It reads like a spy novel. A dual U.S.-Russian citizen admitted to operating as an unauthorized agent of the Russian government and exporting leading-edge semiconductors for use by Russia’s military, Reuters reported.
Alexander Fishenko, founder of Arc Electronics Inc., was among 11 people charged in 2012 in connection with what authorities said was an elaborate procurement network intended to evade federal export controls, according to Reuters. About $30 million worth of technology was sold to Russian military and other entities.
According to media reports, Arc identified itself as a manufacturer of technology for lighting equipment and navigation systems. Fishenko pleaded guilty and in July was sentenced to 10 years in prison and was ordered to forfeit more than $500,000.
The U.S. government and the electronics supply chain have numerous safeguards in place to prevent sensitive technology from being exported to entities hostile to the United States. It also has a number of anti-counterfeiting practices and strategies. Would any of them have prevented this type of scam?
In recent months several companies have proposed using Big Data as a security measure. The concept — simplified — works like this: electronic components have a unique set of data attached to them even if they come from the same batch. Packaging, testing and other post-manufacturing data can be correlated into a unique “fingerprint” for a component. This fingerprint can then be used to authenticate individual devices.
A variation on the same theme tracks the data that is external to the product. As components pass through the hands of their manufacturers, buyers, assemblers and end customers, data would identify who bought the component, how much they paid, where it was shipped, and what kind of product it ended up in. This system seems like it could rout out a fake-company scam.
The U.S. government has export controls in place to protect sensitive technology. Export Administration Regulations (EAR) cover commercial, dual-use, and minor military commodities. “Dual-use” refers to items which have both commercial and military applications.
International Traffic in Arms Regulations (ITAR) controls the export of specific military and space-related commodities through direct commercial sales and through the U.S. Government’s Foreign Military Sales (FMS) Program. The U.S. government identifies and flags nations, businesses and individuals that are prohibited from receiving certain goods and makes that information available to businesses.
The electronics supply chain already uses and shares data for trade compliance efforts. A large percentage of electronics components are not sold directly from supplier to end customer: they pass through various channels. Electronics distributors, the middlemen of the electronics industry, work with component suppliers and end customers on export control. Suppliers provide distributors with the export jurisdiction of the devices they manufacture. Distribution passes that information on to customers.
Export-controlled technical data has a unique set of rules designed to ensure that it is not inadvertently released or “exported” to foreign persons either inside or outside the United States, explains Gary Wash, director trade compliance for distributor TTI Inc. As an ITAR-registered company, TTI is required to have procedures in place to trace processing steps of ITAR-controlled transactions from the time it receives controlled parts to the time they are shipped.
Once a part TTI purchases is identified as export-controlled, the distributor sets controls in its purchasing system with appropriate identifiers to indicate it as EAR or ITAR-controlled. “When orders for that part hit the system, our sales and product teams are trained to recognize and treat it as an order requiring review and approval by the Office of Trade Compliance,” said Wash. “System security will not allow the order to process until such time export due diligence has been performed and compliance requirements are satisfied. Restricted party screening is part of the review process, with a goal of ensuring that none of the end users of our products downstream are trade-prohibited parties.”
The existing system should have raised a red flag on Arc even if it were buying components directly. According to prosecutors, seven of Arc’s top 10 clients were specially authorized by the Russian Ministry of Defense to procure parts for its military, and the company functioned as the U.S.-based arm for one Moscow-based client, Apex System LLC. Fishenko and his co-conspirators hired and trained a cadre of Russian-speaking sales people to lie to vendors about why Arc was seeking controlled technologies and to falsify export records. According to Fishenko’s lawyers, Arc was intended to be a lawful export company, but “wrongly fostered a laissez-faire attitude toward the licensing requirements.”
Would Big Data have helped? Possibly. A deeper analysis of the individuals and clients associated with Arc could have set off alarm bells somewhere along the line. But there are still a number of problems associated with Big Data as it pertains to supply chain and export security. The first is the data itself: the EU is contemplating privacy laws that further restrict the kind of information electronics supply chain companies share as standard operating procedure (SOP). Point-of-sale (POS) information is provided by distributors to component makers so suppliers know how to best target their technology and marketing efforts. Aspects of EU privacy practices could make sharing this information out of bounds for the supply chain.
Then there is private industry vs. the U.S. government. The electronics supply chain relies heavily on government data to monitor export controls. Private companies have developed the data-based tracking technologies discussed above. Will private enterprises be responsible for collecting and analyzing supply-chain data? Will they then “own” the data? Where will the data be stored? Who will determine who gets access to the data? What happens once data gets flagged, and who will investigate and resolve the problem?
These questions only scratch the surface of possible conflicts. Private companies are loath to share competitive information with one another and, in Apple Inc.’s case, have resisted U.S. government requests to “unlock” data. Electronics companies are reluctant to report suspect counterfeit components to the Government-Industry Data-Exchange Program (GIDEP) because GIDEP requires transparency. Once a company reports its suspicions, that company, its suppliers and customers are associated with possible supply-chain vulnerabilities.
Yes, Big Data could help secure sensitive technology. But before data can be capitalized on for anti-counterfeiting and export control, government and private industry have a number of things to hammer out. Agreement on a standard is one of them. Getting the buy-in of a Hewlett-Packard, Dell, Cisco or IBM could help other electronics supply chain partners to come to a consensus on a technology or process that works for private industry. Getting government and industry to pull together is an entirely different matter.