Assistant Attorney General John P. Carlin Delivers Remarks at Practising Law Institute’s Coping with U.S. Export Controls and Sanctions 2015 Conference
Washington, DC United States ~ Friday, December 18, 2015
Remarks as prepared for delivery
Thank you for that introduction, and for the opportunity to be a part of this important discussion.
As you all know, foreign governments and other non-state adversaries of the United States are engaged in an aggressive campaign to evade U.S. sanctions regimes and acquire sensitive U.S. technology. In so doing, they threaten our economy, our prosperity and, most importantly, our national security. Disrupting these national security threats is among the highest priorities of the Department of Justice, and the National Security Division.
But the responsibility of protecting our nation from these threats is a shared one. Your clients – the companies you represent – and thus, you, have a critical role to play.
Because our companies have our nation’s crown jewels in their possession. They house information targeted by thieves ranging from foreign powers bent on economic and military superiority, to individual criminals who know the market demand for this information, to terrorists who wish to create weapons of mass destruction.
Of course, companies have a responsibility to comply with the export control and sanctions regime. We must also recognize that our companies are not immune from becoming unwitting victims of thieves and spies. We live in an age where the threats we face are not limited to unlawful shipments and deliveries of goods. Threats are also posed by insiders and through cyberspace. Therefore, to protect what we value, our national assets, companies must learn how to comply with the law and how to protect themselves.
That is why it is good to see such a strong turnout. Lawyers are on the front line helping clients adapt to an ever evolving export control regime. Lawyers shape strategy – hardening collective defenses and counseling companies on best practices.
For example, sitting here today, you know to help your clients comply with export controls and sanctions. Regimes designed to keep export controlled data and trade secrets out of the hands of rogue nations or terrorists.
But have you had the chance to counsel those same clients when a cyber-hacker exfiltrated that information? If you have not, unfortunately, it may only be a matter of time. Cases involving the theft of export-controlled information via hacking are no longer uncommon.
Recently, we’ve brought cases where hackers targeted cleared U.S. defense contractors and stole massive amounts of sensitive data related to military technology, including export-controlled software. These cases are not the first of their kind, and they will almost certainly not be the last.
You have the power to help your clients protect themselves. In a modern, interconnected world, there is quickly emerging a blending of practice areas. Trade controls blends with data privacy, and export controls and sanctions trigger questions not only of compliance but of cybersecurity.
It is a fascinating time to be a practicing lawyer in this area, but one that brings with it grave responsibility.
Today, we’ll talk about a broad range of issues that go into being a modern export control practitioner.
National Security Division
But first, I can explain a bit about the National Security Division of the Department of Justice.
The National Security Division was created in the wake of the September 11th terrorist attacks, in part in response to a specific recommendation from the WMD Commission.
The Commission identified intelligence failures that contributed to the attacks. It highlighted the danger of the so-called wall between foreign intelligence and law enforcement. We needed to be able to connect the dots. We needed to change.
So in 2006, Congress created the National Security Division, creating the first new litigating division in the Department in almost half a century. The National Security Division brings all of the department’s resources to bear. We bring down the wall, uniting prosecutors and law enforcement officials with intelligence attorneys and the Intelligence Community.
We are responsible for executing the highest priority of the Department of Justice – to protect this nation from the full range of national security threats we face. We are proud to have this essential mission.
At the top of our priority list is protecting our nation from terrorist threats. In recent days, you’ve heard everyone from the president to the attorney general and the director of the FBI speaking at length about the steps we are taking to combat that threat each and every day.
Just yesterday, we arrested Jalil Ibn Ameer Aziz, 19, a U.S. citizen and resident of Harrisburg, Pennsylvania, on charges of conspiring to provide, and attempting to provide, material support to the Islamic State of Iraq and the Levant (ISIL). Aziz is alleged to have served as an intermediary between ISIL supporters. Passing location information, including maps and a phone number, to assist persons seeking to travel and travel to and wage jihad with ISIL.
