Government auditors released a report Tuesday flagging several weaknesses in “deemed export” compliance at colleges and universities, although the report also chided the Defense Department, FBI, and other security agencies for not doing enough to help higher education understand its deemed-export duties.
The Government Accountability Office released a review of the export compliance programs at nine large universities, and found that the schools struggled with risk assessments, training, export compliance manuals, and internal audits of their export controls. The GAO report also interviewed other higher education compliance officers, who confirmed that, yep, deemed-export compliance is a tricky thing for universities to get right.
Then again, those compliance officers interviewed by the GAO also said they struggle to have a productive relationship with government agencies in charge of enforcing deemed-export regulations, and the compliance officers had a good point. For example, the FBI has given security threat briefings to university compliance officers — but those briefings included classified material, which means the compliance officers can’t use that material to train faculty and staff about deemed-export risk.
The GAO report also faulted the Directorate of Defense Trade Controls, which enforces export control regulation under the State Department, for failing to offer sufficient guidance about risk assessments. Which certainly helps to explain why compliance officers are struggling with that very task.
Deemed-export issues arise when foreign nationals work with highly sensitive technologies as part of their jobs, and then return to their home countries either with that know-how inside their heads or research work stored on their laptops. Chinese visiting scholars working on artificial intelligence, Iranian grad students studying virology — that sort of thing.
For higher education in particular, deemed-export compliance can be a significant risk because federal law exempts “fundamental research” from the export control licenses that are typically necessary.
So what constitutes fundamental research, and when might a college trip into deemed-export trouble? That was what the GAO report explored.
Needed: Guidance in Context
What struck me in the GAO report was that regulators and university compliance officers alike are struggling with how to communicate deemed-export risks to their respective audiences in a useful manner. The regulators aren’t doing a great job talking to higher ed compliance officers, and compliance officers aren’t doing a great job talking to faculty and staff.
Take this passage from the GAO report:
Officials from two universities stated that researchers typically do not see themselves as exporters, which makes it difficult to explain to them how export control regulations pertain to university research. For example, one official told us that it is difficult to explain the concept of a deemed export within an open, academic setting to university researchers. Officials at two universities also noted that the term “defense service,” a type of export subject to the ITAR, is a difficult concept to explain to university researchers who do not consider their work to be a “service.”
Meanwhile, here’s another passage about the DDTC and its lack of guidance about risk assessments:
According to DDTC, the agency has not added guidance related to risk assessments to the export compliance guidelines because it assumes that exporters conduct a risk assessment for each compliance element as a matter of course. GAO’s Standards for Internal Control in the Federal Government state that management should communicate quality information externally so that external parties can help the entity achieve its objectives and address related risks.
Yes, the DDTC should know what happens when you assume. That said, the DDTC and university compliance officers are both limping through failures of good communication with other parties necessary for effective compliance and internal control. (The COSO internal control framework captures that point in Principle 15: The organization communicates with external parties regarding matters affecting the functioning of internal control.)
I’m more sympathetic to the university compliance officers, since regulators aren’t giving them good guidance, but the entire episode demonstrates how important good communication is to a successful compliance program.
The GAO report urged DDTC, the Bureau of Industry and Security, and other relevant agencies to do better at providing useful guidance. University compliance officers said they were especially keen on tightly focused help such as FAQs and best practices, rather than sweeping new guidance on effective programs like the private sector sometimes sees from the Justice Department.
University compliance officers, meanwhile, can take the GAO findings about weaknesses in deemed-export compliance programs and compare your own weaknesses to what the GAO found elsewhere.