba as a gesture of good will to further foreign policy objectives.

3. For example, the U.S. Patriot Act of 2001 and other legislation has focused on “preventing funding of terrorists, targeted specific individuals, organizations [like the] Taliban, and states like Iran…Syria” (Chapman 2013).

4. For further reading related to the impact of ECR under the Obama Administration, see A. Stricker and D. Albirght’s 2017 report U.S. Export Control Reform: Impacts and Implications for Controlling the Export of Proliferation-Sensitive Goods and Technologies. The report explains that under ECR, items previously controlled by the Department of State per the U.S. Munitions List (USML) were migrated to BIS under the “600 Series.” Following the migration, there was an increase in exports of “600 Series” items, especially to countries like Japan, Canada, the UK, South Korea, Mexico, Israel, Germany, the UAE, etc. The use of Strategic Trade Agreement (STA) exceptions under ECR also increased, including shipments to the Netherlands, Australia, Sweden, Turkey, Taiwan, Singapore, India, South Africa, Hong Kong, etc. (Stricker and Albright 2017).

5. To be clear, this paper does not challenge that Russia and China are the biggest perpetrators of industrial espionage, simply that more quantitative data is needed to verify such claims.

6. Industry’s reluctance to announce such incidents comes even despite federal securities laws that require publicly traded companies to disclose certain incidents of unauthorized access, such as a cyber breach (Newman 2018).

7. An example of an incident coming to light years after the fact was the 2011 Chinese hack on U.S. Steel Corp. Cyber actors on behalf of the Chinese Government allegedly stole proprietary information from the company, which was only publicly disclosed in 2016 (Miller 2016).

8. While the author is currently employed by DCSA, he was neither a DCSA employee at the onset of the research project nor through its majority. Only publicly available sources were utilized and none of the findings were influenced or can be attributed to any privileged information afforded to the author as a DCSA employee. Furthermore, the views presented are those of the author and do not necessarily represent the views of the Department of Defense or its Components. 

9. The author submitted a Freedom of Information Act (FOIA) request for data that attributes suspect incidents of industrial espionage to specific countries. The author’s request was denied in full for reasons of national security.

10. The December 2020 detection of a Russian organized hack of 250 federal agencies and private corporations gives weight to such an assumption, citing public officials’ concerns about what “delicate but unclassified data the hackers might have taken” (Sanger et al. 2021).

11. Classified information is determined to be of national security concern per Executive Order 13526 and export-controlled information is determined to be of national security concern per the Export Control Act of 1949.

12. To simulate the U.S. embargoed countries (Cuba, Iran, North Korea, Syria, etc.) where all transactions (including imports and exports) without a license authorization are prohibited, this study applied all 16/16 reasons for control. 

13. This finding has been criticized in terms that it is unclear if a 11 percent to 14 percent rise in European and Eurasian industrial espionage attempts is statistically significant or not. When looking over an eight-year period (FY12 - FY19) instead of a five-year period (FY15-FY19), however, industrial espionage incidents attributed to Europe and Eurasia rise significantly from 9 percent to 14 percent. The reason the author did not extend the chart from FY12-FY19 is due to reporting inconsistencies where the Militarily Critical Technology List (MCTL) rather than the Industrial Base Technology List (IBTL) is used to categorize technologies in these earlier reports, which made the author hesitate on the compatibility of the data from these earlier years. 

14. This data also highlights a 3 percent increase in espionage activity originating from the Near East from FY18 to FY19. While this is a significant one-year increase, it is part of an overall downward trend in Near East activity from FY15 to FY19.

15. Despite being fairly minimal, recent changes to the Country Commerce Chart include the recession of Sudan as a state sponsor of terror in January 2021, thus removing Anti-Terrorism 1 and Anti-Terrorism 2 reasons for control per 86 FR 4929. This accounts for the average number of controls levied on African countries to decrease slightly from 10.00 in May 2020 to 9.96 in January 2021.

16. A 2013 report from Purdue University illustrates this GWOT mindset by summarizing U.S. export control targets as “Al Qaida, Iran, Syria, China, North Korea, Islamic Hawala Financial Transfers, Iranian Energy Sector, Arms Dealers, Weapons Smugglers, [and] Central Banks.” (Chapman 2013 – Italics added for emphasis) Even though a few East Asian countries are listed, significance is clearly placed on America’s counter terror, counter violent extremism posture in the Near East and South Asia. 