Although it may not seem so at first, fighting terrorism and preventing the illegal export of U.S. technology are interrelated goals. Take the case of Feras Diri. Diri is indicted in the very same district as Aziz. We allege he was involved in a scheme to illegally export U.S. goods to Syria in violation of U.S. sanctions. Some of these good were dual-use items. It doesn’t take much to imagine the consequences of those items falling into the wrong hands once it reaches Syria.
One of the most significant national security threats we face, is the protection of our nation’s assets – including export controlled information, as well as other sensitive information that may be targeted by nation states and terrorists. In so doing, we take an intelligence-driven, threat-based approach.
We have an entire section devoted to this work – the Counterintelligence and Export Control Section, or simply CES. We changed the name as part of a restructure to reflect the significance of export control and sanctions enforcement. This year, CES also finalized a new Strategic Plan, setting forth an aggressive, comprehensive approach. We know from experience that those seeking to do us harm will look for any available vulnerability to exploit. They use all tools against us; it is our responsibility to do the same. Our strategy is driven by the intelligence picture we see, which helps us prioritize and focus on the areas of most significant threat.
Our Priorities and Our Regime
Two of our highest priority areas involve China and WMDs. Both are subject to export controls and regulations.
Our economy profits from exports, and we support the flow of goods across borders. But we must balance economic gain with the real threat to national security posed by certain technologies falling into the wrong hands.
That is why our export control regime is so important. It is the best way to keep sensitive military and dual-use technologies, or even information that could be used in weapons of mass destruction, from ending up in the hands of terrorists and other adversaries. They protect our innovation from being turned against us.
With an ever-growing and evolving set of threats targeting our sensitive technologies and information, we must be vigilant. We must look at how transactions could make us more vulnerable, and do everything in our power to mitigate those vulnerabilities.
Take China – despite a long-standing U.S. arms embargo, China continues to surge efforts to acquire advanced U.S. military technology. China seeks U.S. persons with expertise to illegally provide services and know-how related to sensitive, export-controlled U.S. technology for military gain. As an example, they targeted U.S. experts on jet engines to assist in developing Chinese-made engines. If successful, our military edge over China is reduced; our country is put at greater risk. Knowing what China seeks and why is essential to any sound export compliance and training program.
Likewise, a high priority remains Iran.
Earlier this year, the United States, Iran, the E.U. and five other nations reached a Joint Comprehensive Plan of Action (JCPOA).
The sanctions relief specified in the JCPOA does not go into effect until Implementation Day – which does not occur until after Iran has completed all necessary nuclear steps, as verified by the International Atomic Energy Agency.
Even after Implementation Day, sanctions relief will not affect most laws and regulations enforced by the Department of Justice.
With few exceptions, U.S. or foreign persons involved in the export or re-export of U.S. goods or services to Iran remain subject to prosecution under the Iranian Transactions and Sanctions Regulations, as do U.S. persons involved in Iranian transactions.
The only sanctions relief relates to:
the export, re-export, sale, lease or transfer to Iran of commercial passenger aircraft, parts and services for civil end-uses;
the import of Iranian-origin carpets and foodstuffs; and
certain transactions involving Iran by foreign entities owned or controlled by a U.S. person.
Looking beyond the sanctions to other U.S. export regulations, the JCPOA will have no effect on the International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR). Likewise, our commitment to prosecuting cases where defense articles on the U.S. Munitions List (USML), defense services and items subject to the EAR are exported to Iran remains as strong as ever.
So as a practical matter, what does this mean? Bottom line, companies and individuals, whether U.S. or foreign, need to remain vigilant when it comes to any possible commercial or financial interactions with Iran. We will continue to investigate and, where appropriate, prosecute U.S. export control and sanctions cases involving Iran under our domestic authorities. Because anything else is simply unacceptable.
The export control and sanctions regime in place exists to protect this nation from the proliferation threat. From sensitive information and technology that could pose a grave danger in the wrong hands making its way to terrorists. From our innovation being used to develop weapons of mass destruction or ballistic missiles.
Iran remains a designated state sponsor of terrorism, and we will not take our eye off of countering Iran’s efforts to support international terrorism and other destabilizing activities in the region.
