This week’s post was co-authored with Kathryn M. Rattigan, David E. Carney and Edward J. Heath. We are members of Robinson+Cole’s Manufacturing Industry Team and regularly counsel clients on trade compliance, anti-corruption compliance, and other corporate compliance issues.
The recent enforcement activities of the newest federal strike force serve as a warning to U.S. manufacturers and other businesses involved in the export of products that the government is doubling down on prosecuting trade violations. The expressed mission of the multi-agency Disruptive Technology Strike Force (Strike Force) is “to counter efforts by hostile nation states to illicitly acquire sensitive U.S. technology to advance their authoritarian regimes and facilitate human rights abuses.” The latest Strike Force criminal indictments focus on technology such as:
- Aerospace and defense source code,
- Aircraft components,
- Microelectronic components used in unmanned aerial vehicles (UAVs),
- Laser welding machinery.
There is every reason to expect that the Department of Justice’s (DOJ) future targets will extend beyond the kind of individual defendants who have been the focus of the 24 criminal indictments to date and include legitimate companies whose compliance program deficiencies allow the illicit exports to occur. Ensuring that a company’s trade compliance program meets or exceeds the expressed standards of the DOJ and the Department of Commerce (DOC) is now more essential than ever.
Compliance Keys
- Exposure Risk for Manufacturers and Distributors. The export-diversion schemes prosecuted to date share a common element—a bad actor sought to exploit innocent U.S. manufacturers and distributors by misrepresenting their identity and end-use plans or by seeking to compromise the manufacturer’s computer systems. As U.S. export controls (particularly those aimed at Russia and China) have expanded over the past several years, schemes like those alleged in these indictments have proliferated. Failing to be alert for the warning signs of such schemes may expose a company to becoming a victim of sanctions evaders or, worse, an enforcement target for ignoring red flags. The Export Administration Regulations prohibit companies from engaging in a transaction with the knowledge that a violation has occurred or will occur. “Knowledge” is not limited to actual knowledge; it can also be inferred from turning a blind eye to red flags in a transaction. As a result, having personnel trained to identify and respond appropriately to red flags suggesting that diversion could be occurring can be crucial to avoiding export violations.
- Precautions to Detect and Prevent Imposter Schemes.
- First, a written risk-based export control compliance plan can be a valuable aid in detecting diversion schemes and other illicit behavior. Such plans detail procedures employees must follow for conducting diligence on new and existing customers and transactions, evaluating when export licenses are required for a transaction, and detecting and responding to red flags. They provide clear guidance on when and how to escalate potential issues. Such a compliance plan gives employees the tools to help them identify when their company may be facing a diversion scheme and how to respond appropriately before a transaction is executed.
- Second, companies can emphasize conducting “know your customer” (KYC) diligence on transactions. The importance of such diligence is heightened when new customers are involved, when business with an existing company is expanding to new products, or to involve new product destinations. The DOC has published extensive guidance on KYC diligence (often in conjunction with other U.S. government agencies and with enforcement authorities in allied countries). This week, the DOC and export control authorities from the other G7 countries issued new guidance that identifies items most likely to be the subject of diversion efforts by Russia, lists common red flags suggesting potential export control and sanctions evasion in a transaction, and suggests some diligence best practices to prevent diversion and evasion. This new guidance echoes similar guidance issued by U.S. and allied government agencies over the last two years for detecting diversion schemes in the current environment of export controls and sanctions regarding Russia and China. (For example, our summary of the joint guidance issued last year by export-control authorities in the United States, the United Kingdom, Canada, Australia, and New Zealand addressing 45 types of goods at high risk for diversion and recommended KYC diligence steps can be found here.) Companies should be tracking and incorporating, as appropriate, these guidance updates
- Third, companies can be knowledgeable about the potential uses of their products and technology. This knowledge informs when and where a company may face diversion risk. Products and technology with permissible uses could be a target for diversion where they can be used for purposes the U.S. government restricts. For example, in one of the recent Strike Force cases, U.S. v. Postovoy, the alleged diversion scheme targeted a company whose microelectronic components could be used in drones and UAVs. Keeping U.S.-origin components out of such vehicles used by Russia in the war with Ukraine has been a major U.S. export control policy priority. Similarly, in another Strike Force case, U.S. v. Teslenko, the alleged diversion scheme targeted a company whose laser welders had applications that could aid Russia’s nuclear weapons program. Knowing the market for illicit uses for a company’s products and technology helps a company tailor its compliance efforts by identifying what products may be attractive to bad actors and what specific red flags may be of most concern regarding the company’s products and technology.
