14th Annual Advanced Forum on Global Encryption, Cloud & Cyber Export Controls - WEB

May 15–16, 2024 | Canopy by Hilton San Francisco SoMa, San Francisco

14th Annual Advanced Forum on

GLOBAL ENCRYPTION, CLOUD & CYBER EXPORT CONTROLS

The Country’s Only Comprehensive, Practical Event of Its Kind

Session Highlights for 2024

“ U.S. Cloud Computing, AI and its Potential China Intersection: The AI EO and Potential Ways Forward

“ The Multi-Jurisdictional Cloud and End-Use Controls Landscape: Comparing U.S., EU, Canada and German Cloud Regulatory Efforts

“ Unlocking EAR Treatment of Software Releases and Access Information Transfers: 734.15 / 734.19 and the Encryption Nexus

“ The Advanced Semiconductor Rule and Your Encryption Compliance Roadmap in Practice: Implementing Mission-Critical 2023 Rule Updates

“ Quantum Computing and Safeguarding Export-Controlled Encrypted Data: Quantum-Safe Cryptography for the Age of Quantum Computing

“ Implementation of the Latest Wassenaar Arrangement Decisions: Streamlining the Information Security Control List

FIRESIDE CHAT

Lee Licata

Deputy Section Chief for National Security Data Risk

U.S. Department of Justice

Associate Sponsor

Exhibitor

Connect and Benchmark With:

ç Amazon

ç Oracle

ç Ericsson (Sweden)

ç FRA - Försvarets

radioanstalt (Sweden)

ç Rolls-Royce (UK)

ç McKinsey & Company (Israel)

ç Bloomberg LP

ç Qualcomm

ç Dell Technologies

ç IBM

ç URSA Inc.

ç Google

ç Leonardo DRS

ç Microsoft

ç NetApp

ç VIAVI

ç Service Now

ç Flex

ç Cadence Design Systems

ç Bentley Systems

ç Bloomberg LP

ç Center for Security and Emerging Technology (CSET)

DISTINGUISHED FACULTY

FIRESIDE CHAT

Lee Licata

Deputy Section Chief for National Security Data Risk

U.S. Department of Justice

CONFERENCE CO-CHAIRS

Michelle Aragon

Senior Manager, Trade Compliance

Leonardo DRS

Roszel C. Thomsen II Partner

Thomsen and Burke LLP

DISTINGUISHED FACULTY

Per Sundstrom

Head of Trade Compliance Technology

Ericsson (Sweden)

Andrea Popa

Senior Director, Global Trade Compliance

NetApp

Zvonimir Bandic Vice President, CPU R&D Cadence Design Systems

Jacob Feldgoise

Data Research Analyst

Center for Security and Emerging Technology (CSET)

Lillian Norwood Senior Manager, Global Trade Compliance

Amazon

Hector Rivera Director, Export and Sanctions Compliance

Qualcomm Technologies Inc.

Brian Falbo Senior Counsel

Dell Technologies LLC

Winnie Luk Director, Global Export Classification

Oracle

Joseph Stone

Senior Export Controls Manager, IT & Digital Rolls-Royce (UK)

Matt Silverman

Global Trade Director and Senior Counsel

VIAVI

Michael Miller

Trade Manager, Global Trade Compliance, Empowered Official Flex

Tansie Taylor Iwafuchi

Senior Manager, Export Controls, Global Trade Compliance

Microsoft

Thoth V. Weeda Compliance Counsel

Bentley Systems

Dr. Torbjörn Gustafsson

Crypto Mathematician

FRA - Försvarets radioanstalt (Sweden)

Doron Hindin

Associate General Counsel, International Trade McKinsey & Company (Israel)

Bob Bowen

Export and Trade Compliance Counsel Service Now

Yvonne Brye-Vela Data Security and Privacy

Google; Adjunct Professor

San Francisco State University

Jai Singh Arun

Head of IBM Quantum Safe Product Management & Strategy

IBM

David Kovar

Founder and Chief Executive Officer

URSA Inc.

