Export Controls: National Security Risks and Revisions to Controls on
Computer Systems (Testimony, 03/23/2000, GAO/T-NSIAD-00-139).

Pursuant to a congressional request, GAO discussed its recent reports
concerning the export controls for high performance computers, focusing
on how the executive branch: (1) assesses the national security risks
associated with the export of high performance computers going to
countries of concern; and (2) determines when the exports of computers
at existing performance levels can no longer be controlled.

GAO noted that: (1) the executive branch has not yet clearly articulated
the specific national security interests to be protected in controlling
the export of computers at various performance levels, nor has it stated
how countries of military concern could benefit from using such
computers; (2) without a clear statement of these interests, it is
unclear how the executive branch determines what are militarily critical
applications that may affect U.S. national security; (3) in addition,
the executive branch has revised export controls on computers because it
believes that these machines, at the previously approved levels, had
become so widely available in the market that their export is
uncontrollable; and (4) however, GAO could not assess the justification
for the July 1999 export control levels because the terms "widely
available" and "uncontrollable" used to explain the policy change are
not clearly defined and are not found in law or regulation.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-NSIAD-00-139
     TITLE:  Export Controls: National Security Risks and Revisions to
	     Controls on Computer Systems
      DATE:  03/23/2000
   SUBJECT:  Export regulation
	     Technology transfer
	     Supercomputers
	     Dual-use technologies
	     Foreign trade policies
	     Nuclear proliferation
	     International trade restriction
	     Internal controls
	     Reporting requirements
IDENTIFIER:  China
	     Russia
	     India
	     Israel
	     Joint Strike Fighter

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Testimony.                                               **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************

Testimony

Before the Committee on Armed Services, U.S. Senate

For Release on Delivery

at 9:30 a.m.

Thursday, March 23, 2000

EXPORT CONTROLS

National Security Risks and Revisions to

Controls on Computer Systems

Statement of Harold J. Johnson, Associate Director, International Relations
and Trade Issues, National Security and International Affairs Division

GAO/T-NSIAD-00-139

Mr. Chairman and Members of the Committee:

I am pleased to be here today to discuss export controls for high
performance computers. My testimony is based on work that we have conducted
over the past 3 years, particularly the reports we issued in 1998 and 1999.

U.S. policy with respect to the export of sensitive technology, including
computers, is to seek a balance between the U.S. economic interest in
promoting exports with its national security interests in both maintaining a
military advantage over potential adversaries and denying the spread of
technologies used in developing weapons of mass destruction. The United
States has long controlled the export of high performance computers to
sensitive destinations, such as Russia and China. These computers have both
civilian (dual use) and military applications and technological advancements
in computing power have been rapid. The Department of Commerce has primary
responsibility for managing the licensing of these dual-use items and
weighing the promotion of commercial interests in exporting items against
the protection of national security interests. For the past several years,
there has been continuing congressional concern about and debate over
whether our national security is being harmed by relaxing export controls on
high performance computers and over the rationale for subsequent revised
controls.

Today, I will discuss our observations about how the executive branch (1)
assesses the national security risks associated with the export of high
performance computers going to countries of concern and (2) determines when
the exports of computers at existing performance levels can no longer be
controlled.

RESULTS IN BRIEF

The executive branch has not yet clearly articulated the specific national
security interests to be protected in controlling the export of computers at
various performance levels, nor has it stated how countries of military
concern could benefit from using such computers. Without a clear statement
of these interests, it is unclear how the executive branch determines what
are militarily critical applications that may affect U.S. national security.
In addition, the executive branch has revised export controls on computers
because it believes that these machines, at the previously approved levels,
had become so widely available in the market that their export is
uncontrollable. However, we could not assess the justification for the July
1999 export control levels because the terms "widely available" and
"uncontrollable" used to explain the policy change are not clearly defined
and are not found in law or regulation.

Background

The U.S. export control system is about managing risk; exports to some
countries involve less risk than to other countries and exports of some
items involve less risk than do other items.

Under U.S. law, the President has the authority to control and require
licenses for the export of items that may pose a national security risk or
foreign policy concern. The President also has the authority to remove or
revise those controls as U.S. concerns and interests change. The U.S. export
control system is administered by two agencies. The Commerce Department,
through its Bureau of Export Administration, licenses sensitive dual-use
items (items with both civil and military uses) under the Export
Administration Act of 1979, as amended (P.L. 96-72). The State Department,
through its Office of Defense Trade Controls, licenses munitions items under
the Arms Export Control Act (P.L. 90-629). Since the end of the Cold War,
the number of items subject to export controls has been significantly
reduced. For example, while 10 years ago, the Commerce Department reviewed
about 100,000 license applications annually, today that figure is down to
about 12,000 applications per year.

