GAO Finds US Military's Critical Technologies List Outdated, Useless

chicksdaddy writes "The U.S. Department of Defense has stopped updating its main reference list of vital defense technologies that are banned from export, according to a new report from the Government Accountability Office (GAO), The Security Ledger reports. The Militarily Critical Technologies List (MCTL) is used to identify technologies that are critical to national defense and that require extra protection — including bans on exports and the application of anti-tamper technology. GAO warned six years ago that the Departments of State and Commerce, which are supposed to use the list, found it too broad and outdated to be of much use. The latest report (GAO 13-157) finds that the situation has worsened: budget cuts forced the DOD to largely stop updating and grooming the list in 2011. Sections on emerging technologies are outdated, while other sections haven't been updated since 1999. Without the list to rely on, the DOD has turned to a hodgepodge of other lists, while officials in the Departments of State and Commerce who are responsible for making decisions about whether to allow a particular technology to be exported have turned to ad-hoc networks of subject experts. Other agencies are looking into developing their own MCTL equivalents, potentially wasting government resources duplicating work that has already been done, GAO found."

Critical Technologies?

[Alwin+Henseler]

(..) technologies that are critical to national defense and that require extra protection — including bans on exports and the application of anti-tamper technology.

They mean Blu-Ray movies?

Re:Critical Technologies?

[AK+Marc]

Ban the numbers 0-9. Nothing will get out then.

Or ban the export of jobs...

Re:Critical Technologies?

[bmo]

> They mean Blu-Ray movies?

No, they mean the "do not remove under penalty of law" tags on the mattresses.

--
BMO

Re:Critical Technologies?

[ShanghaiBill]

Or ban the export of jobs...

That is better than requiring the export of jobs, which is what the current policy does in practice. If you want to be able to sell a technology world-wide, then you need to do your R&D outside of America. If you do it inside, you will subject to export restrictions while your non-American competitors cleanup.

In the 1990s, I worked for a company that included cryptography in our products. Since it was illegal to export anything developed in the USA, we decided to do all our cryptography development in Shanghai, China. But it turned out it was difficult to manage a split team, and consolidating in the USA was impossible. So we laid of all our American engineers that were unwilling to move to Shanghai. I moved there, and it was a fantastic experience. I learned to speak Mandarin, and even ended up starting a family there. But from a policy perspective, it was completely insane. What was more frustrating was that it seemed to be universally recognized as stupid policy, but still persisted for years.

Re:Critical Technologies?

[AK+Marc]

hihao meiguoren. I'd move to china to take a job if the wife would let me.

And yes, most policies are silly, ones like this achieving the opposite of their stated goal.

Re:Critical Technologies?

[cold+fjord]

Since it was illegal to export anything developed in the USA, we decided to do all our cryptography development in Shanghai, China.

It is usually more efficient to cut out the middleman.

I hope your cryptographic products aren't protecting anything important in the West.

Re:Critical Technologies?

[mister_playboy]

It's just a longtime joke here. The tags always say something like "may not be removed except by the consumer"

Many people don't understand the last part refers to them...

Re:Critical Technologies?

[bmo]

It used to be that there wasn't that exception printed on the tags.

It's a "recent development" (last 25 years) that the exception has been printed.

From wikipedia:

In addition, in one episode of the popular 1970s show, Sanford and Son, Fred finds a tag with the warning label on and misjudges it to mean that if it is removed, he could go to jail. He tears it up and exclaims "power to the people!" This was before the words "...except by consumer" were added. Even the mattress company Serta created a commercial where its famous counting sheep were thrown in jail for tearing off of the law label after the mattress's owner said she didn't need them anymore.

--
BMO

Re:Critical Technologies?

[bmo]

It's a consumer protection law created in 1936, to help prevent customers from buying infected/contaminated bedding. It lists the kind of stuffing, whether it's new/recycled, etc. It's illegal for the manufacturer or seller to remove, but not the consumer. But the exception for the consumer wasn't printed on the label for most of its history, so it became a joke that if you tore it off your own mattress, you'd go to jail.

http://en.wikipedia.org/wiki/Law_label

--
BMO

Re:Critical Technologies?

[DirtyLiar]

Infected / contaminated or INFESTED bedding, you mean.