Inna Sanamyan

Financial Regulatory Counsel

Bloomberg LP

Brian J. Egan Partner

Skadden, Arps, Slate, Meagher & Flom LLP

Yan Luo Partner

Covington & Burling LLP (China)

Alan Martin Hayes

Senior Counsel

OpenAI

Christopher Timura Partner

Gibson Dunn & Crutcher LLP

Melissa Duffy Partner

Fenwick & West

Ajay Kuntamukkala Partner

Hogan Lovells

John W. Boscariol Partner

McCarthy Tétrault LLP (Canada)

Stephan Mueller Partner

Oppenhoff (Germany)

Lothar Determann Partner

Baker & McKenzie LLP

Per Sundstrom

Head of Trade Compliance Technology

Ericsson (Sweden)

Cristina Brayton-Lewis Partner

White & Case LLP

Alison Stafford Powell Partner

Baker & McKenzie LLP

Shiva Aminian Partner

Akin Gump Strauss Hauer & Feld LLP

PRE-CONFERENCE WORKSHOPS

TUESDAY, MAY 14, 2024

WORKSHOP A  9:00 am–12:30 pm (Registration opens at 8:30 am)

Updating Your U.S. Encryption Compliance Roadmap: Classification, Licensing, Reporting, and a Primer on October 2023 Semiconductor Rule

Microphone-alt Andrea Popa, Senior Director, Global Trade Compliance, NetApp

Inna Sanamyan, Financial Regulatory Counsel, Bloomberg LP

Per Sundstrom, Head of Trade Compliance Technology, Ericsson (Sweden)

Melissa Duffy, Partner, Fenwick & West

This session is designed both for attendees new to encryption controls and for those who would like an in-depth refresher before the more advanced discussions of the main program. Take part in this practical and interactive working group as experts discuss the current state of U.S. encryption controls—with a focus on building and maintaining strong protocols to ensure compliance.

In addition to ample time for questions and discussion, benefit from speaker-prepared reference materials for your work after the conference. Topics will include:

• Proactive coordination with product development teams

» Who to contact and where to look toward mapping out your classification and licensing strategy

• Timing and planning of product classification reviews

» Utilizing early product analysis and evaluating intended use

• Overview of encryption classification rules under the EAR and ITAR

• Managing deemed exports and controls around software and technology

• Encryption reporting and export licensing requirements: EAR licensing requirements and exceptions, managing export license conditions and scoping limitations on encryption products

• Overview of October 2023 advanced computing export controls and intersection with encryption controls

Appreciated the workshops and the depth of information along with the topics covered.

Operationalizing Clouds as Data Infrastructure Amid Complex Export Controls: Navigating Complex Data Outsourcing Needs, Creating Strategic Service Contracting Relationships

Microphone-alt Zvonimir Bandic, Vice President, CPU R&D, Cadence Design Systems

Christopher Timura, Partner, Gibson Dunn & Crutcher LLP

Cloud service providers can help export compliance and IT leaders set up for success—for instance, improving deployment speed and ensuring future flexibility. But how should IT and export-controls compliance teams work together to prepare data to be outsourced? Where do export controls and IT intersect? This workshop will examine best practices from a variety of industry perspectives.

• Materiality assessments prior to any outsourcing decision (which activities should be considered as material, and in what areas)

• Security of export-controlled data and systems: Obligations for the provider to protect the confidentiality of the outsourced information and key checks to be performed by the institution prior to outsourcing that should be included in outsourcing agreements

» Encrypting controlled data prior to sending it to the cloud and requiring the cloud vendor to use encryption technology

• Location of data and data transfers between controllers and processors

» Retaining visibility of any data subcontracting arrangements

• Supply chain outsourcing: Ensuring that service levels and oversight are not affected

• Negotiating robust contractual provisions, including access and audit rights in outsourcing agreements

• Contingency plans: Exiting cloud outsourcing without affecting export-controlled data

DAY ONE

WEDNESDAY, MAY 15, 2024

7:30 Registration and Continental Breakfast

8:45

Co-Chairs’ Opening Remarks

Microphone-alt Michelle Aragon, Senior Manager, Trade Compliance, Leonardo DRS

Roszel C. Thomsen II, Partner, Thomsen and Burke LLP

9:00 FIRESIDE CHAT

The Bulk Sensitive Data EO and the Global Encryption, Cloud and Cyber Controls Nexus

Lee Licata

Deputy Section Chief for National Security Data Risk

U.S. Department of Justice

9:45

The Future of U.S. Cloud Computing, AI and its Potential China Intersection: The AI EO and Potential Ways Forward for Managing U.S. Technology Security and Export Risks

Microphone-alt Jacob Feldgoise, Data Research Analyst, Center for Security and Emerging Technology (CSET)

