Wither ITAR?
Perhaps common sense is finally prevailing in our bureaucratic dis-industrial complex?
TL;DR
“Why is this time different?” All too often this is the first question asked to cynically dismiss a new idea and fall back on lazy thinking.
In the past, our aerospace & defense industries have remained highly insular government cartels, with large regulatory moats protecting the incumbents. Silicon Valley startups swam across these moats at their own peril. These moats took the form of security classification barriers and ITAR/EAR restrictions, which gave the “Big Six” aerospace contractors and their subsidiaries an inside track on plum research & development contracts, foreign sales and even procurement of foreign components for both the military and non-military aerospace environment. As much as they complained about it, the big defense contractors actually benefited from these regulations because, as Bill Gurley put it in a speech, “regulation is the friend of the incumbent.”
However, we’ve recently seen a paradigm shift in this respect - people inside the Pentagon and elsewhere are not just waking up and realizing that these outdated rules and regulations are actually endangering, rather than helping protect, national security. They are starting to actually do something about it.
A glimmer of hope is emerging that the most ridiculous aspects of ITAR may finally be moving into the rearview mirror. News is coming out this past month that the US Commerce Department is exempting the UK and Australia from ITAR/EAR regulations in whole cloth: language included in the 2023 National Defense Authorization Act (NDAA) made this possible. This dropping of the ITAR wall will greatly facilitate defense technology exchange with these countries and will almost certainly lead to greater collaboration and integration of the defense industries across the alliance.
So this time is different because the regulatory barriers protecting the Big Six defense cartel are finally changing in favor of more open competition, and it couldn’t happen soon enough. With a shift towards a competitive edge based on our ability to ingest and process mountains of training data into AI models or open source software iterating as quickly as possible, speed to field rather than secrecy is what will matter most in the 21st century battlefield.
This week I want to talk a little bit about arms regulations (I’m going to keep this at the process level and stick with publicly available sources here to stay as far away from anything sensitive as possible), as well as share some of my own personal anecdotes. My general opinion is that we are starting to head in the right direction and that the worst of this is behind us, but the pressure has to stay on, if not accelerate, to modernize and simplify these regulations if we want to improve the competitive landscape of the defense industry and sharpen our competitive edge to stay a couple of steps ahead of any future adversary.
Nebbishes fetishize accesses, professionals dread them
There is a certain mystique that surrounds classified information. For those who never held a security clearance, there are fantasies of secret alien bunkers under Area 51 or Mach 10 aircraft hiding in a hangar in the desert (piloted by Tom Cruise, of course).
Hollywood glamourizes it, but for those who have lived in closed rooms with bad lighting, bad cafeteria food, worse bathroom facilities and even worse PowerPoint for endless stretches of time, we’d prefer to avoid it whenever we can going forward. Classification slows everything way down and creates endless headaches as people second guess what they can and cannot say. For some programs the “Get Smart” experience of rooms within rooms within rooms isn’t far off from the truth.
But the mystique factor still remains: one VC recently quipped on X that “If your VC firm doesn’t have an SCI clearance, you are just LARPing in defense.” High level clearances have become the latest prestige accessory for VCs to distinguish the defense players from the defense tourists. It kind of reminds me of how, as young aerospace engineers, we learned to gauge the status of executives by how many boxes they had filled in on their other “checkerboard” badge. We even used to make fun of “ticket collectors”: executives who seemed useless other than that they were “cleared into everything.”
Let’s go beyond the obvious question of “why does someone who just writes checks and sits on boards have a need to know?” Why a VC, whose job relies on maximizing rate of quality deal flow and an oftentimes heavy travel schedule abroad, would be excited about the prospect of a multi-year clearance process and all its restrictions going forward like this is beyond me. You are signing up for a long tedious background check, endless foreign contact reporting, pre facto and post facto travel reporting requirements, not to mention the five-year accounting by a clerk about every unexplained $10,000 transaction in your bank account you’ve had in the past five years (which thanks to inflation happens a lot more these days). If you relish the prospect of finding out that your nanny, who has been living with you for 18 months, is actually a dual Canadian citizen and you now have to report yourself to security, more power to you!
