MK Data Services

by Craig Ridgley (bio)

Why is classifying encryption so difficult? It's not just because encryption is complicated and technical. It's because the fundamental reasons for controlling encryption are at odds with the very nature of today's encryption. The controlling regulations are in place ostensibly to comply with the Wassenaar Arrangement of 1996, and to give our government (literally) insight to domestic encryption. But today encryption is ubiquitous. It is in practically everything digital that we use today; Bluetooth headsets, printers, cell phones and PDA's, and even refrigerators. It is everywhere, and the government has been struggling to keep up with the overwhelming volume of Encryption Review Requests. That and President Obama's export reform initiative have resulted in the June 25th encryption controls changes, and the "optimization" of the Category 5 Part II negative list. It is this "negative list" that causes the "heavy lifting" in encryption classification. The hard part is not figuring out what constitutes "robust" encryption; the hard part is figuring out what is NOT robust encryption. 

There are a total of eleven (11) Notes in Category 5 Part II of the CCL that exclude certain encryption items from classification in Category 5 Part II, or from classification under 5A002, which are subsequently classified under 5A992 instead. If you would like to learn more about encryption classification, I will be holding a Webinar on November 18th from 2:00 PM to 3:30 PM (EST) where I will provide an overview of encryption classification, its unique aspects in terms of U.S. export controls, prevailing regulatory interpretations, and approaches to risk management for compliance managers advising businesses. 

To learn more about my upcoming Webinar Encryption Classification: What You Need to Know click here.