Lillian Norwood, Senior Manager, Global Trade Compliance, Amazon

Alan Martin Hayes, Senior Counsel, OpenAI

Shiva Aminian, Partner, Akin Gump Strauss Hauer & Feld LLP

• The AI EO: Cloud-specific details, including cloud” Infrastructure as a Service” provisions

» Impact of Chinese Generative AI Rules on U.S. AI regulatory efforts

• When Chinese users can still access controlled chips (ECCN 3A090) through clouds services and how to address this

• Anticipating U.S. government restrictions on sale of cloud services to China

10:45 Extended Networking Break

11:15 CASE STUDY

A Behind the Scenes Look at Implementing the Advanced Semiconductor Rule and Strengthening Compliance

Microphone-alt Bob Bowen, Export and Trade Compliance Counsel, Service Now

Melissa Duffy, Partner, Fenwick & West

Per Sundstrom, Head of Trade Compliance Technology, Ericsson (Sweden)

• Implementing licensing requirements

• Updating licensing policies and Temporary General Licenses

• Gap analysis: Strengthening compliance programs to make sure legal, engineering, and trade compliance are all in the loop with new controls

11:45 HYPOTHETCIAL SCENARIOS

Putting Your Encryption Compliance Roadmap into Practice: How to Resolve the Most Complex Advanced Semiconductor Classification and October 2023 Rule Challenges

Microphone-alt Hector Rivera, Director, Export and Sanctions Compliance, Qualcomm Technologies Inc.

Brian Falbo, Senior Counsel, Dell Technologies LLC

• Applying licensing requirements for items controlled under ECCNs 5A002 or 5D002 that meet or exceed the performance parameters of the new ECCNs 3A090 or 4A090

• Applying licensing requirements for mass market encryption hardware and software items controlled under ECCNs 5A992 or 5D992

• Restrictions on US persons activities: US persons (citizens, permanent residents, asylees, and refugees) that support the development or production of integrated circuits (IC’s) in China now requires a license

» What kind of ICs are involved?

» What ECCNs are relevant?

» Are any license exceptions available?

• New foreign direct product rules focused on otherwise uncontrolled foreign-origin content for advanced computing and supercomputer-related applications in China

» Expanded “Entity List FDP Rule” (§ 734.9(e)(2)

» New “Supercomputer FDP Rule” (§ 734.9(i)

» New “Advanced Computing FDP Rule” (§ 734.9(h)

12:45 Networking Luncheon

2:00

The Multi-Jurisdictional AI and Cloud Computing Controls Landscape: Contrasting EU, Canadian, and German Cloud Computing Regulatory Efforts and the Key Differences with U.S. Requirements

Microphone-alt John W. Boscariol, Partner, McCarthy Tétrault LLP (Canada)

Stephan Mueller, Partner, Oppenhoff (Germany)

Lothar Determann, Partner, Baker & McKenzie LLP

Alison Stafford Powell, Partner, Baker & Mckenzie LLP

• The EU AI Act:

» The changes it will require from AI companies: How soon will they take effect?

» How the Act divides its rules on the level of risk an AI systema

» Will the Act stifle technological innovation?

• Defining DIGITALEUROPE EU export control guidelines vs. U.S. requirements:

» The definition of “export” when encrypted technology is sent outside of the EU

» The definition of software “exports” when the software is provided as a service (SaaS)

» Should an “export” occur when administrators (e.g., at a telecom, cloud service, or SaaS provider) have access to user data for purposes of providing, supporting, or maintaining the service?

• Government of Canada cloud controls:

» Performing security categorization: Attributing “High Watermark” risk profiles of cloud security

» Cloud security control profile selections

» Determining scope of security responsibility for various cloud service models

» Performing security assessments

• Germany:

» Pushback towards EU AI Act around “foundation models”

» The BAFA guidance

» Bitkom’s position

» BAFA guidance vs. EU Dual Use regulation

» Suggestions concerning potential coordination between ANS and Bitkom

3:00 Networking Break

3:15

Managing the Business Impacts of the October 2023 U.S. Advanced Computing and Semiconductor Rule: Practical Insights on Encryption Compliance and Your Supply Chain

Microphone-alt Winnie Luk, Director, Global Export Classification, Oracle

Ajay Kuntamukkala, Partner, Hogan Lovells

What are the short and long-term computing supply chain impacts of BIS’ October 2023 rule covering semiconductors and supercomputing technology? How do the 2023 updates raise the compliance bar? How do they impact encryption compliance? As with any complex and novel export control rule involving innovative technologies and supply chains, many anticipate that the new rules will likely have unintended consequences.