In the dysfunctional security clearance administration environment of a decade ago, where year+ wait times for program accesses were commonplace, many programs were “billet limited” (i.e., a limited number of people could be accessed at any given time) and development of the exact same technology was frequently compartmentalized across different customers, getting cleared into a lot of programs became a career enabler.

Many careers were propelled forward not on merit but because some 22-year-old with a fairly innocuous, and therefore highly clearable, background (i.e., no foreign relatives, never smoked pot, few foreign contacts, grew up lower middle class so minimal foreign travel) got read into the right set of programs early on and therefore had access to more opportunities. It was the Big Six equivalent of going to Stanford and all your friends becoming VCs so you can easily get funded. Middle managers in these companies are actually told (though never in writing) to take into consideration how fast certain new college hires can get cleared.
“America’s penchant for relying on excessive secrecy to maintain its national security should no longer be viewed as a fix but rather as a problem” - Over-classification, How Bad is it, What’s the Fix? (Non-Proliferation Education Center)
Further compounding this dysfunction was the backlog of security clearance background investigations in the early to mid to late 2010s as the (still not defunct) Office of Personnel Management (OPM) started to buckle under its own weight. Anecdotally, the background check refresher backlog (not new, but already cleared) was at one point as bad as 2 1/2 to 3 years without using so-called “silver bullets” to move people to the top of the pile. This was particularly amazing since cleared personnel were supposed to be reinvestigated every five years.
Thankfully, some reforms came to the system that have made things more functional, though more work is still ahead. Some of this was precipitated as a course correction to the Bradley Manning and Edward Snowden leaks which exposed a lot of vulnerabilities in how we watch over our cleared workforce.
The Trump administration, while it did not fully succeed in breaking up OPM due to legislative antibodies from the Virginia delegation (those pesky in-district jobs), did manage to get security clearances moved over to the Defense Counterintelligence and Security Agency (DCSA) and the difference was immediate in terms of time to execute investigations: going from years to several months in less than two years. Other key reforms included continuous background (CB) checks rather than the 5 year reinvestigations and a move to the concept of clearances being attached to a person rather than a program. Recent efforts such as SCIFs as a service take advantage of this trend towards “clear the person not the program.” All of these have made the workforce more fungible and helped ameliorate some of the workforce shortages which were causing massive delays on critical programs.
Another critical reform came as government agencies like the NGA threw away the 50 legacy classification guides they had and consolidated into a single guide. The proliferation of different guides was a result of different programs from different eras all converging and bureaucratic entropy. Clearing the decks cleared a lot of headspace from worrying about “what room am I in again and what can I say here?”
One of the more frustrating aspects of national security work was that different rules often applied to the exact same information, and it was literally impossible for normal people to keep them straight. Actions like the ones the NGA took actually fix this and improve the security of information in the process, since you only have to remember one thing and not, say, twelve about a particular subject.
“In this brave new world, less secrecy, not more, will be needed to deter, dissuade, and effectively bargain with hostile states and non-state actors. Washington will need more clearly articulated declaratory military deterrence and retaliatory policies; more demonstrated, quick rates of military innovation and acquisition; and significantly more sensitive information and intelligence sharing with private firms, allies, and friendly states. This does not mean eliminating secrecy but, rather, establishing the right amount of secrecy at the right level—and no more.” - Over-classification, How Bad is it, What’s the Fix? (Non-Proliferation Education Center)
For those of us with experience, who live and breathe this stuff, clearances are just part of life and we are happy to do our part to secure critical security systems that defend our country, full stop. But we also try to keep work in the open as much as we can because we recognize that speed, more so than secrecy, is how we will win future wars. Basic things developers take for granted, like Python function libraries, oftentimes require months of reviews and approvals to be downloaded to the high side, which can really slow things down. In an era where the acquisition OODA loop is moving from decades to months, this can be the difference between victory and defeat.
ITAR - the other constant headache
The same applies even more so to some of our export restrictions like the International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR). These laws, which started in the 70s with the best of intentions, have since grown through thousands of amendments into a Lilliputian morass tying down the Gulliver of the American aerospace & defense industry. In the space sector, these regulations grew to be such a headache that the French communications satellite firm Alcatel used to market an “ITAR free satellite” and several other European firms also followed suit. However, with millions in fines or even prison time possible, it’s understandable why some would be so nervous to touch anything ITAR related or risk legal exposure by under-classifying technology as non-ITAR.
