Startup CipherCloud claims that by using its software, companies can legally upload sensitive defense-technology data to public online services

June 21, 2013, 6:38 p.m. ET

Startup Pushes Encryption, but Doubts Arise

By JOEL SCHECTMAN

Startup CipherCloud is making an impressive claim. The San Jose, Calif.-based vendor says that by using its software, companies can legally upload sensitive defense-technology data to public online services such as Google Inc.’s cloud-based email servers.

CipherCloud has gained significant traction in the burgeoning market for helping companies keep online data secure, and while its defense-related business is small, it says it has more than 1.2 million corporate end users across 10 industries. But CipherCloud’s claim—that it allows defense contractors to comply with U.S. rules governing their data—is questioned by the State Department and export-law experts interviewed by CIO Journal.

The technical issues have a bearing on how companies in a range of sensitive industries that deal in defense-related technologies can, like most other companies, begin moving their data online to obtain certain operational efficiencies. But here is where U.S. law and regulation intercede.

To prevent other nations from gaining the crown jewels of American defense technology, like fighter-jet stealth electronics, U.S. export law prohibits the international movement of both the equipment and the data that could be used to build it. Companies can store such regulated information with some cloud-technology vendors, such as Amazon.com Inc., which can guarantee that information stays within U.S. borders and that only U.S. citizens have access to servers containing that data. But many other cloud vendors don’t give such assurances.

CipherCloud says its customers are in the clear, however, if the data they store with such cloud vendors is protected using its encryption software, and if they don’t provide the codes for unlocking the data to anyone outside their company.

The U.S. government disagrees, and says the International Traffic in Arms Regulations apply even to encrypted data in the cloud, if those cloud servers are located outside the U.S. A State Department official says that while the agency is reviewing its cloud policy, “currently there is no license exemption for the use of encryption to store data in the cloud.”

Varun Badhwar, a vice president of product strategy at CipherCloud, says the regulation is moot if customers encrypt their data and keep the encryption key to themselves. “With the encryption being in the customers’ control, and not the providers’ control, it’s not ITAR data because it’s inaccessible,” he says.

CipherCloud has used this rationale to sell its technology to Novati Technologies Inc., a defense contractor that makes silicon wafers, according to Mr. Badhwar. Novati told CIO Journal that to save costs, six months ago the company migrated its email system to Google, which maintains a computing infrastructure that spans the globe. Novati uses CipherCloud to encrypt messages sent by its employees. “We are doing encryption so data stored isn’t, [and] would not [by itself] be [a] technology transfer,” says Novati’s CIO, Patrick Meyer.

CipherCloud also cites Novati’s case on its website and states: “Cloud Email Encryption Enables ITAR Compliance and Move to the Cloud.” In another news release, the company says CipherCloud “eliminates ITAR” barriers to using the cloud in the defense community.

A spokeswoman for CipherCloud says that while the government hasn’t issued specific guidance on technology recommendations related to the cloud, the company believes the rules will be changed to include encryption as a standard for compliance with the export rules. “But it takes regulators years to agree on a specific steps,” says Lise Feng, the spokeswoman for CipherCloud.

Export-control experts say ITAR should be interpreted as it is currently written, which prohibits taking sensitive information outside the U.S. for any reason other than travel, without special permission.

“It doesn’t matter if it’s encrypted or not,” says Alexandra Lopez-Casero, of the law firm Nixon Peabody LLP. “If you put a munitions item in a container from New York to Europe, it doesn’t matter if it’s in a safe container. What matters is whether it crosses an international border.”

Eric McClafferty, a Washington, D.C.-based export control attorney at the law firm Kelley Drye & Warren LLP, says: “It is still an export. If the data crosses a border, it doesn’t matter whether it’s encrypted or not.”

Mr. Meyer says CipherCloud isn’t the only way Novati ensures it complies with the export regulation. The company also uses an automated keyword search on outbound emails to sift out ones that appear most sensitive, routing those to a more secure message system. Still, Mr. Meyer says, there is “a risk that ITAR data will be erroneously routed” to its Gmail service.

In a later interview, Mr. Meyer emphasized that the CipherCloud encryption is just one step he takes to ensure compliance with this regulation. For example, the company discourages emailing of sensitive data. “I could be compliant without [CipherCloud],” Mr. Meyer said. “It’s a safety net to make sure something doesn’t go out of our other controls.”

An industry advisory body to the State Department, called the Defense Trade Advisory Group, has asked the U.S. to redefine “export” to exclude encrypted data, according to a May presentation reviewed by CIO Journal. “Establishing a level of encryption deemed adequate to protect and secure ITAR controlled data would protect the Cloud user; enable full use of the Cloud for storage purposes; and protect the data from unauthorized access and the potential of an unintended export,” the group said in a May white paper.