17. Recent examples of how participating in multilateral export control regimes dictates a state’s assigned reasons for control on the CCC include Ukraine and Mexico, who’s reasons for control were reduced due, in part, to membership in the Australia Group, Nuclear Suppliers Group, and the Wassenaar Arrangement (15 CFR Part 740).

18. Outdated indicators include that the Australia Group’s website has not updated its copyright since 2007 and it has been almost fifteen years—since the peak of the GWOT— when Croatia, the group’s most recent participating country, was added.

19. For widely circulated, public warnings and awareness concerning the rising threat to U.S. technologies at the hands of East Asia and Europe, see: U.S. National Strategy for Critical and Emerging Technologies (2020); U.S. Annual Intellectual Property Report to Congress (2020); DoD Critical Technologies: Plans for Communicating, Assessing, and Overseeing Protection Efforts Should Be Completed (U.S. Government Accountability Office 2021); Survey of Chinese-linked Espionage in the United States Since 2000 (CSIS 2020); China Is National Security Threat No.1 (Ratcliffe 2020); Uncovering Chinese Espionage in the U.S. (Eftimiades 2018); China’s Spies Are on the Offensive (Giglio 2019); U.S. Department of Justice Report to Congress Pursuant to the Defend Trade Secrets Acts (2018); The Economic Impact of Cybercrime and Cyber Espionage (CSIS 2013); etc.


References

15 CFR Part 740 (2020). Amendment to Country Groups for Ukraine, Mexico and Cyprus Under the Export Administration Regulations, Department of Commerce, Bureau of Industry and Security. 
Accessed online: https://www.govinfo.gov/content/pkg/FR-2020-12-28/pdf/2020-26552.pdf

Allerton, K. (2017). “How North Korean Hackers Stole 235 Gigabytes of Classified U.S and South Korean Military Plans,” Vox.

Aoi, T. (2016). Historical Background of Export Control Development in Select Countries and Regions. Mitsui & Co., Ltd.

AG (2007). Australia Group Participants, The Australia Group. 
Accessed online: https://www.dfat.gov.au/publications/minisite/theaustraliagroupnet/site/en/participants.html

Berman, H., & Garson, J. (1967). United States Export Controls: Past, Present, and Future. Columbia Law Review, Vol. 67, No. 5, p.791-890.

Bush, G. W. (2001). President Bush’s Address to a Joint Session of Congress and the Nation.

Carlson, E., & Lichtenbaum, P. (2016). China-Related Export Control Risk. Covington

Chapman, B. (2013). Export Controls: A Contemporary History. Purdue University.

Choi, D. (2018). All the Ways China Could Keep its Eyes and Ears on the U.S.-North Korea Summit Without Being There. Business Insider.

Counterintelligence Awareness (n.d.). Understanding Espionage and National Security Crimes. Center for Development of Security Excellence (CDSE). Accessed online: https://www.cdse.edu/documents/cdse/ci-jobaidseries-understandingespionage.pdf 

DCSA (2019). Targeting U.S. Technologies: A Report of Foreign Targeting of Cleared Industry. Defense Counterintelligence and Security Agency. Accessed online: https://www.dcsa.mil/Portals/91/Documents/CI/FY19_Annual_Targeting_US_Technologies.pdf

DCSA (2020). Targeting U.S. Technologies: Summary of Fiscal Year 2019 Industry Reporting. Defense Counterintelligence and Security Agency. Accessed online: https://www.dcsa.mil/Portals/91/Documents/CI/FY20%20Targeting%20US%20Technologies%20Handout.pdf

DoD Risk Management (n.d.). Risk Management for U.S. Department of Defense Security Programs, Center for Development of Security Excellence (CDSE). Accessed online: https://www.cdse.edu/documents/student-guides/risk-management.pdf

Dodds, L. (2021). SolarWinds Hack May Have Started in Eastern Europe, U.S. Investigators Believe. The Telegraph.