ITAR regulations can result in months, if not years, of reviews, rulings and appeals for those seeking to share just component, let alone system, technology with our allies. I’ve watched rooms of engineers clam up when asked basic questions because they had no clear ITAR delineations to work with - losing out on major export opportunities that would bolster our allies as a result.
On the Boeing/Russian joint-venture in the 90s and 2000s called Sea Launch, there was literally a wall in the middle of the launch control room so that the Russians couldn’t see what was happening on the screens on the American side because of ITAR - even though the exact same telemetry was often coming in on their terminals, albeit in Cyrillic. This came about after a number of real and supposed ITAR violations, though since the rocket was Russian, it’s a little unclear how much this was really impacted. Nonetheless, I’m sure a physical wall really fostered collaboration and mission assurance.
Contrast this with what many of the drone engineer warriors in Ukraine are doing: there they are frequently pushing out code improvements to thwart Russian tactics, techniques and procedures (TTP) on a commercial continuous integration/continuous delivery (CI/CD) timeline multiple times a day, and people are freely collaborating using open source software and discussion forums like Slack and Signal 24/7 across time zones and nationalities. It’s impossible to think that any consideration can be given for ITAR knowledge transfer at this kind of pace of development. Not to mention prolific purchase of products from companies like Hawkeye360 and Vannevar Labs. The times they are a changing!
When the acquisition OODA loop in Ukraine is 3-30 days, regulations that restrict component information for months or years suddenly come into focus as completely ludicrous.
ITAR headaches at the working level
I recall working on a weather satellite sensor called VIIRS (Visible Infrared Imaging Radiometer Suite) early in my career and seeing all the same boilerplate restrictions on its drawings, component procurement documents and specifications, even those that described relatively mundane components like screws and resistors, that read something like this:
“This (document/presentation) may contain technical data as defined in
the International Traffic In Arms Regulations (ITAR) 22 CFR 120.10.
Export of this material is restricted by the Arms Export Control Act (22
U.S.C. 2751 et seq.) and may not be exported to foreign persons without
prior written approval from the U.S. Department of State.”
Literally nothing about a screw is ITAR and the vast majority of technical documents contain information that is completely irrelevant to national security. This is purely the result of overuse of boilerplate and then no one wanting to go through the headache of removing the boilerplate. Nothing on a screw drawing is actually ITAR.
The same facility often worked on sensors for foreign governments with the exact same technologies and integrated components they built on their soil, which came with none of these restrictions. Particularly in the last couple of decades, as the military industrial complex has become the tender rather than the caboose driving state of the art component design versus Commercial Off The Shelf (COTS) components, these rules have become increasingly unnecessary and outdated.
A new hope
As I mentioned in the intro, there is now hope emerging that the most ridiculous aspects of ITAR may finally be moving into the rearview mirror. This past week the US Commerce Department announced it is drafting rules to exempt the UK and Australia from ITAR/EAR regulations in whole cloth: language included in the 2023 National Defense Authorization Act (NDAA) made this possible. This dropping of the ITAR wall will greatly facilitate defense technology exchange with these countries and will almost certainly lead to greater collaboration and integration of the defense industries of our three countries.
What’s particularly remarkable about this is that ITAR reform has been on the agenda for literally the past four administrations (I remember first hearing about it during the Bush 43 administration) but it has always been a can kicked down the road. Kudos to whoever it was in Congress and the administration that decided to do something about it, finally. The defense ties between the US, UK and Australia are numerous, in the tens of billions of dollars in trade, and as our closest allies besides maybe Canada or New Zealand, these barriers should come down. We oftentimes share classified intelligence with these countries through FIVE EYES channels - it’s unclear to me why ITAR info should be a barrier.
Numerous examples exist of defense collaborations at the corporate level. A couple years ago, Anduril acquired Unmanned Underwater Vessel (UUV) maker Dive Technologies and immediately went to work on selling its XL-UAVs through an Australian subsidiary. Meanwhile BAE Systems, through US subsidiaries, is like a fixture on the wall in the American defense industry (and the 7th largest contractor worldwide), building everything from naval ships to the Electronic Warfare suite for the F-15X and the F-35. Palantir has a huge presence in England as well as every other major defense contractor.
