The recent OFAC sanctions on Russia’s FSB né KGB, which is the Kremlin’s spy agency, may have unintended consequences. According to this article on the Russian website by my friend Иван Ткачёв (Ivan Tkachev) the FSB, besides doing typical spy things, is also responsible for overseeing the importation of encryption devices into Russia. This shouldn’t come as a big surprise since the NSA, our very own spy agency, has its nose in the encryption export business as anyone who has ever filed an annual self-classification report or a semi-annual sales report for encryption products knows perfectly well.
For items where encryption is a primary function, an FSB approval of the product is necessary prior to import. For items where encryption is ancillary (such as mobile phones, laptops, etc.) notification must be given to the FSB. Clearly a request for approval filed by a U.S company with the FSB is now forbidden. Even a notification for ancillary encryption products may be problematic.
A prior designation of FAU Glavgosekspertiza Rossii, a Russian federal agency that it is required to approve construction project designs, created similar unintended consequences and led OFAC, on December 20, 2016, to issue a general license permitting U.S. companies to seek reviews from FAU Glavgosekspertiza Rossii for certain construction projects in Russia. Perhaps a general license will be issued to permit filing these encryption notices and approval requests with the FSB, but there is no telling when at this point.
The other issue which may occur and which would require action by the Bureau of Industry and Security is that the FSB was also added to the Entity List. If the notifications or approval requests contain any technology subject to the EAR, a BIS license is required. It seems likely that this will be the case given the broad definition of technology in the EAR unless all the information in the documents supplied to the FSB has been “published” as defined in section 734.7 of the EAR.