GAO Finds US Military's Critical Technologies List Outdated, Useless

chicksdaddy writes "The U.S. Department of Defense has stopped updating its main reference list of vital defense technologies that are banned from export, according to a new report from the Government Accountability Office (GAO), The Security Ledger reports. The Militarily Critical Technologies List (MCTL) is used to identify technologies that are critical to national defense and that require extra protection — including bans on exports and the application of anti-tamper technology. GAO warned six years ago that the Departments of State and Commerce, which are supposed to use the list, found it too broad and outdated to be of much use. The latest report (GAO 13-157) finds that the situation has worsened: budget cuts forced the DOD to largely stop updating and grooming the list in 2011. Sections on emerging technologies are outdated, while other sections haven't been updated since 1999. Without the list to rely on, the DOD has turned to a hodgepodge of other lists, while officials in the Departments of State and Commerce who are responsible for making decisions about whether to allow a particular technology to be exported have turned to ad-hoc networks of subject experts. Other agencies are looking into developing their own MCTL equivalents, potentially wasting government resources duplicating work that has already been done, GAO found."

Critical Technologies?

[Alwin+Henseler]

(..) technologies that are critical to national defense and that require extra protection — including bans on exports and the application of anti-tamper technology.

They mean Blu-Ray movies?

Re:Critical Technologies?

[AK+Marc]

Ban the numbers 0-9. Nothing will get out then.

Or ban the export of jobs...

Re:Critical Technologies?

[bmo]

> They mean Blu-Ray movies?

No, they mean the "do not remove under penalty of law" tags on the mattresses.

--
BMO

Re:Critical Technologies?

[ShanghaiBill]

Or ban the export of jobs...

That is better than requiring the export of jobs, which is what the current policy does in practice. If you want to be able to sell a technology world-wide, then you need to do your R&D outside of America. If you do it inside, you will subject to export restrictions while your non-American competitors cleanup.

In the 1990s, I worked for a company that included cryptography in our products. Since it was illegal to export anything developed in the USA, we decided to do all our cryptography development in Shanghai, China. But it turned out it was difficult to manage a split team, and consolidating in the USA was impossible. So we laid of all our American engineers that were unwilling to move to Shanghai. I moved there, and it was a fantastic experience. I learned to speak Mandarin, and even ended up starting a family there. But from a policy perspective, it was completely insane. What was more frustrating was that it seemed to be universally recognized as stupid policy, but still persisted for years.

Re:Critical Technologies?

[AK+Marc]

hihao meiguoren. I'd move to china to take a job if the wife would let me.

And yes, most policies are silly, ones like this achieving the opposite of their stated goal.

Re:Critical Technologies?

I'd move to china to take a job if the wife would let me.

Move there, and who knows?

Maybe you'll end up finding a brand new wife in China.

Them Chinese babes are cute.

Re:Critical Technologies?

> They mean Blu-Ray movies?

No, they mean the "do not remove under penalty of law" tags on the mattresses.

--
BMO

The tag's already been implemented, they need a notification system to let us know that its been removed.

Re:Critical Technologies?

[cold+fjord]

Since it was illegal to export anything developed in the USA, we decided to do all our cryptography development in Shanghai, China.

It is usually more efficient to cut out the middleman.

I hope your cryptographic products aren't protecting anything important in the West.

Re:Critical Technologies?

I've heard about the USA mattress tags.
What are they about?
Why can't you remove them?
Why would you want to remove them?
Why is it illegal, it's ... a mattress.

I mean, these *are* the things you put on your bed to sleep on, right? I'm not confusing "mattress" with some other US specific meaning of the word?

Re:Critical Technologies?

[mister_playboy]

It's just a longtime joke here. The tags always say something like "may not be removed except by the consumer"

Many people don't understand the last part refers to them...

Re:Critical Technologies?

[bmo]

It used to be that there wasn't that exception printed on the tags.

It's a "recent development" (last 25 years) that the exception has been printed.

From wikipedia:

In addition, in one episode of the popular 1970s show, Sanford and Son, Fred finds a tag with the warning label on and misjudges it to mean that if it is removed, he could go to jail. He tears it up and exclaims "power to the people!" This was before the words "...except by consumer" were added. Even the mattress company Serta created a commercial where its famous counting sheep were thrown in jail for tearing off of the law label after the mattress's owner said she didn't need them anymore.

--
BMO

Re:Critical Technologies?