It’s likely the dropping of the ITAR wall will only facilitate these matters and perhaps encourage more defense contractors to follow suit with Anduril in multi-national development efforts like the Ghost Shark Autonomous Underwater Vehicle. There are numerous advantages to being able to build across nine different time zones (Australia 3, UK 1, US 5) - effectively enabling continuous around the clock development and taking advantage of naturalization laws in the UK and Australia that allow better talent uptake (and perhaps cheaper labor) than many US engineering hubs have access to.

We still have a long way to go
In these posts I try to strike a balance between applauding critical progress and pointing out that more change is still needed. Perhaps the solution here is to acknowledge that the regulations are almost entirely unworkable and need to be rethought rather than worked around through country by country exemptions?
It is important to realize that while reforms to ITAR and streamlining of our security system are laudable, these reforms are being well outpaced by the advance of technology and that the laws on the books are still standing in the way of necessary collaboration and research that would help us maintain our technological advantage. While some have gone as far as to say that ITAR should be done away with entirely, I think it’s important to realize that the physical export procedures tied to the US Munitions List (USML) still have merit, if properly applied.
Where the problems exist is with the information sharing restrictions, which create all sorts of unnecessary headaches, stifle innovation and collaboration and oftentimes have prior restraint/free speech issues. Indeed EAR ran into the exact same problem in 1996 when it was applied to cryptography in the Bernstein case. This same case also ruled that computer code itself can be a form of protected speech. It’s clear that these provisions are outdated, ineffective and tread on shaky civil liberty ground.
“The complexity is such that observance of ITAR is rarely based on observation of its provisions, but rather out of fear of prosecution from inadvertent transfers. Further, its outdated provisions undermine its credibility as an effective tool for export control. The reform initiative will not change that reality.” - The Decline and Fall of the ITAR Empire
Indeed, many companies have learned that the best way around these controls is to develop their products and intellectual property entirely on private funds (i.e., as startups) and then to assert that they fall under export exemptions for the bulk of their technology, generally referred to under clause EAR 99. For example, many autonomous vehicle guidance systems and sensors fall under this clause. This is an easy loophole to stay below the regulatory radar, but for those who lack savvy lawyers or experienced players, or who have unwittingly started work without thinking about it, this may be an issue.
One possible fix would be that R&D and acquisition programs from the government could adopt classification guides that reach down to encompass ITAR information but reclassify it with markings such as “Controlled Unclassified Information” or U/FOUO (For Official Use Only) where the program offices themselves have the burden placed on them to prove something needs to be controlled rather than relying on boilerplate restrictions applied at the worker level in companies that overclassify and create global headaches.
Another would be a re-evaluation of everything on the USML to exempt technologies which aren’t explicit munitions (so-called dual-use technologies) where multiple foreign instances of the same technology are readily available without commerce restrictions. The burden really should be on the government to prove that something shouldn’t be exported rather than on the private citizen or entity to prove that it can be (since innocent until proven guilty is a guiding principle in the US Constitution), but right now it feels too often like the opposite.
One technological fix could be doing away with “boilerplate” statements stamped on every file and dataset in favor of “semi-open” sourcing AI co-pilots that could review generated materials and provide a determination, which could then be added as metadata to the files allowing better guards to be put in place. These same AGI co-pilots could also be applied to classified data as well and could aid in critical things like document review prior to declassification and release. While it’s likely this may create some “escapes” due to Type 1 errors, this approach seems better than relying on government censors and private security personnel who may lack the technical expertise in certain topics within our rapidly evolving and highly multi-disciplinary technology base to make a determination.
In conclusion: recent progress gives me some hope that change is finally coming in a good way in our defense regulatory and classification regime. These changes will reduce barriers to entry for upstarts that provide vital competition to established incumbents in the defense industrial complex and help us get critical new products and technologies in the hands of our warfighters and partner nation warfighters faster. However, we have a long way to go and there is still much room for improvement that can both remove barriers to innovation and actually improve protections on the information that is actually critical to protect.