
The Importance of Corporate Responsibility: The Case of Shell

Global Sourcing Strategies

Introduction to global sourcing, production, and export strategies

 

As the Sunset Flowers case demonstrates, there is more to export profitability than a good idea. Once an entrepreneur has identified a product, he needs to determine if there is a market somewhere, a process that involves a significant amount of market research, which may or may not be supported by the home country government. Then the entrepreneur needs to develop a production strategy, prepare the goods for market, determine the best strategy for getting the goods transported to market, sell the product, and receive payment.

 

All of these steps require careful planning and preparation. The production strategy for Sunset Flowers was relatively easy, because all production took place in New Zealand. In the case of industrial products, the strategy can be very complex as different countries are evaluated, using labor costs and so on, as possible production sites.
Sunset Flowers also demonstrates that a firm has limits of ability. Freight forwarders are used to move goods from one country to another, and banks are needed to collect payment. Thus export, as well as import, strategies require the utilization of experts to move ideas to finished products to final sales.
In a study of European and Japanese MNEs, for example, it was found that the MNEs use a mix of sourcing strategies simultaneously when marketing the product in the United States. Fifty-nine percent of the firms reported using a single sourcing strategy. All of the product was either exported from the home country or manufactured in the United States for the U.S. market. Japanese firms were more likely to export to the United States, whereas European firms were more likely to manufacture in the United States. Some of the European firms used production facilities in other European countries—and in some cases, Japan and Canada—to service the U.S. market. In this study, firms did not service the U.S. market from production facilities in developing countries.
Global Sourcing and Production Strategies
Most firms have the option of where they want to source (locate) production for worldwide sales. As is the case in industries such as automobiles, for any given market the MNE can manufacture the product itself, or it can buy the product from someone else. If it decides to manufacture the product itself, it can either manufacture it in the local market or manufacture it in another country and import it into the market.
Obviously, the true MNE is involved in fairly sophisticated forms of production sharing, in which it may produce and/or assemble components in one or several countries for markets all over the world. In its simplest form, the MNE might manufacture goods in the home country and export them to final markets. Or the MNE could establish production in different countries to service those particular markets. However, the past decade has shown an increase in intermediate goods, such as components, being produced in many countries and shipped to other countries for assembly and sale. The production and exporting functions are much more complex than they used to be under the simpler forms.
Global Sourcing and Production Alternatives
For each particular market being serviced by an MNE, the idea of global sourcing implies that firms need to determine where parts and components will be manufactured and where the final products will be assembled.
Historically, firms tended to operate on a country-by-country basis. However, as firms have become more global in orientation, they have found that they can develop a definite competitive advantage by coordinating and integrating their operations across national borders.
From an international standpoint, this global production and sourcing strategy can be better understood by looking at Fig. 14.1, which illustrates the basic options available by country (the home country or any foreign country) and by stage in the production process (sourcing of components and sale of products).
For example, one of Ford Motor Company’s strategies is to assemble cars in Hermosillo, Mexico, and ship them into the United States. The cars are designed by the Japanese company Toyo Kogyo Co. (Mazda) and use some Japanese parts. Ford can purchase components manufactured in Japan and ship them to the United States for final assembly and sale in the U.S. market, or it can have the Japanese- and U.S.-made components shipped to Mexico for final assembly and sale in the United States and Mexico. In the case of Mexican assembly, some of the components would come from the United States, some from Japan, and a small percentage from Mexico. If the components are manufactured in Japan, many of the raw materials were probably imported.
An expansion of Fig. 14.1 would show 64 different combinations for manufacturing components and assembling them into final products for different markets. This expanded model would account for the facts that components can be manufactured internally to the firm or purchased from external (unrelated) manufacturers and that final assembly can also be done internal to the firm or by external firms. Manufacture of components and final assembly may take place in the home country of the firm, the country where the firm is trying to sell the product, a developed third country, or a developing third country.
The study of Japanese and European MNEs mentioned in the introduction revealed different sourcing strategies. First, major components were generally sourced from the same location as the final assembly. Second, in the case of manufacturing in the United States, Japanese firms are more likely to source components from their home country than European firms. Third, components can be sourced from various locations. In the case of one Japanese firm in the study, 17 percent of the components came from Japan, 7 percent from European countries, 8 percent from developing countries, and the rest from the United States. Obviously, this multiple sourcing requires a high level of coordination between the parent company and related companies around the world.

History of International Trade

Traditional Societies. Until the late 19th century, most people virtually everywhere were peasants who produced food and also knew how to fashion many tools and other necessities. What they could not make for themselves, they bought in neighboring towns in exchange for their (usually small) agricultural surplus and a few handicrafts. Long-distance trading was rare, because output of all products was low and because transportation was expensive, slow, and dangerous. Whatever international trade did occur was usually monopolized by government-licensed private organizations like the British East India Company. Only goods with a high value in relation to their weight, like precious stones, metals, spices, special fabrics (particularly wool and silk cloth), furs, and wine, could be taken to faraway places and sold profitably. Grain, too, was sometimes traded abroad but, it would seem, in small quantities.

   


   

For centuries, trade was concentrated along the shores of the Mediterranean and Baltic seas and around the Asian caravan routes to which they were linked. The focal points of international exchange were the Italian cities of Venice, Genoa, and Florence, the German cities of Augsburg and Nürnberg, the towns of Flanders (in present-day Belgium), and the Hanseatic ports along the southern and eastern shores of the Baltic. Trade hardly touched the lives of ordinary people, however. Neither were their lives much altered by the discovery of the Americas and the circumnavigation of Africa and South America. But those feats of courage and skill did divert trade from the inland seas of Europe to the Atlantic and Indian oceans.

   

The Industrial Revolution. In the 17th and 18th centuries, technological innovations in Britain opened the way to higher productivity, first in agriculture, then in manufacturing. New machinery enabled larger units to manufacture cheap textiles and, a bit later, iron. These first steps toward mass-production led to the mass movement of goods from country to country, for they were accompanied by improvements in transportation and communications. British industry was soon imitated in France and Belgium.

   

Despite the remarkable progress of the previous hundred years, international exchanges of goods and services at the beginning of the 19th century represented only about 3 percent of the value of world output. But then the industrial revolution spread to such countries as Germany, the United States, and (a bit later) Japan. In the second half of the 19th century, new industries emerged to produce machine tools, electricity, and chemicals. These industries soon accounted for a substantial proportion of world trade. Railroads and steamships transported bulk loads over long distances; the telegraph facilitated the worldwide circulation of information. As a result of these developments, foreign trade so increased that by 1913 about one-third of everything produced in the world was exchanged over national borders.

   

 

The spread of industrialization boosted the demand for raw materials, initially cotton and timber, later metals and fuels. About half of these primary products originated in European countries; the other half came in part from plantations, mines, and similar enterprises established in the colonies to supply goods to Europe. Enclaves emerged in many colonial economies more closely connected with customers abroad than with the societies in which they were physically located, societies where peasants continued to farm in the traditional manner. Some countries (not all former colonies) have yet to overcome this division.

   

 

Despite the importance of primary products in the international exchanges of the 19th century, trade was dominated by Europe. Before World War I, less than 25 percent of world trade was transacted among non-European countries, about 40 percent represented the trade of European countries with each other, and 35 percent, European trade with the rest of the world. Britain remained the chief trading nation, but its share in international exchange diminished, inevitably in view of the rapid development of continental Western Europe, North America, and Japan.

   

 

The Era of Free Trade. The foundations of free trade—the removal of restrictions on the movement of goods and services from country to country—were laid by the (mostly British) classical economists. In Britain, protection was very gradually discarded, starting in the 18th century, and by the early 1840’s was mainly (though not exclusively) confined to tariffs on imported grains. In 1846 even agricultural protection was in principle abandoned.

Contrary to expectations, grain prices did not immediately fall because no countries were capable of exporting substantial amounts of grain to Britain. The 1850’s and 1860’s, in fact, were a period of sustained prosperity, and, rightly or wrongly, free trade was credited with the responsibility for it. Other liberalizing measures taken in Britain and elsewhere made the years between 1850 and 1880 the era of minimal barriers to trade.

   

 

By 1870, however, the development of ocean-going steamships had exposed British agriculture to real competition. Europe (though not, at first, Britain) began turning away from free trade in the late 1870’s, after a prolonged economic crisis. Simultaneously, a new and more volatile kind of nationalism forced governments to collect more revenue to pay for armaments. Nationalism also promoted fears in such powers as the United States and Germany that it would be difficult to industrialize if competition from Britain, the leader in this field, were not checked. This increased the popularity of the infant-industry argument for protection.

   

The 20th Century. The movement toward protection continued to grow stronger after the beginning of the 20th century. Nonetheless, when World War I broke out, in 1914, protectionism had made relatively few advances, though the world economy was no longer so free from trade controls as it had been 50 years earlier. International trade was, however, still regulated by the gold standard, under which currencies had a fixed gold value and payments imbalances among nations were settled through the transfer of a limited supply of gold reserves. A country could not keep its goods competitive by simply devaluing its currency, nor could it indefinitely sustain a payments deficit. Instead, each trading country had to keep its goods competitive by keeping an edge in production costs.

The Depression. The gold standard was undermined during World War I and replaced during the 1920’s by the gold-exchange standard, under which international settlements were made mainly in British pounds and U.S. dollars. This system, however, allowed the United States and Britain and any countries able to borrow recurrently from them to sustain recurrent payments deficits. Eventually this system collapsed, helping to bring about the Great Depression of the 1930’s. Many governments reacted to the Depression by subjecting foreign trade to new controls. One after another, they formally went off the gold standard, abolishing fixed exchange rates, and sought, by devaluing their currencies and by imposing tariffs and quotas, to improve the competitiveness of their products while protecting them against international competition. This was to be achieved at the expense of other countries—the so-called “beggar-my-neighbor” policy. Since many countries could and did play the same game, the result was international disintegration and stagnating, even decreasing, world trade. Manufacturing output in most countries languished and so, consequently, did trade in primary products needed for industry.

   

The policy of national self-sufficiency was carried to an extreme in the Soviet Union and in Nazi Germany and Fascist Italy, which sought to achieve autarchy, or national economic independence. Foreign trade in the Soviet Union was taken over by the government and centrally planned. Fascist Italy and Nazi Germany projected a similar program of autarchy, but in those countries government control was less complete and curtailment of external trade less thorough.

   

The Postwar Years. The disruption of international exchange in the 1930’s, combined with the dislocation of World War II, was so great that the absolute volume of trade in the 1940’s may have been lower than it had been in 1913. Undoubtedly, it was not much higher. Mindful of the harm caused by stagnating trade, the Allied countries began planning to improve conditions during the hostilities. They agreed to establish the International Monetary Fund (IMF) to watch over the exchange of currencies. The plans for the liberalization of trade itself were implemented less smoothly. But in the 1940’s a General Agreement on Tariffs and Trade (GATT) standardized the policies of almost all non-Communist countries. GATT was negotiated in the hope of eliminating as many obstacles to trade as possible, especially quotas and subsidies, by means of the so-called “most favored nation clause,” which ensures that any trade concession between countries is automatically extended to all members. Under the aegis of GATT, various cycles of trade negotiations have taken place: several in the 1950’s, the Dillon round in 1961, the Kennedy round in the 1960’s, and, in the late 1970’s, the Tokyo round. By the end of the Kennedy round, the industrial countries’ average tariff on manufactures was down to about 10 percent. The Tokyo round set itself the aim of reducing tariffs on manufactures by a further 40 percent.

U.S. Export Initiative: Easing U.S. Export Controls

The Obama Administration recently announced the National Export Initiative (NEI), which is the Administration’s plan to reform the U.S. export control system. The plan includes four key proposed changes. First, the Administration plans to create a single export control list, rather than the two-track (State Department’s USML and the CCL) approach that is currently employed. Second, the Administration hopes to establish a single licensing agency, which would have jurisdiction over all exports, in an effort to streamline the license review process and ensure consistent licensing decisions. Third, the Administration hopes to coordinate enforcement with all of the current agencies enforcing export controls, as well as with the intelligence community. Fourth, the Administration hopes to implement a single unified information technology (IT) infrastructure to increase efficiency. These reforms are in their infant stages. If they come to fruition, however, they will undoubtedly have a significant impact on all exporters.

U.S. Export Controls: All-in-One Tutorial

This tutorial covers U.S. Export Controls for both commercial/dual use goods (EAR) and military/defense (ITAR). This tutorial is helpful to businesses and professionals that export goods that are subject to U.S. Export Controls. I consider this ‘all-in-one’ because it covers the basics of both regulatory agencies. The presentation goes a bit fast, to keep it in the 15 minute frame, so please feel free to pause it as you like. If you have a question or have comments, please post them below or email me. Enjoy!

   

http://youtu.be/b1noOMAUXMA

The Difference between US and UK/EU Export Controls

As an International Trade Consultant I deal with various export control regulations from different countries, so my clients can export in compliance. Lately, I have been working with a significant number of UK-based clients that have US export-controlled parts incorporated in their products, which means you must be knowledgeable about both countries’ export controls. This inspired me to write an article in World Export Control Review about the differences I have found while advising my clients. I have attached the article for your information and review and look forward to any feedback!

   


Nancy Wood World Export Controls Review Reprint[1].pdf

Outsource Trade Group Export Controls: Export Compliance Consultancy

Export controls are an increasingly complex and changing arena, which can pose significant risk and costs to businesses. These risks and costs are more likely to arise during the course of normal business than directly from a government investigation but are no less effective at disrupting your business.

Using an export control consultant to provide regular, consistent support to your business may be more cost effective than utilising in-house personnel diverted from other primary tasks. Using an export control consultant to provide additional resource to your existing compliance function for specific projects or other activity peaks, such as M&A activity, can also be a very cost effective way to manage these complex issues.

We have practical, first-hand experience, both as in-house Head of Compliance and in consultancy, of establishing and maintaining workable, pragmatic compliance systems in companies of all sizes. This extends across the full spectrum of the military and dual-use control lists, having clients operating in every category.

Advice on the impact of the current and ongoing changes to US export controls, arising from the Export Control Reform Initiative, is also available.

Improving ITAR compliance: Data loss, encryption

I’ve worked with quite a few customers over the past few years around International Traffic in Arms Regulation (ITAR) compliance and other similar foreign national compliance law here in the US. We’ve had customers implement Oracle IRM solutions primarily to address their concerns over ITAR regulation and IRM is a great way to really address some of the challenges around controlling who has access to what (preventative controls) and also being able to show that you are able to control this access and provide reports (monitoring controls). ITAR can be quite confusing and the areas of information it covers quite vast.

   

What is ITAR?

Wikipedia is always a good start…
“International Traffic in Arms Regulations (ITAR) is a set of United States government regulations that control the export and import of defense-related articles and services on the United States Munitions List (USML). These regulations implement the provisions of the Arms Export Control Act (AECA), and are described in Title 22 (Foreign Relations), Chapter I (Department of State), Subchapter M of the Code of Federal Regulations. The Department of State interprets and enforces ITAR. Its goal is to safeguard US national security and further US foreign policy objectives.”

   

Basically if your company creates any product or intellectual property that can be used to build a weapon then you need to ensure that information about your product is controlled and can only be accessed by “approved” persons. Essentially, the US government doesn’t want advanced weapons ending up in Iran, Syria and other embargoed countries.

Identifying and Resolving US Export Control Issues in Outsourcing Deals

Compliance with US export control laws poses crucial challenges in outsourcing deals. Failure to comply with the US export control laws can have serious consequences for companies, including substantial monetary fines, loss of export privileges, disruption of business operations and reputational damage.

   

To minimize liability, US companies should determine at the outset whether their outsourcing deals involve any items, such as certain dual-use products, software or technology, or defense articles or services that the United States controls for export to foreign destinations or foreign nationals. If export restrictions apply, the company may need to obtain a license before exporting any items as part of the outsourcing transaction. License applications can take several weeks to complete and, in certain instances, may significantly delay an outsourcing deal if compliance issues are not adequately addressed at the outset.

   

Although it is critical for a US company to resolve issues arising under US export control laws before exporting or providing access to controlled items, it is often difficult to identify such issues in complex outsourcing deals. For example, export issues may arise in the outsourcing of (i) litigation support functions, in which foreign nationals are provided access to documents containing technical data, drawings and blueprints related to the manufacture of a product at issue; (ii) back-office support functions requiring the transfer of hardware and encryption software overseas; (iii) software application support and maintenance, where foreign nationals will have access to applications; (iv) research and development to a joint venture located abroad, involving the transfer of US origin technology; (v) the preparation of patent applications when the US company provides technical data relating to its innovations to foreign nationals overseas; or (vi) the management of a data room by a non-US company for purposes of merger and acquisition due diligence, when a US company electronically transmits technical data to a server located outside the United States.

   

This article describes an approach companies can use to identify and resolve US export control issues in their outsourcing deals. Under this approach, the US company should first identify US export control issues during the early stages of an outsourcing deal. It should then negotiate and draft appropriate provisions in the outsourcing agreement to ensure compliance with applicable US export control laws and appropriate allocation of risk and responsibility with respect to such compliance. The article concludes with a summary of specific steps that a company can follow to help determine whether its outsourcing project raises export compliance issues and, if so, what it must do to address those issues.

   

Identifying US Export Control Issues in Outsourcing Deals
Is There an Export?

The first step in identifying US export control issues in an outsourcing deal is determining whether any US-origin items (which include products, software, technology and, in some cases, services) will be exported and/or re-exported within the meaning of US export control laws. The primary regulations governing the exportation of US-origin items are the International Traffic in Arms Regulations (ITAR) and the US Export Administration Regulations (EAR).

   

Although most people think of an export as the physical shipment of a product to a foreign destination, “export” within the meaning of the ITAR and the EAR covers a far broader range of activities and items, including:

   

  • Hand-carrying controlled products abroad, traveling abroad with laptops loaded with controlled software and/or technology, or traveling to assist foreign customers with testing and/or repairs using controlled products.
  • Shipping US-origin items from one foreign country to another (called a “re-export”).
  • Sending, transmitting or disclosing software or technology via mail, email, Internet, server access, facsimile, telex, video conference, webinars and/or telephone conversations.
  • Disclosing to foreign nationals located in the United States certain technology through visual inspection or verbal exchange.
  • Instructing or training foreign nationals in the design, production, operation or use of controlled products.
  • Transferring registration, control or ownership to a foreign person of any ITAR-controlled aircraft, vessel or satellite, whether in the United States or abroad.
  • Performing a “defense service” on behalf of, or for the benefit of, a foreign person whether in the United States or abroad.

   

It is particularly important in the outsourcing context to determine whether any “technology” or software will be exported. As illustrated by the examples above, an export can occur even within the borders of the United States when certain controlled technology or source code is provided to a foreign national located in the United States. US export control laws provide specific definitions of “technology.” For example, under the EAR, “technology” is limited to specific information necessary for the development, production or use of a controlled product, software or technology, such as technical data (e.g., engineering designs and specifications, blueprints, plans, diagrams, models, manuals and written or recorded instructions) or technical assistance, including instruction, skills training, working knowledge and consulting services.

   

The release of such technology is “deemed” to be an export to the home country of the foreign national, even if such foreign national is located in the United States. In this context, a “foreign national” is an individual who is not a US citizen, lawful permanent resident, political asylee, refugee or other type of protected individual. A company “releases” technology when it (i) makes such technology available to foreign nationals for visual inspection (such as reading technical specifications, plans or blueprints); (ii) orally exchanges such technology with a foreign national; or (iii) makes such technology available to a foreign national by practice or application under the guidance of persons with knowledge of the technology.

   

A “deemed” export, therefore, may occur in a wide range of scenarios, including where a company allows a foreign national to access technology or gives a foreign national the capability to develop or replicate an encryption item that is subject to export restrictions. Depending upon the nationality of the person receiving the technology and the type of technology involved, the outsourcing company may need to obtain an export license before releasing such technology to a foreign national.
Are the Items to Be Exported Subject to Control?

   

Once a US company determines that its outsourcing project involves an export, the company should consider whether the items are controlled for export under the ITAR or the EAR. The ITAR, administered by the US Department of State, Directorate of Defense Trade Controls (DDTC), applies to “defense articles” and “defense services.”

   


Defense articles are items listed on the US Munitions List (USML), which is subject to change depending on US national security concerns and revisions to technical parameters. They may also include items that are specifically designed, developed, adapted or modified for military use. Any manufacturer or exporter of defense articles or services listed in the USML must register with DDTC.

   

Defense services include assisting foreign persons in the US or abroad in the design, manufacture or use of defense articles, furnishing technical data to foreign persons in the US or abroad and military training of foreign forces. Items controlled under the ITAR are described in various categories of the USML, and include firearms, weapons, satellites, military vehicles, toxicological agents, and military electronics.

   

The EAR, administered by the US Department of Commerce, Bureau of Industry and Security (BIS), applies to products, software and technology with both commercial and military use (commonly referred to as “dual-use” goods). Items controlled under the EAR are listed on the Commerce Control List (CCL).

   

The CCL contains five-digit alphanumeric Export Control Classification Numbers (ECCNs) for identification of specifically described items and their reasons for control. An EAR99 basket number is used for any items not specifically described.

   

The CCL includes ten product categories covering such items as materials, chemicals, electronics, computers, telecommunications, information security, navigation and avionics. Encryption items, including encryption technology and hardware and software with encryption functionality, are an important category of items on the CCL because most business software contains encryption capabilities and, therefore, outsourcing projects often involve the export of encryption items. The export controls related to encryption items are particularly complex and must be analyzed on a product-by-product basis.

   

What is the Destination and End-Use of the Items to Be Exported?

   

The third step a US company should take to determine whether its outsourcing project raises US export control issues is to identify the destination and end-use of controlled items outside of the United States. In addition, the company should identify any foreign nationals, including employees, consultants, contractors, guest researchers and visitors, to whom the items may be released in the United States.

   

Whether the export of an item controlled under the EAR requires an export license depends upon the ultimate destination and end-use of that item. If an item is controlled for export under the ITAR, it will need a license for all destinations and end-uses, unless a license exception applies. In addition, US sanctions laws prohibit US companies from any business dealings with certain countries, individuals and entities. US laws also prohibit the export of US-origin items to certain prohibited countries and parties.

   

Addressing Issues Relating to US Export Control Laws While Negotiating and Drafting an Outsourcing Agreement

   

If an outsourcing project raises US export control issues, there are generally three steps the US company should take to ensure compliance with applicable export laws. First, if the classification, destination, end-use or end-user of items that the US company will export as part of its outsourcing transaction requires an export license, and if no license exception is available, then the company must apply to the BIS or the DDTC for a license. Such a license must be obtained in advance of any exportation. License applications may take between four and twelve weeks for approval. Typically, any license that is granted will have a duration of about two years.

   

Second, the US company needs to create an export control policy, including a technology control plan for personnel working on the project, to ensure appropriate access to controlled items. Finally, and once work under an outsourcing agreement commences, the US company must continue to ensure compliance with all US export license obligations. It must also maintain all classification and export documentation for recordkeeping purposes, confirm the export license expiration date, and prepare necessary renewal applications.

   

When negotiating an outsourcing agreement that raises US export control issues, the US company should consider whether it will maintain the above obligations related to ensuring compliance with US export control laws, or if it will delegate such responsibilities to the supplier. As a general matter, the “exporter of record” is ultimately responsible for compliance with US export control laws. The exporter of record is the person in the United States who has the authority of a principal person in interest to determine and control the sending of items out of the United States. Often, each party to an outsourcing agreement assumes the export compliance obligations for any items it supplies to the project that will be exported.

   

Alternatively, the US company may consider delegating to the supplier the responsibility to comply with applicable export restrictions, but that will not completely relieve the US company of its legal obligations under the EAR or the ITAR. The advantages of this approach include short-term cost savings for the US company, such as elimination of the need to classify items, to determine whether an export license is needed, or to apply for a license prior to commencement of work under an outsourcing agreement. Another reason to require the supplier to handle this responsibility is that it will be easier for the supplier to maintain the technology control plan mentioned above, as the supplier is in control of supplier personnel who access and use the technology.

   

However, the US company will face significant risks in the event that the supplier fails to fulfill its obligations with respect to ensuring compliance with US export control laws. The company may be able to recover from the supplier the amount of monetary fines imposed by the US government. But adequate remedies for the company’s potential loss of export privileges, disruption of business operations and reputational damage stemming from its failure to comply with export control laws are difficult to ascertain and recover from the supplier.

   

In the event that, after weighing these considerations, the US company prefers to impose on the supplier the burden of ensuring compliance with US export control laws, the relevant contract provision should reflect certain key understandings. These include:

   

  • Certain items or transactions under the outsourcing agreement may be subject to US export controls and/or sanctions.
  • Neither party to an outsourcing transaction will directly or indirectly export or re-export any items in violation of applicable US export control laws.
  • The supplier will identify the specific export control status of, and will be responsible for obtaining all necessary export authorizations for, the export or re-export of any items under the outsourcing agreement.
  • The supplier will ensure that its subcontractors obtain all necessary export authorizations and maintain the necessary internal compliance controls.
  • The supplier will agree not to subcontract any portion of the outsourcing services to prohibited countries or entities and will not employ nationals of such prohibited countries to provide services to the US company.
  • The supplier will be responsible for implementing all necessary internal compliance controls, including the technology control plan.
  • The supplier will provide the US company, at the company’s request and at least annually, a certification of compliance with US export control laws.

   

If the US company decides, either at the outset of negotiations or as a result of a compromise with the supplier, to maintain primary responsibility for ensuring compliance with US export control laws, the company should nevertheless draft the relevant provisions of the outsourcing agreement with care. For example, it is crucial for the US company to secure a commitment from the supplier to provide all information necessary for the company to achieve and maintain compliance with US export control laws. This information should include the countries of citizenship for all supplier personnel who may be performing services under an outsourcing agreement, whether in the United States or from abroad.

   

Steps to Determine Whether Your Outsourcing Project Raises Export Concerns

   

The checklist below will help US companies to identify and resolve US export control issues in an outsourcing deal:

   

  1. Determine whether the outsourcing project involves an export of products, source code, software, technology, defense articles or defense services.
  2. Classify each item with the appropriate ECCN or USML Category.
  3. Determine the item’s export destination and end-use.
  4. Determine whether any controlled technology, source code, defense articles or defense services will be released to foreign nationals in the United States.
  5. Screen all parties to the transaction against the list of prohibited persons maintained by the US government.
  6. Determine whether an export license is required. If so, confirm whether a license exception applies.
  7. Ensure that contractual language adequately covers the responsibilities of the parties, given applicable export controls and licensing requirements.
  8. Obtain an export license when necessary.
  9. Create, design and implement a US export control policy with procedures specific to technology, security, record-keeping, training and reporting.
  10. Create a technology control plan for personnel working on the project to ensure appropriate access to controlled items, including separate work areas with restricted access control and separately controlled technology within the server network, password protection for individual documents, protected databases and other computer security measures.
  11. Train all relevant persons in compliance with US export control laws.
  12. Comply with all export license conditions.
  13. Ensure that the exporter or its agent adequately completes and submits all required shipping documentation and Automated Export System (AES) records.
  14. Maintain all classification and export documentation for record-keeping purposes.
  15. Confirm the export license expiration date and prepare necessary export license renewal applications.

   

Conclusion

   

The specific nature of export restrictions arising in a complex outsourcing project drives the overall strategy and the time necessary for the resolution of such issues. Issues can arise with any company employing or interacting with foreign nationals wherever located, or engaging in business activities outside the United States. Early identification of challenges arising from US export control laws and effective allocation of responsibility for resolving compliance-related concerns will help the company select the most appropriate supplier for a particular outsourcing need. Proactive consideration of the laws will also help the company reach early internal alignment on this important issue, set up necessary internal controls to ensure compliance with US export control laws, and avoid delays in the negotiation of an outsourcing agreement and commencement of work under the agreement.

   

Offshore Outsourcing: Export Controls ITAR/EAR

Raytheon Aircraft is no different than most companies today.

   

The $2.1 billion subsidiary of the national defense contractor is exploiting outsourcing, both onshore and off, to cut costs, access skilled workers and operate more efficiently.

   

But unlike some companies, one false move on an outsourcing deal could cost the airplane manufacturer tens of millions of dollars, jeopardize its ability to sell to the U.S. government or even land its executives in jail. That’s because Raytheon and its subsidiaries are subject to export regulations that restrict what information can be viewed by foreign IT workers. Data that could enable another country to build a missile or military aircraft — or even a seemingly innocuous radio — is restricted.

   

Raytheon Aircraft ran into just that issue last summer, when it inked an outsourcing deal with IBM. The company gave IBM control over support and further development of its SAP system. IBM, for cost reasons, declared its intent to use subcontractors in India on the application, which contains such sensitive information as how to build the skin of a commercial jet. And that’s when Raytheon Aircraft CIO Doug Debrecht knew he had a problem on his hands. Executives at his parent company soon confirmed his intuition. They insisted that IBM not use foreign contractors until Debrecht came up with a surefire way to keep them out of Raytheon’s network.

   

Raytheon is not the only company dealing with this dilemma. Many in the military-industrial complex are keen to figure out a way to move IT work offshore. The federal government itself, one of the largest outsourcers in the country, must consider where the work it is sending to EDS or Lockheed Martin will ultimately wind up. And even nondefense-related companies must sort out how similar data-access situations apply to regulations like the Health Insurance Portability and Accountability and Gramm-Leach-Bliley acts. Consider the case of the clerical worker in Pakistan who threatened to post a U.S. hospital’s patient data online if she wasn’t paid more money. Any sensitive data can be dangerous in the wrong hands.

   

This is a new minefield for defense IT. While other parts of the business have incurred major penalties for export violations, military defense contractors have, up until now, largely dismissed the idea of using offshore talent on their systems. “If you look at my counterparts at Boeing, Raytheon and Lockheed Martin and compare us to the rest of our peers in the Fortune 500, we’re the rare breed that still does very little offshoring, and that’s all because of [International Traffic in Arms Regulations] and export regulations,” says Tom Shelman, CIO for Northrop Grumman.

   

But as the cost pressures to exploit offshore outsourcing mount, CIOs now face a complicated conundrum: how to protect their sensitive information while enabling the global collaboration necessary to compete in today’s business environment.

   

“It’s a huge concern not just for government contractors but for any CIO who’s dealing with material that’s regulated, whether it’s defense or financial services or pharmaceutical companies,” says Akiba Stern, partner in the New York City office of global law and consulting firm Shaw Pittman. “The companies themselves know a lot about the regulations in their industry, but the people who are doing the outsourcing don’t. And there are no actual rules for how to work the outsourcing.”

   

The Export Police

Since World War II, the United States has been placing restrictions on the export of certain arms and related data. Today, the State Department’s Office of Defense Trade Controls administers the International Traffic in Arms Regulations, or ITAR, which require specific licenses for exporting items on the U.S. munitions list, from aircraft and ships to firearms and chemical weapons, as well as any technical data needed to make them.

The Commerce Department’s Bureau of Export Administration (BXA) administers the Export Administration Regulations (EAR), which control the export of commercial items that could have military applications (computers, civilian aircraft, viruses for scientific research, even radios). Both ITAR and EAR prohibit the release of related data to foreign nationals (anyone not a U.S. citizen or permanent resident alien), which is why CIOs at companies like Raytheon find themselves in a fix.

   

The potential for trouble has only increased with the pervasiveness of offshore outsourcing, especially since companies such as India’s Tata Consultancy Services and Wipro are subcontractors to some of the largest U.S. outsourcers including CSC, EDS and IBM. Amplified sensitivity to issues of national security and terrorism have further fueled concerns, making this a hot-button issue for CIOs in regulated industries. “We’re living in a different sort of world,” says Michael Daly, corporate director of IT security for Raytheon. “What was just a topic of conversation a few years ago is now top of mind.”

   

As a result, the enforcers of export regulations are getting tough on violators. “They’ve stepped up their regulatory activity and fines, many of them in excess of $10 million,” says Larry Christensen, vice president of international trade content for Vastera, a global trade technology provider, and former director of the BXA’s regulatory policy division.

   

Just last year, Raytheon agreed to pay $25 million in civil fines to settle charges from the Department of Justice that it tried to evade export laws in the attempted sale of sensitive radio technology to Pakistan via a Canadian subsidiary. Similarly, Lockheed Martin settled a federal lawsuit for $13 million in 2000 for providing technical advice to a Hong Kong company working on China’s commercial satellite program. Two years earlier, Boeing Satellite Systems paid $10 million for sharing rocket data with Russian and Ukrainian partners.

   

The escalation in fines has not been lost on the industry. And now that companies such as Raytheon and Northrop Grumman are exploring the possibility of letting foreign workers handle their systems, their CIOs are well aware of the perils if their companies’ technical data is exposed through outsourcing arrangements. “It’s a big, complicated problem,” says Ron Remy, director of IT operations for Lockheed Martin Space Systems. “We deal with lots of secure information, not just our proprietary information and ITAR-regulated information, but even classified Department of Defense information.”

   

Among the systems currently off-limits to offshore outsourcing at Lockheed Martin: ERP systems, which contain the material requirements for developing and defining the company’s products, and the engineering systems used to design its products including space-based telecommunications and missile systems.
Testing the Offshore Waters

   

Generally, IT service providers such as IBM disclose to their clients what subcontractors, if any, they plan to use on an outsourced project. But CIOs are ultimately responsible for making sure the arrangements for systems access are fail-safe. If a company violates export regulations as a result of its outsourcer subcontracting to a supplier in China or India, you can bet it won’t be the outsourcer that pays. “If there’s a regulation that you’re responsible for and your outsourcer doesn’t comply, you have to deal with the damage,” Shaw Pittman’s Stern says.

   

Multimillion-dollar fines, experts say, would be just the beginning. “In government contracting, the damage to reputation is almost always worse because you’re dealing with something that’s perceived to be a national security issue,” says Ed Hansen, another Shaw Pittman partner. “When that hits the newspapers, it looks really bad.” Violators can lose their ability to sell to the U.S. government, and ultimately, to export at all.

   

And it doesn’t stop there. “We’ve even seen a willingness to seek criminal indictments,” Christensen says. “And corporations don’t go to jail; people go to jail.” In 2001, criminal charges were brought (and eventually dropped) against a McDonnell Douglas executive for conspiring to sell machine tools used to make jetliners to China. Though it hasn’t yet happened to a CIO, the possibility of up to 10 years in prison for an export violation is not one that any IT executive wants to consider.

   

Even so, Northrop Grumman, which in response to ITAR and EAR worries took back in-house work that was previously being done in India for TRW (which it acquired in 2002), is now testing the offshore waters. “What if our shareholders look at the enormous cost of IT at our corporation and benchmark us against other Fortune 100 companies not bound by ITAR? We can’t afford to be the ones that don’t do it,” says Northrop Grumman’s Shelman. He is currently conducting two pilots in India — one for an ongoing project involving PeopleSoft support and another for a one-time project involving Web development — to determine if offshoring is doable.

   

“There are two different issues you have to address depending on your level of paranoia,” says Rapheal Holder, who is overseeing the pilots as vice president of shared services for Northrop Grumman. “There’s how you’re going to review code prior to introducing it back into your production environment, and how you address the need to give foreign nationals access to the production environment and live, potentially sensitive data.”

   

Holder says it’s been a painstaking process; the company has had to methodically go through each system to identify what data controls need to be put in place, how to provide the offshore workers with access to the live production environment, and ultimately how to inspect code created by the foreign workers. “It’s a slow process of peeling the onion,” says Holder.

   

Shelman says Northrop Grumman will complete the pilot projects in India and will be able to give a yea or nay to offshore outsourcing in the 2005 IT budget. The company may enter an offshore engagement, but only if it has pinpointed all the controls required to meet export requirements, identified the infrastructure required and can still foresee significant cost savings.

   

Salvaging a Done Deal

When IBM and Raytheon initially discussed their outsourcing deal, IBM executives tried to assure Raytheon CIO Debrecht that subcontracting to foreign workers would not pose a problem. “They said, ‘Oh we’ve done this before, and we know how to work through these issues,’” he recalls.

   

That wasn’t good enough for Debrecht, and he knew it certainly would not satisfy executives at Raytheon headquarters. “Raytheon is very sensitive to such issues, just like any defense company is. You read in the paper that this contractor violated this or that export law and was fined millions of dollars,” Debrecht says. “I don’t want to be the one to have to go to the CEO and say, Yeah, that was because of me.”

   

Not surprisingly, the initial reaction of top Raytheon executives to IBM’s plan to offshore some of the SAP deal was negative. “The easy answer for Raytheon was to just say, No, don’t let them into the systems,” Debrecht says.

   

Unfortunately for Raytheon Aircraft, the SAP outsourcing was part of a larger supply chain transformation contract with IBM. The proposed project required a host of changes to the SAP system, and IBM needed control of the application to make them in a timely fashion, says Debrecht. And that meant access to the production servers.

   

Debrecht had gone through similar issues on other projects, but those were relatively simple application development situations. The foreign nationals could do the programming work on development servers, where live data was replaced by dummy data, and they never set foot in the production environment stateside.

   

That’s how Boeing, for example, has been able to outsource some programming to Russian outsourcer Luxoft for the past four years. Boeing has an internal committee that determines what projects can be sent to Russia. It then identifies export-regulated sensitive data (such as diagrams for an airplane wing), eliminates it from the application, inserts dummy data in its place, and ships it off to Moscow where developers don’t need to see the sensitive data to do their work.

   

When it comes to ongoing systems support, like IBM’s work for Raytheon Aircraft, where access to the real data is necessary, things get more complicated. “You have to put limits on what people have access to, create audit trails, know who has what passwords,” Shaw Pittman’s Stern says. “It’s a whole regime that has to be put in place.”

   

Raytheon decided the time and money needed to make the project work was worth it, particularly since Raytheon CIO Rebecca Rhoads would like to see the company take full advantage of offshore outsourcing. So for the time being, IBM has agreed not to use foreign nationals on the SAP account for up to two years, until Raytheon Aircraft solves the problem of making offshoring secure.

   

“The biggest challenge is server access, particularly when you have technical data that is controlled by state or commerce,” says Vastera’s Christensen. “Not every IT department knows how to handle that well. And there are always drawbacks to controlling data access. Separate servers can result in hard feelings on the part of those locked out — encryption which may not be all that good.”

   

It wasn’t that Raytheon lacked a way to control access to its live data before. After all, the company operates in 76 countries and collaborates with partners around the world. The U.S. Navy’s DDX Destroyer, a high-tech $2.9 billion warship Raytheon is developing the electronics and weapons systems for, involves no less than 81 discrete companies worldwide.

   

But up until now, Raytheon has had to build secure collaborative environments from scratch on a case-by-case basis. That meant assessing requirements, figuring out appropriate security standards, determining how to label data and creating an Integrated Digital Environment (IDE) for data sharing specific to the needs of each project.

   

The goal now is to streamline and, as much as possible, automate how federally regulated data is handled, reducing the time and money it takes to set up a new infrastructure every time the company wants to let outsiders into certain areas. “In the past, it was very manual, writing down logs, making sure the appropriate federal licenses were maintained, and installing firewalls to keep non-U.S. Raytheon separate from U.S. Raytheon,” Daly explains. “It’s very frustrating because as a business what we need are canned solutions for this that can just plug and play. We just can’t spend six months to a year to build a collaborative environment each time we need it.”

   

A New Kind of Knowledge Management

Debrecht has tapped several Raytheon officials for help in designing the automated solution to permit IBM’s offshore subcontractors to work on the SAP system, including executives in corporate governance, IT security, HR and the legal department’s import and export division. Daly also sent two of his employees to Raytheon Aircraft’s headquarters in Wichita, Kan., to help Debrecht devise a security plan.

   

“The situation requires that Raytheon have a multilevel program for managing outsourcing and federal export regulations,” Daly explains. “We need a means of labeling the data that everyone understands. We need a program for identifying the status of a [U.S. person or foreign national]. And we need to put in an infrastructure that allows those parties to participate while controlling what they have access to.”

   

In essence, Daly says, Raytheon needs a very intricate form of knowledge management, which does not yet exist commercially.

   

First, Debrecht and his team determined what the Indian workers will be able to look at in the SAP system and what they won’t, in accordance with Raytheon’s internal rules for export compliance. They can view what’s called a “piece part” of an aircraft — anything from a nut or bolt to a tire or piece of sheet metal, for example — as long as they don’t know how it is assembled. If they had access to the materials information and the recipes for putting them together, that would be a problem.

   

That phase complete, “it’s now a matter of figuring out how we can separate out all the non-ITAR, non-EAR data and let them support the things that are OK for them to see,” Debrecht says. This phase two is sticky because the SAP production server is ultimately linked to the larger Raytheon network. “If we let them into our production network, a person with the right skills could hack into other areas within Raytheon,” he says.

   

Debrecht plans to use a secure ID setup with two-factor authentication to automatically determine who can get into the network. SAP will monitor what transactions an Indian professional can run, what tables he can modify and so forth. Raytheon would administer the system, but IBM would use it to enable its offshore subcontractors to work on the SAP system. But in order to protect the rest of the network, Debrecht must go further; Raytheon is working on a next-generation security system in conjunction with Microsoft and Cisco. But in the near term, Debrecht sees a potential solution in what he calls a terminal DMZ server. One step removed from the real network, it duplicates the information the worker needs from the network without providing actual access to the network.

   

Phase three, says Debrecht, will be figuring out a secure way to let foreign nationals onto the actual production equipment, giving them access to only the live data they are permitted to see. “That’s the final end state,” says Debrecht. “At that point there will be a separation of data, a lockdown of sensitive data, security profiles for every worker determining their level of access, and networkwide security that will prevent foreign workers from leaving the production system and getting on to the [Raytheon] network.”
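
The three pieces Daly lists (a data label, a person's status, and an infrastructure that controls access), together with the audit trail Stern calls for, can be sketched as one deny-by-default decision function. This is an added example, not Raytheon's or IBM's system; the label names, the license register and every sample user and record below are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Constructed label vocabulary: controlled data carries the regime that
# controls it; data cleared for release carries an explicit "NONE".
CONTROLLED_LABELS = {"ITAR", "EAR"}
UNCONTROLLED_LABEL = "NONE"


@dataclass
class Person:
    user_id: str
    us_person: bool  # U.S. citizen or permanent resident alien
    # Hypothetical license register: label -> license expiration date.
    licenses: Dict[str, date] = field(default_factory=dict)


@dataclass
class Record:
    record_id: str
    label: Optional[str]  # None means nobody has classified it yet


def decide(person: Person, record: Record, today: date) -> str:
    """Return 'allow:<reason>' or 'deny:<reason>' for one access request."""
    if person.us_person:
        return "allow:us-person"
    if record.label == UNCONTROLLED_LABEL:
        return "allow:uncontrolled-data"
    if record.label not in CONTROLLED_LABELS:
        # Missing or unrecognized label: fail closed rather than guess.
        return "deny:unlabeled-or-unknown"
    expiry = person.licenses.get(record.label)
    if expiry is None:
        return "deny:no-license"
    if expiry < today:
        return "deny:license-expired"
    return "allow:licensed"


class Gatekeeper:
    """Applies decide() and records every decision, allowed or denied."""

    def __init__(self) -> None:
        self.audit_log: List[dict] = []

    def request(self, person: Person, record: Record, today: date) -> bool:
        verdict = decide(person, record, today)
        self.audit_log.append({
            "date": today.isoformat(),
            "user": person.user_id,
            "record": record.record_id,
            "label": record.label,
            "verdict": verdict,
        })
        return verdict.startswith("allow:")


def run_sample() -> List[bool]:
    """Constructed users and records; returns one result per request."""
    today = date(2005, 1, 10)
    us_admin = Person("us-admin", us_person=True)
    offshore = Person("offshore-dev", us_person=False)
    licensed = Person("offshore-lead", False, {"EAR": date(2005, 6, 30)})
    lapsed = Person("offshore-old", False, {"EAR": date(2004, 12, 31)})

    piece_part = Record("MAT-0001", "NONE")   # constructed: a single bolt
    assembly = Record("BOM-0001", "ITAR")     # constructed: assembly recipe
    dual_use = Record("DOC-0001", "EAR")
    unlabeled = Record("TMP-0001", None)

    gate = Gatekeeper()
    requests = [
        (us_admin, assembly), (offshore, piece_part), (offshore, assembly),
        (offshore, unlabeled), (licensed, dual_use), (licensed, assembly),
        (lapsed, dual_use),
    ]
    results = [gate.request(p, r, today) for p, r in requests]
    assert len(gate.audit_log) == len(requests)  # denials are logged too
    return results


if __name__ == "__main__":
    print(run_sample())
```

The unlabeled record and the lapsed license are the two cases a manual process tends to miss: both are denied here, and both denials still land in the audit log.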

   

Once Debrecht figures out how to make that work, he’ll hire an outside security corporation to come in and try to break the new system. If it fails, Debrecht may succeed in enabling IBM to use its offshore facilities on the project. Of course, IBM must then comply with all the new processes and systems Raytheon Aircraft puts in place. If not, says Debrecht, IBM will have violated the initial contract, and the deal may end prematurely. “But they probably have too much at stake, as do we, to give up,” Debrecht predicts.

   

Debrecht hopes to have a secure method in place within six months that allows IBM to employ Indian subcontractors. If he does, the opportunities for sending information technology work offshore could increase dramatically. “We don’t do a lot of design or development outsourcing. But we’re talking about breaking new ground here,” he says. “This could open up other opportunities within the corporation.”

   

Ultimately, the question for companies such as Raytheon, Lockheed Martin and Northrop Grumman will be where to draw the line. Shelman could see sending HR systems, financial and even manufacturing systems offshore eventually, though he says he’d keep engineering design systems stateside. Business process outsourcing — such as data entry or accounting, whereby the provider manages the network in addition to business functions performed on that network — done by foreign nationals, for example, is also unlikely. “There’s no way to avoid using real data with BPO, and you have to ensure that your outsourcer is as careful about the data as you are,” Stern says.

   

But then again, maybe it’s possible.

   

“Once we’re able to crack the code and we’re able to do this in some kind of repeatable manner,” Debrecht says, “who knows what else we can do.”

   

Raytheon Aircraft is no different than most companies today.

   

The $2.1 billion subsidiary of the national defense contractor is exploiting outsourcing, both onshore and off, to cut costs, access skilled workers and operate more efficiently.

   

Best practices for protecting sensitive business information while making people productive from
But unlike some companies, one false move on an outsourcing deal could cost the airplane manufacturer tens of millions of dollars, jeopardize its ability to sell to the U.S. government or even land its executives in jail. That’s because Raytheon and its subsidiaries are subject to export regulations that restrict what information can be viewed by foreign IT workers. Data that could enable another country to build a missile or military aircraft — or even a seemingly innocuous radio — is restricted.

   

Raytheon Aircraft ran into just that issue last summer, when it inked an outsourcing deal with IBM. The company gave IBM control over support and further development of its SAP system. IBM, for cost reasons, declared its intent to use subcontractors in India on the application, which contains such sensitive information as how to build the skin of a commercial jet. And that’s when Raytheon Aircraft CIO Doug Debrecht knew he had a problem on his hands. Executives at his parent company soon confirmed his intuition. They insisted that IBM not use foreign contractors until Debrecht came up with a surefire way to keep them out of Raytheon’s network.

   

Raytheon is not the only company dealing with this dilemma. Many in the military-industrial complex are keen to figure out a way to move IT work offshore. The federal government itself, one of the largest outsourcers in the country, must consider where the work it is sending to EDS or Lockheed Martin will ultimately wind up. And even nondefense-related companies must sort out how similar data-access situations apply to regulations like the Health Insurance Portability and Accountability and Gramm-Leach-Bliley acts. Consider the case of the clerical worker in Pakistan who threatened to post a U.S. hospital’s patient data online if she wasn’t paid more money. Any sensitive data can be dangerous in the wrong hands.

   

This is a new minefield for defense IT. While other parts of the business have incurred major penalties for export violations, military defense contractors have, up until now, largely dismissed the idea of using offshore talent on their systems. “If you look at my counterparts at Boeing, Raytheon and Lockheed Martin and compare us to the rest of our peers in the Fortune 500, we’re the rare breed that still does very little offshoring, and that’s all because of [International Traffic in Arms Regulations] and export regulations,” says Tom Shelman, CIO for Northrop Grumman.

   

But as the cost pressures to exploit offshore outsourcing mount, CIOs now face a complicated conundrum: how to protect their sensitive information while enabling the global collaboration necessary to compete in today’s business environment.

   

“It’s a huge concern not just for government contractors but for any CIO who’s dealing with material that’s regulated, whether it’s defense or financial services or pharmaceutical companies,” says Akiba Stern, partner in the New York City office of global law and consulting firm Shaw Pittman. “The companies themselves know a lot about the regulations in their industry, but the people who are doing the outsourcing don’t. And there are no actual rules for how to work the outsourcing.”

   

The Export Police

Since World War II, the United States has been placing restrictions on the export of certain arms and related data. Today, the State Department’s Office of Defense Trade Controls administers the International Traffic in Arms Regulations, or ITAR, which require specific licenses for exporting items on the U.S. munitions list, from aircraft and ships to firearms and chemical weapons, as well as any technical data needed to make them.

   

The Commerce Department’s Bureau of Export Administration (BXA) administers the Export Administration Regulations (EAR), which control the export of commercial items that could have military applications (computers, civilian aircraft, viruses for scientific research, even radios). Both ITAR and EAR prohibit the release of related data to foreign nationals (anyone not a U.S. citizen or permanent resident alien), which is why CIOs at companies like Raytheon find themselves in a fix.

   

The potential for trouble has only increased with the pervasiveness of offshore outsourcing, especially since companies such as India’s Tata Consultancy Services and Wipro are subcontractors to some of the largest U.S. outsourcers including CSC, EDS and IBM. Amplified sensitivity to issues of national security and terrorism has further fueled concerns, making this a hot-button issue for CIOs in regulated industries. “We’re living in a different sort of world,” says Michael Daly, corporate director of IT security for Raytheon. “What was just a topic of conversation a few years ago is now top of mind.”

   

As a result, the enforcers of export regulations are getting tough on violators. “They’ve stepped up their regulatory activity and fines, many of them in excess of $10 million,” says Larry Christensen, vice president of international trade content for Vastera, a global trade technology provider, and former director of the BXA’s regulatory policy division.

   

Just last year, Raytheon agreed to pay $25 million in civil fines to settle charges from the Department of Justice that it tried to evade export laws in the attempted sale of sensitive radio technology to Pakistan via a Canadian subsidiary. Similarly, Lockheed Martin settled a federal lawsuit for $13 million in 2000 for providing technical advice to a Hong Kong company working on China’s commercial satellite program. Two years earlier, Boeing Satellite Systems paid $10 million for sharing rocket data with Russian and Ukrainian partners.

   

The escalation in fines has not been lost on the industry. And now that companies such as Raytheon and Northrop Grumman are exploring the possibility of letting foreign workers handle their systems, their CIOs are well aware of the perils if their companies’ technical data is exposed through outsourcing arrangements. “It’s a big, complicated problem,” says Ron Remy, director of IT operations for Lockheed Martin Space Systems. “We deal with lots of secure information, not just our proprietary information and ITAR-regulated information, but even classified Department of Defense information.”

   

Among the systems currently off-limits to offshore outsourcing at Lockheed Martin: ERP systems, which contain the material requirements for developing and defining the company’s products, and the engineering systems used to design its products including space-based telecommunications and missile systems.

   

Testing the Offshore Waters

Generally, IT service providers such as IBM disclose to their clients what subcontractors, if any, they plan to use on an outsourced project. But CIOs are ultimately responsible for making sure the arrangements for systems access are fail-safe. If a company violates export regulations as a result of its outsourcer subcontracting to a supplier in China or India, you can bet it won’t be the outsourcer that pays. “If there’s a regulation that you’re responsible for and your outsourcer doesn’t comply, you have to deal with the damage,” Shaw Pittman’s Stern says.

   

Multimillion-dollar fines, experts say, would be just the beginning. “In government contracting, the damage to reputation is almost always worse because you’re dealing with something that’s perceived to be a national security issue,” says Ed Hansen, another Shaw Pittman partner. “When that hits the newspapers, it looks really bad.” Violators can lose their ability to sell to the U.S. government, and ultimately, to export at all.

   

And it doesn’t stop there. “We’ve even seen a willingness to seek criminal indictments,” Christensen says. “And corporations don’t go to jail; people go to jail.” In 2001, criminal charges were brought (and eventually dropped) against a McDonnell Douglas executive for conspiring to sell machine tools used to make jetliners to China. Though it hasn’t yet happened to a CIO, the possibility of up to 10 years in prison for an export violation is not one that any IT executive wants to consider.

   

Even so, Northrop Grumman, which in response to ITAR and EAR worries took back in-house work that was previously being done in India for TRW (which it acquired in 2002), is now testing the offshore waters. “What if our shareholders look at the enormous cost of IT at our corporation and benchmark us against other Fortune 100 companies not bound by ITAR? We can’t afford to be the ones that don’t do it,” says Northrop Grumman’s Shelman. He is currently conducting two pilots in India — one for an ongoing project involving PeopleSoft support and another for a one-time project involving Web development — to determine if offshoring is doable.

   

“There are two different issues you have to address depending on your level of paranoia,” says Rapheal Holder, who is overseeing the pilots as vice president of shared services for Northrop Grumman. “There’s how you’re going to review code prior to introducing it back into your production environment, and how you address the need to give foreign nationals access to the production environment and live, potentially sensitive data.”

   

Holder says it’s been a painstaking process; the company has had to methodically go through each system to identify what data controls need to be put in place, how to provide the offshore workers with access to the live production environment, and ultimately how to inspect code created by the foreign workers. “It’s a slow process of peeling the onion,” says Holder.

   

Shelman says Northrop Grumman will complete the pilot projects in India and will be able to give a yea or nay to offshore outsourcing in the 2005 IT budget. The company may enter an offshore engagement, but only if it has pinpointed all the controls required to meet export requirements, identified the infrastructure required and can still foresee significant cost savings.

   

Salvaging a Done Deal

When IBM and Raytheon initially discussed their outsourcing deal, IBM executives tried to assure Raytheon CIO Debrecht that subcontracting to foreign workers would not pose a problem. “They said, ‘Oh we’ve done this before, and we know how to work through these issues,’” he recalls.

   

That wasn’t good enough for Debrecht, and he knew it certainly would not satisfy executives at Raytheon headquarters. “Raytheon is very sensitive to such issues, just like any defense company is. You read in the paper that this contractor violated this or that export law and was fined millions of dollars,” Debrecht says. “I don’t want to be the one to have to go to the CEO and say, Yeah, that was because of me.”

   

Not surprisingly, the initial reaction of top Raytheon executives to IBM’s plan to offshore some of the SAP deal was negative. “The easy answer for Raytheon was to just say, No, don’t let them into the systems,” Debrecht says.

   

Unfortunately for Raytheon Aircraft, the SAP outsourcing was part of a larger supply chain transformation contract with IBM. The proposed project required a host of changes to the SAP system, and IBM needed control of the application to make them in a timely fashion, says Debrecht. And that meant access to the production servers.

   

Debrecht had gone through similar issues on other projects, but those were relatively simple application development situations. The foreign nationals could do the programming work on development servers, where live data was replaced by dummy data, and they never set foot in the production environment stateside.

   

That’s how Boeing, for example, has been able to outsource some programming to Russian outsourcer Luxoft for the past four years. Boeing has an internal committee that determines what projects can be sent to Russia. It then identifies export-regulated sensitive data (such as diagrams for an airplane wing), eliminates it from the application, inserts dummy data in its place, and ships it off to Moscow where developers don’t need to see the sensitive data to do their work.

   

When it comes to ongoing systems support, like IBM’s work for Raytheon Aircraft, where access to the real data is necessary, things get more complicated. “You have to put limits on what people have access to, create audit trails, know who has what passwords,” Shaw Pittman’s Stern says. “It’s a whole regime that has to be put in place.”

   

Raytheon decided the time and money needed to make the project work was worth it, particularly since Raytheon CIO Rebecca Rhoads would like to see the company take full advantage of offshore outsourcing. So for the time being, IBM has agreed not to use foreign nationals on the SAP account for up to two years, until Raytheon Aircraft solves the problem of making offshoring secure.

   

“The biggest challenge is server access, particularly when you have technical data that is controlled by state or commerce,” says Vastera’s Christensen. “Not every IT department knows how to handle that well. And there are always drawbacks to controlling data access. Separate servers can result in hard feelings on the part of those locked out — encryption which may not be all that good.”

   

It wasn’t that Raytheon lacked a way to control access to its live data before. After all, the company operates in 76 countries and collaborates with partners around the world. The U.S. Navy’s DDX Destroyer, a high-tech $2.9 billion warship Raytheon is developing the electronics and weapons systems for, involves no less than 81 discrete companies worldwide.

   

But up until now, Raytheon has had to build secure collaborative environments from scratch on a case-by-case basis. That meant assessing requirements, figuring out appropriate security standards, determining how to label data and creating an Integrated Digital Environment (IDE) for data sharing specific to the needs of each project.

   

The goal now is to streamline and, as much as possible, automate how federally regulated data is handled, reducing the time and money it takes to set up a new infrastructure every time the company wants to let outsiders into certain areas. “In the past, it was very manual, writing down logs, making sure the appropriate federal licenses were maintained, and installing firewalls to keep non-U.S. Raytheon separate from U.S. Raytheon,” Daly explains. “It’s very frustrating because as a business what we need are canned solutions for this that can just plug and play. We just can’t spend six months to a year to build a collaborative environment each time we need it.”

   

A New Kind of Knowledge Management

Debrecht has tapped several Raytheon officials for help in designing the automated solution to permit IBM’s offshore subcontractors to work on the SAP system, including executives in corporate governance, IT security, HR and the legal department’s import and export division. Daly also sent two of his employees to Raytheon Aircraft’s headquarters in Wichita, Kan., to help Debrecht devise a security plan.

   

“The situation requires that Raytheon have a multilevel program for managing outsourcing and federal export regulations,” Daly explains. “We need a means of labeling the data that everyone understands. We need a program for identifying the status of a [U.S. person or foreign national]. And we need to put in an infrastructure that allows those parties to participate while controlling what they have access to.”

   

In essence, Daly says, Raytheon needs a very intricate form of knowledge management, which does not yet exist commercially.

   

First, Debrecht and his team determined what the Indian workers will be able to look at in the SAP system and what they won’t, in accordance with Raytheon’s internal rules for export compliance. They can view what’s called a “piece part” of an aircraft — anything from a nut or bolt to a tire or piece of sheet metal, for example — as long as they don’t know how it is assembled. If they had access to the materials information and the recipes for putting them together, that would be a problem.
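The viewing rule described above (uncontrolled piece parts are visible, assembly information and ITAR/EAR-labeled data are not) and the dummy-data substitution described earlier for development copies can be sketched as a default-deny check with an audit trail. This is an added example, not Raytheon's or Boeing's system; the record fields, status values, function names and sample records are all assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from enum import Enum

class Label(Enum):
    NONE = "none"   # not export-controlled
    EAR = "EAR"
    ITAR = "ITAR"

class Status(Enum):
    US_PERSON = "us_person"   # U.S. citizen or permanent resident alien
    FOREIGN_NATIONAL = "foreign_national"
    UNKNOWN = "unknown"       # status not yet verified

@dataclass(frozen=True)
class Record:
    record_id: str
    kind: str       # "piece_part" or "assembly" (how parts go together)
    label: Label
    payload: str

AUDIT_LOG = []  # one (user_id, record_id, decision, reason) tuple per check

def may_view(user_id, status, record):
    """Default deny: only verified U.S. persons see controlled or assembly data."""
    if status is Status.US_PERSON:
        decision, reason = True, "verified U.S. person"
    elif status is Status.UNKNOWN:
        decision, reason = False, "status not verified"
    elif record.label is not Label.NONE:
        decision, reason = False, f"{record.label.value}-controlled data"
    elif record.kind != "piece_part":
        # Denied even when unlabeled, so a missing label does not leak a "recipe".
        decision, reason = False, "assembly information withheld"
    else:
        decision, reason = True, "uncontrolled piece part"
    AUDIT_LOG.append((user_id, record.record_id, decision, reason))
    return decision

def visible_records(user_id, status, records):
    """Return only the records this user may view; every check is audited."""
    return [r for r in records if may_view(user_id, status, r)]

def development_copy(records):
    """Dummy-data substitution: keep the structure, replace restricted payloads."""
    return [r if r.label is Label.NONE and r.kind == "piece_part"
            else replace(r, payload=f"DUMMY-{r.record_id}") for r in records]

# Constructed sample records, not real data.
SAMPLE = [
    Record("P-100", "piece_part", Label.NONE, "hex bolt, steel"),
    Record("P-200", "piece_part", Label.ITAR, "radar housing spec"),
    Record("A-300", "assembly", Label.NONE, "wing skin assembly sequence"),
    Record("A-400", "assembly", Label.EAR, "avionics bill of materials"),
]

if __name__ == "__main__":
    seen = visible_records("offshore01", Status.FOREIGN_NATIONAL, SAMPLE)
    print([r.record_id for r in seen])
    print([r.payload for r in development_copy(SAMPLE)])
    for entry in AUDIT_LOG:
        print(entry)
```
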

   

That phase complete, “it’s now a matter of figuring out how we can separate out all the non-ITAR, non-EAR data and let them support the things that are OK for them to see,” Debrecht says. This phase two is sticky because the SAP production server is ultimately linked to the larger Raytheon network. “If we let them into our production network, a person with the right skills could hack into other areas within Raytheon,” he says.

   

Debrecht plans to use a secure ID setup with two-factor authentication to automatically determine who can get into the network. SAP will monitor what transactions an Indian professional can run, what tables he can modify and so forth. Raytheon would administer the system, but IBM would use it to enable its offshore subcontractors to work on the SAP system. But in order to protect the rest of the network, Debrecht must go further; Raytheon is working on a next-generation security system in conjunction with Microsoft and Cisco. But in the near term, Debrecht sees a potential solution in what he calls a terminal DMZ server. One step removed from the real network, it duplicates the information the worker needs from the network without providing actual access to the network.

   

Phase three, says Debrecht, will be figuring out a secure way to let foreign nationals onto the actual production equipment, giving them access to only the live data they are permitted to see. “That’s the final end state,” says Debrecht. “At that point there will be a separation of data, a lockdown of sensitive data, security profiles for every worker determining their level of access, and networkwide security that will prevent foreign workers from leaving the production system and getting on to the [Raytheon] network.”

   

Once Debrecht figures out how to make that work, he’ll hire an outside security corporation to come in and try to break the new system. If that attempt fails, Debrecht may succeed in enabling IBM to use its offshore facilities on the project. Of course, IBM must then comply with all the new processes and systems Raytheon Aircraft puts in place. If not, says Debrecht, IBM will have violated the initial contract, and the deal may end prematurely. “But they probably have too much at stake, as do we, to give up,” Debrecht predicts.

   

Debrecht hopes to have a secure method in place within six months that allows IBM to employ Indian subcontractors. If he does, the opportunities for sending information technology work offshore could increase dramatically. “We don’t do a lot of design or development outsourcing. But we’re talking about breaking new ground here,” he says. “This could open up other opportunities within the corporation.”

   

Ultimately, the question for companies such as Raytheon, Lockheed Martin and Northrop Grumman will be where to draw the line. Shelman could see sending HR systems, financial and even manufacturing systems offshore eventually, though he says he’d keep engineering design systems stateside. Business process outsourcing — such as data entry or accounting, whereby the provider manages the network in addition to business functions performed on that network — done by foreign nationals, for example, is also unlikely. “There’s no way to avoid using real data with BPO, and you have to ensure that your outsourcer is as careful about the data as you are,” Stern says.

   

But then again, maybe it’s possible.

   

“Once we’re able to crack the code and we’re able to do this in some kind of repeatable manner,” Debrecht says, “who knows what else we can do.”