[bmo]

It's a consumer protection law created in 1936, to help prevent customers from buying infected/contaminated bedding. It lists the kind of stuffing, whether it's new/recycled, etc. It's illegal for the manufacturer or seller to remove, but not the consumer. But the exception for the consumer wasn't printed on the label for most of its history, so it became a joke that if you tore it off your own mattress, you'd go to jail.

http://en.wikipedia.org/wiki/Law_label

--
BMO

Re:Critical Technologies?

[DirtyLiar]

Infected / contaminated or INFESTED bedding, you mean.

Re:Critical Technologies?

We had a similar experience. Our industrial system required a pulse generator that happens to run afoul of nuclear weapons exports restrictions. It's a completely legitimate non-weapons use but commercial technology has simply caught up with that happens to be necessary to trigger a nuclear weapon. And >70% of the manufacturing companies that could use the product are outside the US and thus banned from receiving exports with the tech. So we designed around the restricted item and simply found a Chinese company who could build the unit to spec. Just drop that into the system and it works exactly the same but bypasses munitions restrictions handily. And we also got it cheaper for US consumption so we shit-canned the US/Canadian manufacturer's product and now use the Chinese product for US customers as well. Basically the entire purpose of the ban is trivially and rightfully subverted because the restrictions are hopelessly out of date.

Budget cuts?

Budget cuts prevent the DOD from maintaining a list? Really? I'm so fucking stupid I'm actually expected to believe that?

Re:Budget cuts?

Budget cuts prevent the DOD from maintaining a list? Really? I'm so fucking stupid I'm actually expected to believe that?

It's not just some part-time secretary punching some words into a spread sheet. You have to pay, or contract out, people to spend the time and lab resources to do a full analysis on all the various technologies out there. Then you have to circulate the analysis through a variety of different departments such as the Pentagon, CIA, etc. so they can examine it and if needed, raise concerns about how it may be applied. Then you have to run it all by some type of policy review board before handing it to the secretary to punch up the list. Every one of those steps has mountains of paperwork associated with it, security classifications cause big headaches (no, we can't say why this should be restricted, that's classified) etc.
Believe what you want, but the process is pretty damn expensive and as most of what gets reviewed is stamped "approved" it's the type of thing which usually gets cut first when the budget axe falls.

Re:Budget cuts?

so your advice is to let it rot so it cost much more to install a half assed system in a rush when it does fail instead of taking care of what you have now

fuck you

Re:Budget cuts?

[cold+fjord]

And when the government standards, like export restrictions, fall far enough behind the state of the art, hilarity can ensue.

Apple tries to get G4 export ban lifted
Apple PowerMac G4 Commercial - Super Computer
Sci/Tech - Apple launches 'desktop supercomputer'

Re:Budget cuts?

$100/minute for most meetings of this sort, when you figure in the fully burdened cost of everybody in there. 2 meetings? $10K!

We all know why...

Because if there was a definitive list, the applications of those technologies would become obvious as well as what level of sophistication is deemed dangerous. For example, if we banned certain wide-band radio transmitters, on the grounds that they can be used for neural interfaces to manipulate humans, then we are telling people what they need to buy.

So, its really sort of a potential shopping list for the enemy.

Maybe list = secret?

[icebike]

Seems kind of pointless to even create such a list, when it simply becomes a "Steal me" shopping list for foreign intelligence. Kind of like doing their homework for them. Half the stuff on the list is probably manufactured in other countries already.

If you insist on having such a list, (and presumably keep it secret), the only sensible list would be an automatically "sunsetted" list, where you list something that will automatically fall off the list after X years, where X has a value between 1 and 5. That way, each item could be evaluated every X years to determine if its already been replicated somewhere else, and protection is pointless.

Re:Maybe list = secret?

If you insist on having such a list, (and presumably keep it secret)

That's brilliant. Make a list of things that can't be exported and keep it a secret. So any exporter of technology gets to guess at what may or may not get their cargo seized.

Re:Maybe list = secret?

[icebike]

If you manufacturer something on this list there is a pretty good chance the military is your biggest customer already, and you already know your kit is sensitive.

Re:Maybe list = secret?

If you manufacturer something on this list there is a pretty good chance the military is your biggest customer already

Some items are also consumer devices. Manufacturer != exporter.

Re:Maybe list = secret?

[icebike]

We make that stuff in this country?
Who knew?!

Re:Maybe list = secret?

[Teun]

Hmm, it's a couple of years ago when in Lafayette I decided to buy a boxed version of Red Hat.
Once out of the shop I noticed a printed warning on the box that it could not be sold to certain nationalities because of encryption used.

No one in the shop asked me where I would take it nor was I asked at the border when leaving.

Excellent security policy...

Hmmmm

Nano-deathbots to the highest bidder! Do I hear $50 Million?