U.S. companies – particularly in large international corporate structures, must understand this reality.
The risks – not only compliance-based risks, but security risks – must be front of mind, and we hope that as the lawyers who counsel, advise and represent these companies, you will talk frankly about them.
At the Department of Justice, we continue to prioritize corporate misconduct related to export control and sanctions violations. The deputy attorney general issued guidance and directed changes to the U.S. Attorneys’ Manual to reflect the department’s sharpened focus in this area including on individual corporate defendants.
To provide you clarity as you advise clients, we will provide guidance to make clear our current practices on voluntary self-disclosure of export and sanctions criminal violations. We want to be transparent about our process and the factors we consider when assessing voluntary self-disclosures. That way, the benefits for your clients are clear, and you can provide clear counsel.
Because when a company voluntarily self-discloses export control and sanctions misconduct, fully cooperates and appropriately remediates, we will grant the company a significantly reduced penalty. That can include a non-prosecution agreement (NPA), a reduced period of supervised compliance, a reduced fine and forfeiture and no requirement for a monitor.
If one or more aggravating factors are present to a substantial degree – like numerous willful shipments of defense articles to a foreign terrorist organization – a more stringent resolution might be necessary. In all cases, however, the company that voluntary discloses will find itself in a better position one that does not.
We are also discussing these issues with our regulatory partners to help you understand how the Department of Justice fits in to the broader regime. The Department of Justice guidance we ultimately issue on VSDs will not supplant or supersede obligations to regulators. Our ultimate goal is to be more transparent, so that companies will have more certainty about the benefits of self-disclosure are when dealing with prosecutors. In the end, we think this is good for our national security mission and good for business.
Voluntary self-disclosure is responsible. But even if you choose not to pursue the route of voluntary self-disclosure and cooperation, your corporate clients need to remain vigilant or they may suffer serious consequences.
Time and again, we have shown that willfully facilitating illegal transactions will not go unpunished.
Earlier this year, Schlumberger Oilfield Holdings Ltd. (SOHL), a wholly-owned subsidiary of Schlumberger Ltd., one of the largest oil and gas services companies in the world, pleaded guilty and agreed to pay a penalty of over $232 million for conspiring to violate the International Emergency Economic Powers Act (IEEPA) by willfully facilitating illegal transactions and engaging in trade with Iran and Sudan.
What it ultimately came down to, was that one subsidiary failed to adequately train its employees to ensure that all U.S. persons, including non-U.S. citizens who resided in the United States, complied with Schlumberger Ltd.’s sanctions policies and compliance procedures.
We will not hesitate to prosecute individuals and entities that facilitate illegal transactions in violation of U.S. sanctions.
Vigilance is essential. Policies and procedures are simply not enough. They must be fully executed and reinforced. Simply “checking the box” by implementing an export control and sanctions compliance program without the proper support or follow through will not insulate a company from prosecution.
Another point to keep in mind is the need to know your markets and your people. When you’re part of a large corporate family with many segments located overseas, some subject to very different export control laws in foreign countries, you have be careful to ensure that conduct illegal in the U.S. does not become practice here. If you have doubts, check with your regulator. Something a foreign national employee does overseas may have been entirely legal there, but once transferred here, is a crime.
When working with your clients on these and other difficult issues, implore them to be vigilant. These are complicated areas, and it takes sound advice and a high level of scrutiny to ensure compliance.
Unfortunately, compliance is only one piece of the puzzle. Because, in addition to the compliance risks that are common in global operations, your corporate clients – and, in fact, even potentially their outside counsel –also are vulnerable to the threats from insiders and hackers.
Insider threats – threats from trusted employees and contractors – is now a significant problem. And they are threat to national security when they steal sensitive export-controlled technology.
For instance, Mozaffar Khazaee stole materials from each of three defense contractors who employed him, including materials relating to the F35 Joint Strike Fighter. He attempted to illegally export a shipping container’s worth of those proprietary, export-controlled materials to Iran in order to gain employment there. After pleading guilty, he received 97 months in prison.