We all know why...

Because if there was a definitive list, the applications of those technologies would become obvious as well as what level of sophistication is deemed dangerous. For example, if we banned certain wide-band radio transmitters, on the grounds that they can be used for neural interfaces to manipulate humans, then we are telling people what they need to buy.

So, its really sort of a potential shopping list for the enemy.

Maybe because those kinds of lists are useless

[NoNonAlphaCharsHere]

I remember, in the 80's, Xenix was "export restricted", especially libc.a if it had "crypt.o" in it - like the algorithm hadn't been published many years prior to that. Anybody remember the big Toshiba machine-tool controller foorah that supposedly allowed the Soviets make quieter submarine propellers?

Does anybody think that our enemies-du-jour (and our friends, too) aren't reading all our science journals and buying samples of all manner of products for reverse engineering? Or for that matter, does anybody really think that we aren't doing the exact same thing, all over the world?

Lists like these are like "the seven words you can't say on television" - just a dare for somebody to do it.

Re:Maybe because those kinds of lists are useless

[bmo]

>I remember, in the 80's, Xenix was "export restricted", especially libc.a if it had "crypt.o" in it

That's because until the Clinton administration, encryption under US law was classified under "munitions."

Since World War II, many governments, including the U.S. and its NATO allies, have regulated the export of cryptography for national security considerations, and, as late as 1992, cryptography was on the U.S. Munitions List as an Auxiliary Military Technology.[1]

From wikipedia.

It was one of the reasons why Phil Zimmerman almost went to jail for making PGP.

>Anybody remember the big Toshiba machine-tool controller foorah that supposedly allowed the Soviets make quieter submarine propellers?

It wasn't just a controller, it was an entire milling machine or two. Very large ones worth a lot of money.

We made some faces at Japan and quickly forgot about it. Because it wasn't like we were getting those machines back.

--
BMO

Re:Maybe because those kinds of lists are useless

[Genda]

I sentence you to death by cipher at dawn!

Re:Maybe because those kinds of lists are useless

[Daniel+Dvorkin]

Does anybody think that our enemies-du-jour (and our friends, too) aren't reading all our science journals and buying samples of all manner of products for reverse engineering?

Large, powerful nations have a habit of denigrating their enemies. Said enemies can't just be on the other side; they have to be stupid and cowardly and barbaric and, in general, barely human. What's never explained, of course, is how people who are this all-around worthless can simultaneously pose a deadly threat which must be guarded against every minute of every day.

To be fair, to some degree this is human nature and everybody does it, but superpowers seem to be particularly prone to this kind of thinking. Sooner or later it always bites them in the ass.

Re:Maybe because those kinds of lists are useless

[cold+fjord]

When it comes to sophisticated products or technologies, marketing announcements, journal articles, even refereed papers are fine things. However, if you are actually trying to build the thing yourself, you need an actual recipe to do it, and sometimes the real secret, the art of it, is in the recipe, the actual implementation. Think of something so simple as rubber, which had been known for hundreds of years or more, but had defeated previous attempts to improve its utility. That is until Charles Goodyear invented the vulcanization process.

In terms of software, even when an algorithm is published, that is only part of the story. The implementation is a key element. Is it implemented correctly? Is the software written in a robust, reliable manner? Is it easy to use correctly to perform its key function? There have been many encryption utilities written, not all of them useful, not all of them correct, not all of them secure. Even if you get an encryption algorithm correct, your operational practices may render it vulnerable.

More than a few countries do themselves a disservice in terms of military infrastructure by trying to use sophisticated equipment without the necessary infrastructure, training, and spare parts needed to use it effectively. They are fooling themselves. Just because you have it doesn't mean that you can use it effectively.

Stealing IP doesn't always work out for you either. You may not have the necessary technology to build the item. You may steal "doctored" plans for a real item that is designed to fail in subtle ways, as did the Soviets.

Sometimes a shoddy copy is good enough for what you need. Other times it is useless.

Sometimes, even if you had the magic, you lose it, and may no longer be able to summon a dragon when needed.

Of course, in other cases, reverse engineering is relatively straight forward, and a new, dangerous competitor can come out of nowhere.