The U.S. government controls the export of high performance computers to
certain countries based on foreign policy and/or national security concerns.
High performance computers and related components (such as, processors) are
controlled under the Export Administration Act, as continued by executive
order, and the Export Administration Regulations. Executive Order 12981
authorizes the Departments of State, Energy, and Defense to review export
applications and to consider export control policy.

Since 1993, the President has revised U.S. export control requirements for
high performance computers four times, including a revision announced in
February 2000. A revised export control policy implemented in January 1996
removed license requirements for most exports of computers with performance
levels up to 2,000 millions of theoretical operations per second (MTOPS) (an
increase from 1,500 MTOPS). The policy also organized countries into four
computer "tiers," with each tier after tier 1 representing a successively
higher level of concern related to U.S. national security interests. A
dual-control system was established for the 50 tier 3 countries, including
China, Russia, India, and Israel: a license for potential military end-users
is required at a lower MTOPS threshold than the threshold for civilian
end-users. High performance computer exports to countries in tier 4 (for
example, Iran, Iraq, and Libya) were essentially prohibited because of
national security and foreign policy concerns about these countries.

The Fiscal Year 1998 National Defense Authorization Act (P.L. 105-85)
modified the policy for determining whether an individual export license is
needed and required exporters to notify the Commerce Department of any
planned sales of computers with performance levels greater than 2,000 MTOPS
to tier 3 countries. This level subsequently was increased to 6,500 MTOPS
effective January 2000. If the Department of Commerce, Defense, State, or
Energy, each of which reviews these notifications, objects to the export
within 10 days, the exporter must then submit a license application.

In addition, the act required the President to submit a report to Congress
justifying any changes to the control levels for the notification process
for the export of high performance computers to tier 3 countries. The act
requires the report, at a minimum, to (1) address the extent to which high
performance computers with capabilities between the established level and
the new proposed level of performance are available from other countries,
(2) address all potential uses of military significance to which high
performance computers at the new levels could be applied, and (3) assess the
impact of potential military uses on U.S. national security interests. We
reviewed the report submitted by the President on July 27, 1999, proposing
changes to the current export control levels for high performance computers.
We reported in November 1999 that the report did not fully satisfy the
reporting requirements of the act. In particular, it did not assess the
impact of the military uses of high performance computers on U.S. national
security concerns.

On February 1, 2000, the President announced changes to the current export
control levels for high performance computers. These changes included
raising the performance threshold for computer exports that require a
license for (1) tier 2 countries from 20,000 MTOPS to 33,000 MTOPS and (2)
tier 3 countries from 6,500 MTOPS to 12,500 MTOPS for military end-users and
from 12,300 MTOPS to 20,000 MTOPS for civilian end-users. The announcement
indicated that the changes for tier 3 military end-users are to become
effective in 6 months, while the changes for tier 3 civilian end-users
become effectively immediately. The changes also raised the performance
threshold for computer exports that require a notification to Commerce for
tier 3 countries from 6,500 MTOPS to 12,500 MTOPS. By law, Congress has 6
months to review this decision, after which the change in notification
levels will go into effect.

ASSESSING NATIONAL SECURITY RISKS FOR

COMPUTER EXPORTS

Under U.S. export control policy, an analysis of establishing or revising
controls on computers and other sensitive commodities generally is made in
the context of the U.S. desire to limit the spread of technologies useful in
both developing weapons of mass destruction and protecting the military
capabilities of the United States and its allies. In many ways, the threat
posed by an export is a relative one; that is, the threat depends on the
U.S. capability to respond to enhancements the export would bring to the
potential adversary's military capabilities. In order to maintain military
superiority, the United States needs not only to control the spread of
militarily sensitive technologies, but also to invest in leading edge
technologies. However, this investment leads to the leading technologies of
today becoming the "mass market" items in the future. Therefore, the United
States must also quickly incorporate existing technologies into current and
next generation weapon systems and manage the release of technology into the
world market to "stay ahead of the curve."

While there appears to be general consensus that controlling high
performance computers at some level is important to maintaining U.S.
national security, DOD and the executive branch have not clearly articulated
the specific national security interests to be protected in controlling the
export of computers at various performance levels. In addition, they have
not stated how countries of concern could benefit from using such computers.
Without a clear analysis and explanation of the national security interest
in controlling the export of high performance computers, the U.S. government
cannot determine (1) what militarily critical computer applications need to
be controlled or (2) the most effective way of implementing computer export
controls. If such an analysis were made, it might also lead to a conclusion
that the current reliance on MTOPS as the sole measure of a computer's
sensitivity would no longer be appropriate. Indeed, with the rapid changes
in computer architectures and the growth of what is called "distributed"
computing, new approaches may be necessary to protect the national security
interests in limiting potential adversaries' use of such machines in their
research and development programs and their deployed weapon systems.