A Terry Gilliam Movie?

Are bubble-gum and nylon stockings still on that list? Or just the apps?

Maybe because those kinds of lists are useless

[NoNonAlphaCharsHere]

I remember, in the 80's, Xenix was "export restricted", especially libc.a if it had "crypt.o" in it - like the algorithm hadn't been published many years prior to that. Anybody remember the big Toshiba machine-tool controller foorah that supposedly allowed the Soviets make quieter submarine propellers?

Does anybody think that our enemies-du-jour (and our friends, too) aren't reading all our science journals and buying samples of all manner of products for reverse engineering? Or for that matter, does anybody really think that we aren't doing the exact same thing, all over the world?

Lists like these are like "the seven words you can't say on television" - just a dare for somebody to do it.

Re:Maybe because those kinds of lists are useless

[bmo]

>I remember, in the 80's, Xenix was "export restricted", especially libc.a if it had "crypt.o" in it

That's because until the Clinton administration, encryption under US law was classified under "munitions."

Since World War II, many governments, including the U.S. and its NATO allies, have regulated the export of cryptography for national security considerations, and, as late as 1992, cryptography was on the U.S. Munitions List as an Auxiliary Military Technology.[1]

From wikipedia.

It was one of the reasons why Phil Zimmerman almost went to jail for making PGP.

>Anybody remember the big Toshiba machine-tool controller foorah that supposedly allowed the Soviets make quieter submarine propellers?

It wasn't just a controller, it was an entire milling machine or two. Very large ones worth a lot of money.

We made some faces at Japan and quickly forgot about it. Because it wasn't like we were getting those machines back.

--
BMO

Re:Maybe because those kinds of lists are useless

[Genda]

I sentence you to death by cipher at dawn!

Re:Maybe because those kinds of lists are useless

Beats death by cypher.

Re:Maybe because those kinds of lists are useless

[Daniel+Dvorkin]

Does anybody think that our enemies-du-jour (and our friends, too) aren't reading all our science journals and buying samples of all manner of products for reverse engineering?

Large, powerful nations have a habit of denigrating their enemies. Said enemies can't just be on the other side; they have to be stupid and cowardly and barbaric and, in general, barely human. What's never explained, of course, is how people who are this all-around worthless can simultaneously pose a deadly threat which must be guarded against every minute of every day.

To be fair, to some degree this is human nature and everybody does it, but superpowers seem to be particularly prone to this kind of thinking. Sooner or later it always bites them in the ass.

Re:Maybe because those kinds of lists are useless

[cold+fjord]

When it comes to sophisticated products or technologies, marketing announcements, journal articles, even refereed papers are fine things. However, if you are actually trying to build the thing yourself, you need an actual recipe to do it, and sometimes the real secret, the art of it, is in the recipe, the actual implementation. Think of something so simple as rubber, which had been known for hundreds of years or more, but had defeated previous attempts to improve its utility. That is until Charles Goodyear invented the vulcanization process.

In terms of software, even when an algorithm is published, that is only part of the story. The implementation is a key element. Is it implemented correctly? Is the software written in a robust, reliable manner? Is it easy to use correctly to perform its key function? There have been many encryption utilities written, not all of them useful, not all of them correct, not all of them secure. Even if you get an encryption algorithm correct, your operational practices may render it vulnerable.

More than a few countries do themselves a disservice in terms of military infrastructure by trying to use sophisticated equipment without the necessary infrastructure, training, and spare parts needed to use it effectively. They are fooling themselves. Just because you have it doesn't mean that you can use it effectively.

Stealing IP doesn't always work out for you either. You may not have the necessary technology to build the item. You may steal "doctored" plans for a real item that is designed to fail in subtle ways, as did the Soviets.

Sometimes a shoddy copy is good enough for what you need. Other times it is useless.

Sometimes, even if you had the magic, you lose it, and may no longer be able to summon a dragon when needed.

Of course, in other cases, reverse engineering is relatively straight forward, and a new, dangerous competitor can come out of nowhere.

Re:Maybe because those kinds of lists are useless

[arglebargle_xiv]

I remember, in the 80's, Xenix was "export restricted", especially libc.a if it had "crypt.o" in it - like the algorithm hadn't been published many years prior to that. Anybody remember the big Toshiba machine-tool controller foorah that supposedly allowed the Soviets make quieter submarine propellers?