Re:Maybe because those kinds of lists are useless

[arglebargle_xiv]

I remember, in the 80's, Xenix was "export restricted", especially libc.a if it had "crypt.o" in it - like the algorithm hadn't been published many years prior to that. Anybody remember the big Toshiba machine-tool controller foorah that supposedly allowed the Soviets make quieter submarine propellers?

It wasn't just Xenix, it was about half of all the high-tech in existence. Those lists have always been a joke, both because they were totally out of touch with current technology, and because they seemed to have been generated by throwing darts at a Mouser catalogue. Back when it was still COCOM I once had to go through the IT section of the control lists, and found that something like a third of all the products sold in the computer store down the road were (in theory) export-controlled, things like "chips with more than 208 pins", a complex list of graphics performance that was leading-edge in the 1980s but was by the time the lists were published exceeded by anything faster than an S3 Trio64, anything that did adaptive routing which must have been high-tech in the 1970s some time but by the time it was featured on the control lists any Unix kernel and every router did it, and I can't remember all the other nonsense in there (Linux, even in the form it was in back then, had so much controlled technology in it you could practically open an arms fair with it). If the lists had been enforced as written, half the US computer industry would have had to stop all exports and/or been shut down as illegal arms traders. You just had to rely on the fact that they were never enforced unless you really pissed off the wrong people in the government, at which point they'd suddenly discover all sorts of violations that you'd committed.

Re:Maybe because those kinds of lists are useless

[loufoque]

When you say it's important to remember Pearl Harbor, you mean it's important to remember how the US government let the Japanese ransack a military base to gather public opinion for war?
Are you also implying that the same thing happened with 9/11?

Re:Maybe because those kinds of lists are useless

[DirtyLiar]

Actually it's more simmilar to the days when software producers made public announcements declairing their copy-protection to be un-hackable. That was a real call-to-arms to the leagons of socially-challenged, pimpelly faced, snot-nosed, don't-have-anything-better-to-do-all-weekend kids around the world to put grampa back in his place. It took the Software Insustry years to realize that for every single person they put on making copy-protection 40 hours a week, that there were hundreds of kids out there willing to invest every waking hour into breaking it, and do it just for the bragging rights. And that bragging about it just made them focus on your products.

Re:Maybe list = secret?

If you insist on having such a list, (and presumably keep it secret)

That's brilliant. Make a list of things that can't be exported and keep it a secret. So any exporter of technology gets to guess at what may or may not get their cargo seized.

Another List

[the+eric+conspiracy]

There should be a list of products that are encouraged for sale to our enemies.

Ideas:

Boeing batteries
Ford Pinto
Fen-Phen
Bon Vivant Vichyssoise
Pop Tarts
Twinkies
Intel Pentium (original version)
UML
Microsoft Windows ME

They will regret messing with us!

Re:Another List

[NoNonAlphaCharsHere]

What's the difference between a bowl of Bon Vivant Vichyssoise and the electric chair?
You don't need a spoon with the electric chair.

Re:Another List

[Genda]

One is a viscous, horrible dispenser of death, and the other is a piece of prison furniture?

Re:Another List

[CohibaVancouver]

Boeing batteries

By "Boeing Batteries" I presume you mean batteries made by GS Yuasa Corp of Kyoto, Japan & purchased by Boeing for installation in the 787?

Re:Another List

[mister_playboy]

Don't forget the Firestone tires... :)

Do Not Export This Post!

[Sooner+Boomer]

RSA in perl (and dc)

#!/bin/perl -sp0777iX+d*lMLa^*lN%0]dsXx++lMlN/dsM0j]dsj $/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1 lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/) ...and of course /. is munging the format...

Re:Do Not Export This Post!

[DirtyLiar]

Too late!

Cool!

[sgt+scrub]

Now Americanz can sell computerz with openSSL configured to for'nerz like Mark J. Cox, Ralf S. Engelschall, Dr. Stephen Henson, Ben Laurie, and...

Re:Maybe list = secret?

[icebike]

If you manufacturer something on this list there is a pretty good chance the military is your biggest customer already, and you already know your kit is sensitive.

Re:Maybe list = secret?

[icebike]

We make that stuff in this country?
Who knew?!

Do what the Chinese do...

[Genda]

Sell everything to everyone, make certain there are abundant back doors to allow American defense systems to disarm weapons using American Technology so they can't be used against us and let the good times roll.