This panel of experts will address the future of the U.S. microelectronics sector and supply chain amid unprecedented regulatory change.

4:00

Compliance Due Diligence: Updating Your Program in Accordance with Your Organization’s Risk Profile

Microphone-alt Joseph Stone, Senior Export Controls Manager, IT & Digital, Rolls-Royce

(UK)

Matt Silverman, Global Trade Director and Senior Counsel, VIAVI

Michael Miller, Trade Manager, Global Trade Compliance, Empowered Official, Flex

Cristina Brayton-Lewis, Partner, White & Case LLP

• Gap analysis: Changes in DDTC/BIS insights into compliance monitoring

» Working in silos versus working as a whole

» Road map for a written compliance plan to cultivate a culture of compliance

• Touchpoint inventories: A holistic review of operations and where third-party data is stored and how it is screened

• Working with verified entities – How much due diligence is enough?

• Delve into certain components that companies have integrated within their current processes

• Industry specific challenges – Semiconductor companies, telecommunication companies, aerospace companies, O&G, etc.

• How to manage your compliance program with remote employees

5:00

Close of Day One

DAY TWO THURSDAY, MAY 16, 2024

8:45

Co-Chairs’ Opening Remarks

Microphone-alt Michelle Aragon, Senior Manager, Trade Compliance, Leonardo DRS

Roszel C. Thomsen II, Partner, Thomsen and Burke LLP

9:00

Implementation of the Latest Wassenaar Arrangement Decisions: Global Efforts in Streamlining the Information Security Control List

Microphone-alt Dr. Torbjörn Gustafsson, Crypto Mathematician, FRA - Försvarets radioanstalt (Sweden)

• Ancillary encryption and the removal of a grey exception

• Challenges with mixing exceptions for items and functions

• Possible key limits on post quantum algorithms?

• The past and the future of OAM encryption

9:45

Cloud Computing, End-Use Controls and Technology Transfers: Navigating the Grey Areas of 734.20/734.18 Exemptions and Beyond

Microphone-alt Tansie Taylor Iwafuchi, Senior Manager, Export Controls, Global Trade Compliance, Microsoft

Thoth V. Weeda, Compliance Counsel, Bentley Systems

The definition of “export” in the EAR and ITAR both include the concept of releasing technical data or technology to a foreign person in the U.S. as part of the definition of a “deemed export”, or the transfer of ownership or control of a technology to a foreign person. Interesting changes are proposed - §734.18 and 734.20 - to the EAR, and - §120.52 - to the ITAR, which would deal with transfers of technology and use of encryption. What’s behind these rules, what are the limitations, and how is industry is managing these exceptions?

10:45 Networking Break

11:15

Unlocking EAR Treatment of Software Releases and Access Information Transfers: Navigating 734.15 / 734.19 and the Encryption Nexus

Microphone-alt Bob Bowen, Export and Trade Compliance Counsel, Service Now

Michelle Aragon, Senior Manager, Trade Compliance, Leonardo DRS

In September 2023, BIS amended EAR provisions on the release of software and access to information related to software. These amendments have changed the EAR landscape related to the concept of release as that term applies to software and related access information. This panel will examine these changes and the impact that they have on software-related activities subject to the EAR.

12:15 Networking Luncheon

1:30

Quantum Safe Cryptography — Protecting Export-Controlled Data in the Era of Quantum Computing

Microphone-alt Jai Singh Arun, Head of IBM Quantum Safe Product Management & Strategy, IBM

Yvonne Brye-Vela, Data Security and Privacy, Google; Adjunct Professor, San Francisco State University

With quantum computers advancing rapidly, traditional security protocols face a significant threat as they can be easily compromised. In this session, we will explore the importance of quantum-safe cryptography to safeguard sensitive, export-controlled data in the age of quantum computing.

2:15

The Commercial Spyware EO and Finding the Right Balance Between Offensive and Defensive Cyber Security Policy

Microphone-alt David Kovar, Founder and Chief Executive Officer, URSA Inc.

Roszel C. Thomsen II, Partner, Thomsen and Burke LLP

An offensive security strategy aims to preemptively identify and mitigate gaps and weaknesses within an organization’s digital infrastructure. Defensive cybersecurity involves a systematic and comprehensive approach to identifying vulnerabilities and weaknesses before they can be exploited. With the Commercial Spyware EO in place, is the EO too defensive/restrictive, creating negative economic implications? How can the U.S. find the right defensive/offensive cyber-stance?