It wasn't just Xenix, it was about half of all the high-tech in existence. Those lists have always been a joke, both because they were totally out of touch with current technology, and because they seemed to have been generated by throwing darts at a Mouser catalogue. Back when it was still COCOM I once had to go through the IT section of the control lists, and found that something like a third of all the products sold in the computer store down the road were (in theory) export-controlled, things like "chips with more than 208 pins", a complex list of graphics performance that was leading-edge in the 1980s but was by the time the lists were published exceeded by anything faster than an S3 Trio64, anything that did adaptive routing which must have been high-tech in the 1970s some time but by the time it was featured on the control lists any Unix kernel and every router did it, and I can't remember all the other nonsense in there (Linux, even in the form it was in back then, had so much controlled technology in it you could practically open an arms fair with it). If the lists had been enforced as written, half the US computer industry would have had to stop all exports and/or been shut down as illegal arms traders. You just had to rely on the fact that they were never enforced unless you really pissed off the wrong people in the government, at which point they'd suddenly discover all sorts of violations that you'd committed.

Re:Maybe because those kinds of lists are useless

You just described the TSA, and the general all around "save me, I'm helpless" mentality that was, and still is, the reaction to 9/11.

It is important to never forget such things, just like Pearl Harbor, but it is equally important to get over them from an outrage perspective. We fought the Japanese and defeated them, but we don't use what happened in 1941 as a way to view Japan today.

It is equally important to remember that governments and multinationals thrive on fear and lack of perspective, and that they've got to hold the record for keeping public outrage and fear so high so long afterwards. Of course, in 1941 all mass media wasn't owned by mega corps, and that has plenty to do with it.

And by the way, it's still gonna bite us in the ass. Given how long this crap has gone on, it's going to be a really big bite too.

Re:Maybe because those kinds of lists are useless

[loufoque]

When you say it's important to remember Pearl Harbor, you mean it's important to remember how the US government let the Japanese ransack a military base to gather public opinion for war?
Are you also implying that the same thing happened with 9/11?

Re:Maybe because those kinds of lists are useless

[DirtyLiar]

Actually it's more simmilar to the days when software producers made public announcements declairing their copy-protection to be un-hackable. That was a real call-to-arms to the leagons of socially-challenged, pimpelly faced, snot-nosed, don't-have-anything-better-to-do-all-weekend kids around the world to put grampa back in his place. It took the Software Insustry years to realize that for every single person they put on making copy-protection 40 hours a week, that there were hundreds of kids out there willing to invest every waking hour into breaking it, and do it just for the bragging rights. And that bragging about it just made them focus on your products.

Another List

[the+eric+conspiracy]

There should be a list of products that are encouraged for sale to our enemies.

Ideas:

Boeing batteries
Ford Pinto
Fen-Phen
Bon Vivant Vichyssoise
Pop Tarts
Twinkies
Intel Pentium (original version)
UML
Microsoft Windows ME

They will regret messing with us!

Re:Another List

[NoNonAlphaCharsHere]

What's the difference between a bowl of Bon Vivant Vichyssoise and the electric chair?
You don't need a spoon with the electric chair.

Re:Another List

[Genda]

One is a viscous, horrible dispenser of death, and the other is a piece of prison furniture?

Re:Another List

[CohibaVancouver]

Boeing batteries

By "Boeing Batteries" I presume you mean batteries made by GS Yuasa Corp of Kyoto, Japan & purchased by Boeing for installation in the 787?

Re:Another List

[mister_playboy]

Don't forget the Firestone tires... :)

Do Not Export This Post!

[Sooner+Boomer]

RSA in perl (and dc)

#!/bin/perl -sp0777iX+d*lMLa^*lN%0]dsXx++lMlN/dsM0j]dsj $/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1 lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/) ...and of course /. is munging the format...

Re:Do Not Export This Post!

[DirtyLiar]

Too late!

Cool!

[sgt+scrub]

Now Americanz can sell computerz with openSSL configured to for'nerz like Mark J. Cox, Ralf S. Engelschall, Dr. Stephen Henson, Ben Laurie, and...

Do what the Chinese do...

[Genda]

Sell everything to everyone, make certain there are abundant back doors to allow American defense systems to disarm weapons using American Technology so they can't be used against us and let the good times roll.

Re:Do what the Chinese do...

What happens when those features are disabled?

Re:Do what the Chinese do...

You have to be very careful when backdooring something you use. What happens when the enemy finds a way to access that backdoor?

Re:Do what the Chinese do...

[cold+fjord]

What happens when those features are disabled?

It turns a mach 2 jet bomber into a compact, contemporary styled, and very fast lounge suite.

Re:Do what the Chinese do...

I believe the parent is asking what happens when those features are disabled by the bad guys, as in they shut the back doors, so we can't go in and stop them anymore.

Netscape.