Re:Do what the Chinese do...

[cold+fjord]

What happens when those features are disabled?

It turns a mach 2 jet bomber into a compact, contemporary styled, and very fast lounge suite.

Netscape.

I for one sleep better at night knowing Czechoslovakia will not get their red hands on the advanced cryptography present in Netscape's Navigator 3.0 Gold.

Re:Budget cuts?

Budget cuts prevent the DOD from maintaining a list? Really? I'm so fucking stupid I'm actually expected to believe that?

It's not just some part-time secretary punching some words into a spread sheet. You have to pay, or contract out, people to spend the time and lab resources to do a full analysis on all the various technologies out there. Then you have to circulate the analysis through a variety of different departments such as the Pentagon, CIA, etc. so they can examine it and if needed, raise concerns about how it may be applied. Then you have to run it all by some type of policy review board before handing it to the secretary to punch up the list. Every one of those steps has mountains of paperwork associated with it, security classifications cause big headaches (no, we can't say why this should be restricted, that's classified) etc.
Believe what you want, but the process is pretty damn expensive and as most of what gets reviewed is stamped "approved" it's the type of thing which usually gets cut first when the budget axe falls.

Re:Budget cuts?

[cold+fjord]

And when the government standards, like export restrictions, fall far enough behind the state of the art, hilarity can ensue.

Apple tries to get G4 export ban lifted
Apple PowerMac G4 Commercial - Super Computer
Sci/Tech - Apple launches 'desktop supercomputer'

Re:Maybe list = secret?

[Teun]

Hmm, it's a couple of years ago when in Lafayette I decided to buy a boxed version of Red Hat.
Once out of the shop I noticed a printed warning on the box that it could not be sold to certain nationalities because of encryption used.

No one in the shop asked me where I would take it nor was I asked at the border when leaving.

Excellent security policy...

Colossal waste of time

[Corwn+of+Amber]

Bans on export, when any blueprint can be sent anywhere at all in about zero time, they're guarding a door with no wall.

How much are those bozos PAID?

Re:Colossal waste of time

[donaggie03]

I suppose the idea is that blueprints aren't very helpful if you don't have the manufacturing capability or the parts/raw materials/computer code/etc needed to build whatever it is you have the blueprints for.

Re:Colossal waste of time

[Corwn+of+Amber]

Argument invalid : Tools have blueprints.

Re:Just Like Obama

[Impy+the+Impiuos+Imp]

The vast majority of people don't see government's massive power as a problem as long as "their guy" is wielding it. Then power inevitably changes (Democrats are on a furious masturbatory kick right now that History Is Now Over) and only then does that side suddenly become concerned with constitutional issues.

Both sides do it over and over as the decades go by, never learning the lessons the founding fathers did which was why they limited government originally.

Power will change hands again. It always does.

China released a statement about this

[futhermocker]

Please ban export of future Windowsâ versions

Re:Just Like Obama

[peragrin]

That is one of the few things that is good about hte USA. At most every 8 years a different group will take over and try to take away a different set of rights.

Republicans have the economic sense of 10 year olds. "I can always get more money out of mommy", And go after civili liberties trying to force their view on the people.

Democrats realize that you can't cut income and increase spending , but don't really want to decrease spending to compensate. And they go after things like copyright, patent laws(just about all the really stupid copyright extensions were written by democrats)

In other words...

[Shaman]

....they are using Microsoft products and vertical applications with no source code. How long has the open source community been saying that this was insanity?

Re:Just Like Obama

[lightknight]

Can we get a TV Trope out of this? I feel it should be in their database somewhere...

Technology is not just computers/software

[Likes+Microsoft]

I've looked over the comments on this thread with frustration, seeing that the conversation swiftly derailed into being *just* about Crypto. The MCTL covers all areas of technology that may be deemed militarily critical. It is not really possible to find a publicly hosted .gov or .mil site that gives much info any more, but this university page stills shows the 20 areas covered: http://www.wright.edu/rsp/Security/T1threat/Mctl.htm , including things like space systems and nuclear technologies.

Great...

[DirtyLiar]

... so how are we supposed to know what we can and cannot export?

Especially since "ignorance is not a defence"?