- Cybersecurity Vigilance to Prevent Technology Theft. Another case announced alongside the Strike Force cases, U.S. v. Wei, is a reminder that U.S. manufacturers of sensitive technology face a multifront effort by foreign malign actors to gain access to that technology. In addition to ensuring up-to-date export controls and sanctions compliance programs, U.S. manufacturers should consider measures to protect their technology from misappropriation through cyber intrusion by implementing appropriate processes and tools to prevent and detect such activity by these actors. These processes and tools can include:
- Regularly sharing cyber hygiene tips and training on current phishing schemes and conducting phishing tests to increase employee awareness of these risks,
- Maintaining system hygiene by regularly scanning systems for vulnerabilities and unauthorized accounts, monitoring access logs for suspicious activity, and prohibiting automatic email forwarding to external addresses to prevent data leakage,
- Installing a secure email gateway to filter out spam, malware, and phishing attempts and employing email authentication techniques (e.g., SPF, DKIM, and DMARC),
- Tracking and monitoring all endpoints and mobile devices to detect suspicious activities and regularly auditing access logs to identify violations or attempted violations of access policies, and
- Restricting administrative and privileged account access to minimize potential damage and limiting remote access to critical data and functions.
The Indictments
The six most recent indictments relating to the Strike Force’s efforts confirm that export control and sanctions compliance, particularly concerning Russia, China, and Iran, is a significant enforcement priority for the DOJ and other government agencies. As one Strike Force member stated, the DOJ, “through the work of the Strike Force, will continue to do all [it] can to prevent advanced technologies from falling into the hands of our adversaries and protect our national security.” These indictments and a related indictment announced simultaneously highlight the risks of manufacturers and distributors falling victim to schemes like those alleged in the indictments or becoming the focus of enforcement efforts for committing export control violations.
U.S. v. Postovoy. A Russian citizen living in the United States was indicted for conspiring to violate the Export Control Reform Act (ECRA), to smuggle, launder money, and defraud the United States. After Russia invaded Ukraine, the individual used a series of companies he owned around the world to obtain and unlawfully export microelectronic components that could be used in drones and UAVs from the United States to Russia. The individual concealed and misstated end-user and destination information in communications with U.S.-based distributors.
U.S. v. Song. A Chinese national was indicted for wire fraud and aggravated identity theft in connection with attempts to obtain software and source code from the National Aeronautics and Space Administration (NASA), research universities, and private companies. Over several years, the individual “spear phished” individuals at NASA, the Air Force, Navy, Army, and Federal Aviation Administration; research universities; and aerospace companies in an attempt to obtain code to which the individual suspected the victims had access. At all relevant times, the individual, who assumed the identities of persons known to the victims, was an employee of a Chinese state-owned aerospace and defense contractor.
U.S. v. Teslenko. A U.S. resident and a Russian national were indicted for smuggling and conspiracy to violate the ECRA, smuggle, and defraud the United States. For approximately six years, the individuals exported laser welding machines from one’s employer in the United States to a Russian company involved in Russia’s nuclear weapons program. The individuals falsified export documentation to conceal the end user.
U.S. v. Goodarzi. A dual U.S. and Iranian citizen was charged with smuggling UAV components to Iran from the United States. For four years, the individual obtained U.S.-originated parts and either transshipped them, typically through the United Arab Emirates or transported them in his own checked luggage during trips to Iran. The individual had acknowledged in numerous emails with U.S. suppliers that the parts could not be transferred to Iran because of sanctions. The individual also lacked the proper export license to send these items to a sanctioned country like Iran.
U.S. v. Nader. A dual U.S. and Iranian citizen was indicted for violating U.S. economic sanctions and other federal laws in connection with procuring U.S.-originated aircraft components for Iran’s armed forces. Customers in Iran placed orders with the individual, who, in turn, directly or through others, contacted U.S. companies for the components. The individual falsely identified himself or his U.S.-based company as the end user of the components. The individual attempted to export the components, including transshipment to Iran, on several occasions; however, DOC agents detained each export.
U.S. v. Wei. In addition to the above criminal cases brought through the work of the Strike Force, the DOJ announced the indictment of a Chinese national on charges of fraud, conspiracy, computer intrusion, and aggravated identity theft for unlawfully accessing the computer network of a U.S. telecommunications company. The individual—a member of the People’s Liberation Army—and co-conspirators accessed the company’s systems in 2017 and stole documents relating to communications devices, product development, testing plans, internal product evaluations, and competitive intelligence. The individual attempted to install malicious software to maintain access to the company’s systems; his access continued for approximately three months.