Product Management and Export Compliance – Cease Fire!
Open Source
October 13th, 2009
Eran Strod
Director of Product Marketing
estrod@blackducksoftware.com
Last week I attended the BIS Update conference in Washington, D.C. For those of you who are not familiar with it, the Update conference, put on by the Bureau of Industry and Security (BIS), is an annual gathering of nearly 1,000 export compliance professionals, government officials, attorneys and business leaders who assemble in DC to network and learn about changes in US export policy. The world economy as we know it would not exist without this tight-knit community, which essentially shepherds the export of US-origin products through a maze of Commerce Department regulations to eager customers around the world.
What does export compliance have to do with open source software?
As renowned analyst Bob Igou of Gartner Research recently wrote, “40% of open source software is used as building blocks in larger software development projects.” (1) One of the challenges companies face when leveraging hundreds of thousands or even millions of lines of open source code is that it is very time consuming and expensive to understand what is in that code, including whether it contains regulated code. From a legal perspective, ignorance is not a defense. If code is in a product that a company ships, then that company is on the hook to make certain it is compliant. That is especially true for software that contains strong encryption, which is regulated by the Bureau of Industry and Security of the US Department of Commerce. And we aren’t talking about theoretical risk here. Penalties for violating the regulations include prison (up to 20 years), fines of $250K (or 2X the value of the transaction) and worse.
Just to give you an example of one of the boundaries: “weak” encryption can be self-classified without notification or government review. Weak currently means:
• Symmetric algorithms with keys of 56 bits or less
• Symmetric algorithms with keys of 64 bits or less, for “Mass Market” items (2)
• Asymmetric algorithms with keys of 512 bits or less
• Elliptic curve algorithms with keys of 112 bits or less
Anything above these limits falls outside the self-classification safe harbor and has to go through the BIS classification or notification process before it ships, so a product team needs to know not just whether encryption is present but which algorithm and what key length.
We spoke with about 60 compliance professionals at BIS Update and I repeatedly heard this feedback: they cannot do their jobs (keeping their companies compliant) if software development organizations do not give them good information about the encryption content inside products. One compliance professional described fighting with a product manager who insisted there was no encryption in a popular software platform that was being bundled into their system, when in fact she (the compliance specialist) knew that to be false from previous experience.
Conflicts like these can be easily resolved once the facts are established. Our message at the show was that we can automate this process and make it easy to analyze and find encryption, even to create a cryptographic bill of materials for a project. When you “Know Your Code” you can stop arguing about facts and get back to the business of creating value for your company.
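To make the idea of a cryptographic bill of materials concrete, here is a small added example (it is illustrative code written for this post, not Black Duck’s scanner or any product’s code). It walks a set of constructed source snippets, matches a handful of assumed crypto API signatures (OpenSSL-style AES/DES names, a PyCrypto RSA call, a Java named curve), records the algorithm, key family and key length it can infer, and then applies the self-classification thresholds listed above to flag which entries can be self-classified as weak and which need review. The signature list and sample files are assumptions for the demonstration:

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Self-classification thresholds as listed in the post ("weak" is at or below the limit).
WEAK_LIMITS = {
    "symmetric": 56,
    "symmetric_mass_market": 64,
    "asymmetric": 512,
    "elliptic_curve": 112,
}

# Assumed, illustrative signatures: (regex, algorithm, key family, fixed key bits or None
# to read the key length from capture group 1). Real-world detection needs far more rules.
SIGNATURES = [
    (re.compile(r"\bAES(\d{3})\b"), "AES", "symmetric", None),
    (re.compile(r"\bDES_(?:set_key|ecb|cbc)\w*"), "DES", "symmetric", 56),
    (re.compile(r"\bDES_EDE3\w*|\b3DES\b"), "3DES", "symmetric", 168),
    (re.compile(r"\bRSA\.generate\((\d+)\)"), "RSA", "asymmetric", None),
    (re.compile(r"\bsecp(\d{3})[rk]1\b"), "ECDSA/ECDH", "elliptic_curve", None),
]

# Constructed sample "source tree" for the demonstration; not taken from any real project.
SAMPLE_FILES: Dict[str, str] = {
    "net/tls_client.c": 'SSL_CTX_set_cipher_list(ctx, "AES256-SHA");\n',
    "auth/keygen.py": "from Crypto.PublicKey import RSA\nkey = RSA.generate(2048)\n",
    "legacy/checksum.c": "DES_set_key_unchecked(&k, &ks);\n",
    "mobile/Ec.java": 'ECGenParameterSpec spec = new ECGenParameterSpec("secp256r1");\n',
    "util/strings.c": "int len = strlen(buf);\n",
}


@dataclass
class BomEntry:
    path: str
    algorithm: str
    family: str
    key_bits: int
    classification: str


def classify(family: str, key_bits: int, mass_market: bool = False) -> str:
    """Apply the post's thresholds: at or below the limit may be self-classified as weak."""
    limit_key = "symmetric_mass_market" if (family == "symmetric" and mass_market) else family
    return "weak (self-classify)" if key_bits <= WEAK_LIMITS[limit_key] else "review required"


def scan_source(path: str, text: str, mass_market: bool = False) -> List[BomEntry]:
    """Return one BOM entry per crypto signature hit in a single file."""
    entries: List[BomEntry] = []
    for pattern, algorithm, family, fixed_bits in SIGNATURES:
        for match in pattern.finditer(text):
            bits: Optional[int] = fixed_bits if fixed_bits is not None else int(match.group(1))
            entries.append(BomEntry(path, algorithm, family, bits, classify(family, bits, mass_market)))
    return entries


def build_bom(files: Dict[str, str], mass_market: bool = False) -> List[BomEntry]:
    """Scan every file (sorted by path for a stable report) and merge the entries."""
    bom: List[BomEntry] = []
    for path, text in sorted(files.items()):
        bom.extend(scan_source(path, text, mass_market))
    return bom


if __name__ == "__main__":
    for entry in build_bom(SAMPLE_FILES):
        print(f"{entry.path:20} {entry.algorithm:10} {entry.family:15} "
              f"{entry.key_bits:5d} bits  {entry.classification}")
```

Run against the constructed tree, the report lists RSA-2048, DES-56, a 256-bit curve and AES-256; only the DES entry lands under the 56-bit symmetric limit and can be self-classified, the other three need review. The caveat a practitioner should carry away is that pattern matching of this kind only finds what it has signatures for: a vendored cipher implementation with no recognisable API name, a key size chosen at runtime, or a statically linked library will all be missed, which is exactly the gap that makes the “there is no encryption in it” argument risky.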
(1) “User Survey Analysis: OSS Spending Intentions Hold Steady While IT Services for OSS Continue to Evolve, North America, 2009,” Bob Igou, August 27, 2009 (Gartner Document ID: G00170359)
(2) “Mass Market” is formally defined in the Export Administration Regulations
For more information regarding product management and export compliance, I recommend reading “What Makes Complying with Export Controls Involving Encryption So Hard?” by noted attorney Ben Flowe Jr.
October 21st, 2009 at 10:00 am
[...] the encryption strength, and the intended use. If you are using weak encryption, as defined in my October 13th blog, then you are OK. If you are between the limits of weak and strong, well then, …make friends with [...]