Foreign countries can access U.S. military secrets through various means, including cyberhacking, espionage, and theft. However, an increasingly troubling avenue for these breaches is unintentional disclosures by trusted defense contractors such as Boeing, 3D Systems Corp., and RTX Corp., the parent company of Raytheon.
In three recently disclosed cases, defense contractors failed to maintain proper safeguards for sensitive information related to military projects, including airplanes, helicopters, and missile systems. These lapses potentially endangered U.S. military personnel, and in at least one instance, a Chinese manufacturer used the leaked data to replicate unique technology from U.S. military vehicles.
These security breaches were not simply accidental oversights. The U.S. military has specific expectations when it shares technical data with defense contractors, relying on the export controls imposed by the U.S. Department of State (DOS) to prevent foreign adversaries like China, Russia, and Iran from accessing this data. Contractors are expected to adhere to the Arms Export Control Act (AECA) and the International Traffic in Arms Regulations (ITAR).
However, in each of the cases, weak internal controls allowed the restricted information to be distributed to unauthorized individuals or downloaded by foreign entities. These leaks represent an escalating risk to U.S. national security as defense contractors increasingly handle military secrets through vast networks of computer systems and subsidiaries. At the same time, the sheer volume of classified data continues to grow, adding pressure on these companies to correctly label, store, and track information as it moves through their networks while preventing unauthorized access.
The DOS oversees efforts to ensure military technical data does not fall into foreign hands, stressing that contractors must understand the seriousness of any improper data distribution. Although the government has imposed fines on offending companies, it has generally refrained from barring them from access to defense programs. The companies often use portions of the fines to improve compliance measures.
Unfortunately, available government and legal documents provide few specifics about what went wrong in these cases. However, based on what has been disclosed, here are the stories of three defense contractors whose export control compliance programs were found lacking.
Earlier this month, RTX agreed to pay a $200 million fine to the DOS for the illegal disclosure of sensitive technical data related to military aircraft and missile systems to 32 countries, including China. The issues stemmed from the company’s 2020 acquisition of Rockwell Collins. Before the merger, RTX overlooked that technical data held by Rockwell Collins had been misclassified, allowing unauthorized access to sensitive information. From 2017 to 2020, this data was shared with foreign employees and contractors not authorized to receive it. The oversight continued post-merger as RTX failed to adequately incorporate Rockwell Collins, now called Collins Aerospace, into its compliance procedures. Violations of AECA and ITAR persisted from 2020 to 2023, due to what the DOS described as “historical misinterpretation” by Rockwell Collins.
“In summary, despite the fact that respondent implemented corrective actions in each of the abovementioned disclosures to address the root cause of its jurisdiction and classification issues, it continued to discover—and in some cases continued to commit—violations resulting from historical incorrect jurisdiction and classification determinations,” the DOS’s charging letter stated.
Of the $200 million fine, the DOS suspended $100 million on the condition that RTX use the funds to rectify the issues. RTX also agreed to hire an independent compliance consultant to address the problems.
In March, Boeing, the world’s largest aircraft manufacturer, agreed to pay $51 million to settle export control violations related to the improper sharing of sensitive technical data with foreign employees and contractors, including individuals in China and Russia. The DOS’s charging letter indicated that from 2017 to 2022, Boeing failed to prevent foreign persons from downloading classified data due to misclassification of the technical information.
The aerospace giant also transferred sensitive data illegally in other ways, including when an Indian subsidiary retransferred technical data without proper authorization. Additionally, a trade compliance specialist at a U.S. subsidiary, Aviall Services, falsified five permanent export licenses, allowing restricted technical data to be sent to Portugal and Turkey without authorization. Boeing voluntarily disclosed the violations and took corrective actions.
Similar to RTX, the DOS suspended $24 million of Boeing’s fine, with the company committing to use that amount for compliance measures.
South Carolina-based 3D Systems, an international 3D printing and services company, was fined $20 million by the DOS in February 2023 for export control violations. 3D Systems ran an on-demand manufacturing unit called Quickparts.com, which handled products involving technical data under export control restrictions. From 2015 to 2018, Quickparts violated AECA and ITAR by allowing foreign persons to access protected data.
The company had no formal export control compliance program, no policies for handling or tracking technical data, and did not provide training for its employees on export control laws. A customer had warned 3D Systems about these issues as early as 2015, yet it took nearly two more years for the company to respond. The company kept unencrypted technical data on a German server until 2017 and forwarded this data to staff in China to evaluate and provide supplier quotations. The DOS noted that even after notifying 3D Systems of its obligations, the company was slow to act.
In one instance, 3D Systems exported a “metal alloy powder,” classified for national security and nuclear nonproliferation reasons, to China without authorization. The DOS suspended $10 million of the fine on the condition that the company use the funds to improve its compliance procedures.
The fines imposed on RTX, Boeing, and 3D Systems highlight the serious risks posed by lax security measures at defense contractors, with U.S. military secrets potentially falling into the hands of foreign adversaries.
By fLEXI tEAM
コメント