I for one sleep better at night knowing Czechoslovakia will not get their red hands on the advanced cryptography present in Netscape's Navigator 3.0 Gold.

Re:Just Like Obama

you fucktards gave him executive authority and bitch and whine whenver he uses it

heres an idea, quit giving powers that undermine your own you fucktards

PS2

is considered a national security product. Nevermind, (by today's standards), basic encryption protocols.

Colossal waste of time

[Corwn+of+Amber]

Bans on export, when any blueprint can be sent anywhere at all in about zero time, they're guarding a door with no wall.

How much are those bozos PAID?

Re:Colossal waste of time

[donaggie03]

I suppose the idea is that blueprints aren't very helpful if you don't have the manufacturing capability or the parts/raw materials/computer code/etc needed to build whatever it is you have the blueprints for.

Re:Colossal waste of time

[Corwn+of+Amber]

Argument invalid : Tools have blueprints.

Re:Just Like Obama

[Impy+the+Impiuos+Imp]

The vast majority of people don't see government's massive power as a problem as long as "their guy" is wielding it. Then power inevitably changes (Democrats are on a furious masturbatory kick right now that History Is Now Over) and only then does that side suddenly become concerned with constitutional issues.

Both sides do it over and over as the decades go by, never learning the lessons the founding fathers did which was why they limited government originally.

Power will change hands again. It always does.

China released a statement about this

[futhermocker]

Please ban export of future Windowsâ versions

Re:Just Like Obama

[peragrin]

That is one of the few things that is good about hte USA. At most every 8 years a different group will take over and try to take away a different set of rights.

Republicans have the economic sense of 10 year olds. "I can always get more money out of mommy", And go after civili liberties trying to force their view on the people.

Democrats realize that you can't cut income and increase spending , but don't really want to decrease spending to compensate. And they go after things like copyright, patent laws(just about all the really stupid copyright extensions were written by democrats)

In other words...

[Shaman]

....they are using Microsoft products and vertical applications with no source code. How long has the open source community been saying that this was insanity?

gah. ITAR, EAR, they're all a pain in the rear

And list makers face an insurmountable task.. how do you describe dual-use militarily critical stuff so a clerk at Dept of State or Dept of Commerce can check your application, and say, yep, EAR99, that's what it looks like to me to.

And even worse than "stuff" is "information".. Technical Assistance in export control speak. Someone in a foreign country (on a internet forum perhaps) asks a question about something.. "how do I bypass this 30 GHz MMIC amplifier"... the answer to that question might or might not be export controlled. If the MMIC amp is in a building to building microwave link, no problem. If the MMIC amp is in a radar warning receiver or a spacecraft, big problem, because it's providing information on the design and construction of a defense article. Depending on who you talk to, telling "non-US persons" (an export control term of art) about some peer reviewed journal article published in the 60s might be deemed an export of export controlled technical information..

Re:Just Like Obama

[lightknight]

Can we get a TV Trope out of this? I feel it should be in their database somewhere...

The reason?

Marge, the admin assistant and the keeper of the list, is still using Excel while awaiting retirement and that fat pension check from the guvmint.

Speaking of Waste

The GAO is a waste of government resources itself because nothing ever gets properly resolved.

*And boom goes the dynamite*

Great, a shopping list for foreign goverments.

OPFOR: "Look ! The stupid Americans actually invested money into that market research necessary to determine what tech is worse stealing !"

Who ever thought this is a good idea in the first place ?! It basically a target list for infiltration and military-industrial thieves out there...

Not sure what crypto chips the Americans are using in their coms ?! Look up chip manufacturers in the list.
Not sure what the radar range of US ground stations ? Look up the list for dish restrictions.
Not sure how fast can the NSA crack your transmission ? Look up the FLOPS restriction and cross that with chip manufacturers revenue and winning contract to get an idea of how many flops your building against...

What an idiotic idea. Someone should have been hung for this one...

Import restrictions instead

So that deadly war machines aren't dependent on recycled parts stripped from old electronic junk in China's back alleys.

Technology is not just computers/software

[Likes+Microsoft]

I've looked over the comments on this thread with frustration, seeing that the conversation swiftly derailed into being *just* about Crypto. The MCTL covers all areas of technology that may be deemed militarily critical. It is not really possible to find a publicly hosted .gov or .mil site that gives much info any more, but this university page stills shows the 20 areas covered: http://www.wright.edu/rsp/Security/T1threat/Mctl.htm , including things like space systems and nuclear technologies.

Great...

[DirtyLiar]

... so how are we supposed to know what we can and cannot export?

Especially since "ignorance is not a defence"?