3:00 Networking Break

3:15

Around the World in Encryption and Cyber Controls: The Latest Developments Coming Out of the EU, Russia, China, Japan and Israel

PART ONE: China and Japan

Microphone-alt Yan Luo, Partner, Covington & Burling LLP (China)

• China’s Commercial Encryption Regulations: Criteria inclusions for obtaining applicable certifications, qualifications, and licenses

• Japan’s The Protection of Personal Information Act No. 57 of 2003 (APPI): Guidelines for specific sectors, including financial, medical and telecommunications

PART TWO: EU and Russia

Microphone-alt Brian J. Egan, Partner, Skadden, Arps, Slate, Meagher & Flom LLP (USA)

• EU proposals to require mass data scanning, compromising end-to-end encryption

• Russia

» Impact of encryption controls on Russia “exit” transactions

» Availability of exemptions and licenses for encryption activities in Russia

PART THREE: Israel

Microphone-alt Doron Hindin, Associate General Counsel, International Trade, McKinsey & Company (Israel)

• The MOD Encryption Control Department's initial licensing processes

• Government-private sector collaboration

4:30 AUDIENCE POLLING

Closing Roundtable Discussion: The Next Phase of Encryption, Cloud and Cyber Export Compliance for 2024 and Beyond

This interactive, brainstorming session will take stock of the greatest compliance risks, emerging issues, and global regulatory dynamics that will impact compliance programs in the short, medium and long term.

5:00 Close of Conference

CONTINUING LEGAL EDUCATION CREDITS

EARN CLE CREDITS

Accreditation will be sought in those jurisdictions requested by the registrants which have continuing education requirements. This course is identified as nontransitional for the purposes of CLE accreditation.

ACI certifies this activity has been approved for CLE credit by the New York State Continuing Legal Education Board.

ACI certifies this activity has been approved for CLE credit by the State Bar of California.

ACI has a dedicated team which processes requests for state approval. Please note that event accreditation varies by state and ACI will make every effort to process your request.

Questions about CLE credits for your state? Visit our online CLE Help Center at www.AmericanConference.com/Accreditation/CLE/

hands-helping BECOME A SPONSOR

With conferences in the United States, Canada, Latin America and Europe, the C5 Group of Companies: American Conference Institute, the Canadian Institute, and C5 Group, provides a diverse portfolio of conferences, events and roundtables devoted to providing business intelligence to senior decision makers responding to challenges around the world.

Don’t miss the opportunity to maximize participation or showcase your organization’s services and talent. For more information please contact us at: SponsorInfo@AmericanConference.com

MEDIA

PARTNERS:

September 25–26, 2024 | Washington, DC

February 28–29, 2024 | Washington, DC Fall 2024 |

April 29–30, 2024 | Washington, DC

C5 celebrates 40 years of excellence! We are thrilled to have provided exceptional conference experiences globally with our outstanding team, speakers, sponsors, partners, and attendees. To mark this milestone, we're launching a new logo which represents our commitment to innovation, growth, and excellence, represented by the five Cs of C5: Current, Connected, Customer-Centric, Conscientious, and Committed.

Looking back on 40 years, we are grateful for our achievements—hosting global conferences, uniting industry leaders, and supporting business growth. However, we are not done yet! We are committed to pushing boundaries and creating impactful experiences and we're excited for the next 40 years of success.

INFORMATION

Canopy by Hilton San Francisco SoMa 250 4th Street, San Francisco, CA 94103

ACCOMMODATIONS

American Conference Institute is pleased to offer our delegates a limited number of hotel rooms at a negotiated rate. To take advantage of these rates, please contact the hotel directly and quote “ACI Global Encryption.”

Please call 1-800-HILTONS to book your guestrooms.

Please note that the guestroom block cut-off date is April 26th. After that date OR when the room block fills, guestroom availability and rate can no longer be guaranteed.

Book with confidence!

Register and pay to lock in your early rate and be eligible for a full refund until May 1, 2024

If you are unable to attend for any reason, you will have the following options:

y A full credit note for you, or a colleague to attend another event.

y A full refund.

All cancellations and changes must be submitted to CustomerService@AmericanConference.com by May 1, 2024