DSS (2015, 2016, & 2017). Targeting U.S. Technologies: A Trend Analysis of Cleared Reporting. Defense Security Service. Accessed online: https://www.dcsa.mil/about/err/

EO 12356 (1982). U.S. Executive Order 12356 of April 2, 1982, National Security Information. Accessed online: https://www.archives.gov/federal-register/codification/executive-order/12356.html

Fergusson, I. (2009). The Export Administration Act: Evolution, Provision, and Debate. Congressional Research Service.

Fergusson, I., & Kerr, P. (2020). The U.S. Export Control System and the Export Control Reform Initiative. Congressional Research Service.

Ford, C. A. (2018). Chinese Technology Transfer Challenges to U.S. Export Control Policy. U.S Department of State.

Ford, C. A. (2020). U.S. National Security Export Controls and Huawei: The Strategic Context in Three Framings. Arms Control and International Security Papers, Vol. 1, No. 8.

Freifeld, K. (2020). “The Biden Administration Adds New Limits on Huawei’s Suppliers.” Reuters

FTC (2019). Data Breach Response: A Guide for Business. Federal Trade Commission. Accessed online: https://www.ftc.gov/system/files/documents/plain-language/560a_data_breach_response_guide_for_business.pdf

Larence, E., & Powner, D. Critical Infrastructure: Challenges Remain in Protecting Key Sectors. U.S. Government Accountability Office. Public Statement Before the Subcommittee on Homeland Security, March 20, 2007.

Leiter, M. (2019). Enhanced US Export Controls and Aggressive Enforcement Likely to Impact China. Skadden, Arps, Slate, Meagher & Flom LLP.

Miller, J. (2016). U.S. Steel Accuses China of Hacking. The Wall Street Journal

NCSC (2018). Foreign Economic Espionage in Cyberspace. National Counterintelligence and Security Center. Accessed online: https://www.dni.gov/files/NCSC/documents/news/20180724-economic-espionage-pub.pdf

Newman, C. (2018). When to Report a Cyberattack? For Companies, That’s Still a Dilemma. The New York Times.

Nixon, R. (2018). Smuggling of U.S. Technology is Outpacing Cold War Levels, Experts Say. The New York Times.

Perlroth, N. (2021). Widely Used Software Company May Be Entry Point for Huge U.S. Hacking. The New York Times.

Reuters (2020). China Theft of Technology is Biggest Law Enforcement Threat to U.S., FBI Says. The Guardian.

Sanger, D. (2021). As Understanding of Russian Hacking Grows, So Does Alarm. The New York Times

Schmidt, M. (2019). Why Companies Stay Private. Investopedia.

Stricker, A. and Albright, D. (2017). U.S. Export Control Reform: Impacts and Implications for Controlling the Export of Proliferation-Sensitive Goods and Technologies. Institute for Science and International Security.

Toon, O., et al. (2019). Rapidly Expanding Nuclear Arsenals in Pakistan and India Portend Regional and Global Catastrophe. Science Advances, Vol. 5, No. 10.

Trade Enforcement (2020). Commerce Department Will Publish the First Military End User List Naming More Than 100 Chinese and Russian Companies. U.S. Department of Commerce. Accessed online: https://www.govinfo.gov/content/pkg/FR-2020-12-23/pdf/2020-28052.pdf

Tucker, E. (2020). Singapore Man Sentenced to Prison for Spying for China in U.S. Associated Press.

U.S. State Department (2011). Overview of U.S. Export Control System: A Resource on Strategic Trade and Export Controls. U.S. Department of State. Accessed online: https://2009-2017.state.gov/strategictrade/overview/index.htm

USDOJ (2009). Operation Partnership: Trends and Practices in Law Enforcement and Private Security Collaboration. U.S. Department of Justice, Office of Community Oriented Policing Services. Accessed online: https://cops.usdoj.gov/RIC/Publications/cops-p169-pub.pdf

UT (2021). Export Control Definitions. University of Tennessee Knoxville. Accessed online: https://exportcontrol.utk.edu

WA (2020). About Us, The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. Accessed online: https://www.wassenaar.org/about-us/

Wolf, K. et al. (2018). International Trade Alert: The Export Control Reform Act of 2018 and Possible New Controls on Emerging and Foundational Technologies. Akin, Gump, Strauss, Hauer & Feld, LLP.