Although that sentence sends a strong message to any insider who would consider violating the trust of his or her employer, deterrence alone is not enough.
So what can you do to address this problem? Report incidents of suspected insider theft as soon as they are detected. Create detailed internal training and compliance programs designed to neutralize threats before they even occur, and provide evidence of willful or knowing conduct in the event an insider is not deterred.
Cyber-Enabled Export Violations
That helps with threats from within our perimeters. But unfortunately, we also face them from outside our borders. That is why another of our export control enforcement priorities is to combat cyber exfiltration of sensitive U.S. technologies, including ITAR-controlled technical data.
In the digital age, foreign nations and their agents can now steal information, including export-controlled technical data and technology, without setting foot on American soil. Left unchecked, cyber espionage can erode our strategic advantages across commercial and military spectrums.
When possible, we will use investigations, arrests and prosecutions, to disrupt efforts to steal from you and your clients. We will also look to use all other legally available tools to deter, like sanctions, designations, diplomacy and other tactics.
But your partnership is critical. You can harden your defenses, create resilient systems, evaluate your cyber hygiene and cooperate with law enforcement when your defenses simply aren’t enough.
That is why we at the National Security Division and others throughout the U.S. government, including the FBI, have made cooperation with the private sector a key component of our export control strategy.
We work with U.S. companies, across all industry sectors, to ensure that our national security interests are protected. We have spent time and energy in face-to-face sit downs so that we may better understand the concerns and challenges faced by U.S. companies, share guidance and information, and be there to help with protection, detection, attribution and response. We can warn our companies that manufacture or sell targeted U.S. parts and technology when certain bad actors are seeking the particular parts and technology they make.
Corporate outreach helps sensitize industry to the threat and thereby maximizes the prevention of export control and sanctions violations. We believe that through such efforts we can help stem the flow of those sensitive goods out of the U.S. to malicious end-users that would use them to threaten our national security interests and the safety of our warfighters.
It’s likely that many of you here today have clients that we’ve already met with recently to discuss these types of issues. If you do not, we would certainly welcome the opportunity to do so in the future.
In conclusion, we recognize that our export control laws and sanctions regimes are complex and have a significant impact on the U.S. economy. But they are there to protect against the many threats we face.
And you play a critical role in that effort. You and your clients can successfully negotiate the current export control and sanctions regimes and help keep America safe.
Scrutinize closely each and every transaction undertaken with a foreign counterparty, whether a good or a financial transaction.
Make sure that you understand the relevant compliance and sanctions regimes and how they apply.
Make a voluntary self-disclosure to the National Security Division when you discover a willful violation of U.S. export control laws.
Develop robust training and compliance programs.
Focus not only on internal compliance, but on the threats posed by insiders and through cyberspace.
Harden your cyber defenses.
Develop a relationship with law enforcement, so that we may share valuable information with you to help you protect yourself, and be there to help you respond when your defense may simply not be enough.
Profits may be the lifeblood of our corporations, but cutting corners here in the interest of the bottom line, is potentially catastrophic. You and your clients risk enforcement actions, financial penalties and prison time. But perhaps more significantly, doing so can provide a dangerous capability to an adversary who wishes to bring about damage, destruction or death to many. So understanding and addressing how to comply with these regimes and neutralize these threats is not only the responsible thing to do, but the only thing to do.
The National Security Division will continue to approach export controls and sanctions with a broad and varied toolkit. We will continue to vigorously pursue and prosecute those who violate our nation’s export control laws, but that is not how we define success. Success is working with you to increase education and compliance and to prevent sensitive controlled technologies from falling into the wrong hands. We will combat threats posed by insiders and through cyberspace. And we will coordinate with our colleagues throughout the federal government to use an all tools approach – prosecution, listing, sanctions and other means of disruption – to combat national security threats.
With the careful calibration of these tools and with an eye toward mitigating vulnerabilities and defending against threats, we can protect the national security while simultaneously fostering economic growth and job creation.
Thank you for inviting me here this morning, and for your interest in these issues.