Issue Summary
United States export controls on computer technology originated in the by-gone Cold War, when their intent was to retard the then Soviet Union and its allies from reaching military parity with the US and its western allies.
Since the Cold War's end, debate has arisen on how US computer controls should be updated and reformed to better serve today's US national security and economic interests. There are three primary aspects to this debate:
Performance-Based Controls. Mandated by the 1998 National Defense Authorization Act (NDAA), these controls were recently changed to a new metric, "Adjusted Peak Performance," stated in "Weighted Teraflops" (WT). The current level of .75 WT applies to exports to so-called Tier 3 countries. While this change has been positive, this level will have to be changed in the future to keep pace with technological advances in widely available commercial computers.
End-Use Controls. These controls are referred to as the Enhanced Proliferation Control Initiative (EPCI), and prohibit the export of any US products to proliferators of weapons of mass destruction (WMD). They were established after the Gulf War, as Iraqi efforts had brought concern that low-level technologies, including low-level computers, can aid the development and manufacture of WMD by rogue nations. The Administration has proposed to extend end-use controls to military applications in China.
Knowledge Controls. US companies are required to obtain export licenses for many of their foreign-born employees before they can work on certain technology projects, even at the companies' US facilities.
Sun's Position
Performance Controls on Computers Are No Longer Effective
High performance commercial computing used to be controllable, and performance-based controls on computers served US national security interests. With today's technologies, this is no longer true for the following reasons:
- Due to advances in microprocessor speeds, today's personal computer already exceeds yesterday's supercomputer in computing power.
- The US is not the only source of high performance computers. A significant number of major systems producers exist outside of the both the US and the Wassenaar group, including companies that have developed high performance systems included in the top 500 systems.
- Advances in clustering, networking, scalability, and remote access have caused computing power to become easy to purchase or access globally.
As the US Department of Defense wrote back in the late 1990's, "our ability to control the acquisition of computer hardware is already largely ineffective and will be increasingly so within a very short time frame." To pretend otherwise is, as the Defense Science Board has written, "at best unhelpful to the maintenance of military dominance, and, at worst, counterproductive."
The recent change to Adjusted Peak Performance, measured in WT, is needed and useful as WT is easier to calculate and more accurately reflects performance across computer architectures. However, the fundamental problems remain: (1) computer performance controls are no longer effective, and (2) thresholds stated in the new metric will have to be reviewed on a regular basis to reflect changes in technology.
Critics have recommended that these performance controls be abandoned, and replaced by increased protections on the two areas most critical to the US military's advantages in using computing power for military purposes: specially designed military software and databases.
Recommendations:
Repeal the current statutory requirement for MTOPS-based controls on computers, and subsequently move to eliminate such performance-based controls entirely; Review and strengthen protections against the export or diversion of specially designed military software and databases.
Proliferation End-User Restrictions Need Improvement
Sun and other US suppliers of commercial computing technology want to prevent potentially dangerous exports to WMD proliferators and rogue nations, and we've incorporated rules, procedures, and technologies to protect against such sales. However, the US government does not publish a list of such WMD proliferators, so a company has no easy way to determine if a potential customer is an end-user of concern. And this becomes even more difficult for customers wishing to download products from the Internet.
If a company does request assistance from the US government, it could wait as long as 18 months for an answer; and if the government identifies the potential customer as an end user of concern, it does so only to the inquiring company, not to that company's competitors.
Under the current EPCI controls, companies are compelled to maintain their own mini-CIA, and they face stiff penalties if their in-house intelligence efforts fall short.
The three international WMD control regimes (Missile Technology Control Regime, Nuclear Suppliers Group and the Australian Group) do not impose controls on commercial computer technology which they consider unimportant for WMD design, testing, or production. The lack of multilateral support makes these controls ineffective.
Current problems with end-use controls will be compounded if a current proposal to extend military end-use controls to a range of civilian products to end-users in China is promulgated. These controls would apply to items that have already been decontrolled, either because they are already available without restriction, or because they have not been deemed strategically valuable. Sun is concerned that unilaterally expanding end-user controls to already decontrolled items would not enhance US national security, while increasing US exporter costs, and introducing an unnecessary competitive disadvantage for US exports to certain entities such as airports.
Recommendations:
Review and improve the EPCI controls, instituting new procedures built upon US government identification of WMD proliferators. Seek greater multilateral cooperation on export restrictions to WMD proliferators and rogue nations. Do not unilaterally extend additional end-use controls to previously decontrolled computers.
Controls on Employee Access Need Improvement
To remain globally competitive, US IT companies must employ the best engineering and technical talent we can find. This often means employing foreign-born engineers and computer scientists. In addition, we are integrating our global engineering sites into an efficient cross-border unit.
US "deemed export" and other controls on the sharing of information and data with foreign-born employees do not recognize these industry developments, and treat these employees -- and their involvement in corporate design and engineering projects -- as though they are external foreign parties.
In doing so, these controls unnecessarily hamper efficient completion of projects within a company, and impose a major, immediate, and increasing burden on US IT companies.
Such controls are responsible for the single largest category of export license applications for US IT companies.
An exemption from these requirements has been in place for encryption technologies, without harm to US National security.
Recommendation:
Review and reform current requirements that US companies get an export license for each foreign-born employee before allowing access to company-owned commercial information.
| 