To illustrate the importance of identifying potential national security
risks of computer exports, let me briefly highlight for you some of the
military applications of high performance computers that have been
identified in some Commerce- and Defense Department-sponsored studies. These
studies were conducted in 1995 and 1998 to support decisions on revising
export controls over these computers.

   * The Joint Strike Fighter has been designed using computers with 4,000
     to 6,000 MTOPS of capability. Computers in this range now can be
     exported to military end-users in Russia or China without a license.
     Licenses for military end-users in these countries are required only
     for computers with performance levels above 6,500 MTOPs.

   * Computers at 8,000 to 9,000 MTOPs are used for algorithm development
     for shipboard infrared search and track systems and modeling of
     submarine bottom designs for shallow water operations. While these
     computers currently require a license for export to military end-users
     in tier 3 countries, they would not be controlled under newly revised
     controls announced by the President on February 1 of this year. Under
     these new controls, only computers with more than 12,500 MTOPs that are
     to be exported to military end-users in countries like Russia and China
     would require a license.

   * Designing submarines involves simulations of transmitting sounds
     through structures and in water, which are conducted at computer
     performance levels that are only slightly greater than the thresholds
     for which tier 3 countries may receive computer exports without a
     license. A Commerce- and Defense Department-sponsored study identified
     the use of a 21,000 MTOPS machine for this purpose. Some other related
     applications, such as acoustic sensor development and associated
     acoustic modeling, are executed on computers with performance only
     slightly greater than 20,000 MTOPS.

More generally, the 1995 Commerce- and Defense-sponsored study stated that
there are research, development, test and evaluation applications at or
above the 20,000 MTOPS level of great national security significance, the
proliferation of which should be strictly controlled. With the executive
branch's February export control change, high performance computers up to
20,000 MTOPS will be available to countries like Russia and China without a
license. The appendix provides additional information on selected military
applications for high performance computers.

DETERMINING WHEN COMPUTER EXPORTS

CAN NO LONGER BE CONTROLLED

The previous examples illustrate the basis of our 1998 report's conclusion
that the executive branch should clearly articulate the specific national
security interests in limiting computer exports to potential adversaries
when revising controls on high performance computers. In this regard, our
September 1998 report recommended that the Secretary of Defense assess and
report on the national security threat and proliferation impact of U.S.
exports of high performance computers to countries of national security and
proliferation concern. We specified that, at a minimum, the assessment
should address (1) how and at what performance levels countries of concern
use these computers for military modernization and proliferation activities,
(2) the threat of such uses to U.S. national security interests, and (3) the
extent to which the export of such machines is controllable. The President's
July 1999 report justifying changes to the control levels for computers did
report that computers at all computing levels are important from the lowest
performance levels to the highest. This conclusion, however, is general and
was not supported by the level of analysis we recommended in our report, and
does not address the serious concerns about the growing availability of high
performance computers raised in the Commerce- and Defense
Department-sponsored study issued in November 1995.

Although the examples just provided use MTOPS, this should not be construed
to mean that MTOPS is the benchmark that should be used. Such a measure does
not take into account advances in computer architectures that now allow the
development of a large-scale, massively parallel computing resource from a
cluster of commodity computing and networking components. In essence, by
combining a number of readily available computers and networking components
that would not require an export license, an organization can produce a very
high powered computing resource. The operating system software that is
necessary to utilize this resource is readily available from the Internet.
However, a high performance computer by itself does not convey the ability
to solve complex problems because application software is also necessary to
conduct the proper analyses.

The task I have just described for the executive branch is not an easy one.
It involves addressing difficult issues in an area of rapid technological
change. Questions about the use of technology, the computer market, and
DOD's own acquisition programs must be answered. Some key questions include
the following: Does U.S. national security interest include maintaining a
relative computing power advantage in deployed weapon systems (for example,
air defense radar or command and control systems)? Are different strategies
necessary to respond to the threats posed by the use of high performance
computers in research and development and in deployed weapon systems? Will
the availability of high performance computers help other countries develop
and deploy new weapons or allow them to counter U.S. superiority in certain
military applications? Does the growth of distributed computing make the use
of MTOPS obsolete as an export control measure by which to restrict computer
exports?

Before leaving this topic, I want to point out that a critical analysis of
national security applications of concern may lead to conclusions that are
very different regarding export control levels than are currently in place
or being proposed by the executive branch. Indeed, DOD may conclude that
significant national security concerns involve computer performance levels
that are higher than current control levels.

While the executive branch has not clearly articulated the national security
interests in controlling high performance computers, it has developed a
general explanation for its export decontrol decisions. In short, these
decisions are based on conclusions that these computers are becoming widely
available and, therefore, are uncontrollable.

It is important to note that the President's 1999 report to Congress
concluded that there are militarily significant applications in the new
control range, and, if not for their widespread availability, these
applications would need to be controlled. These applications include
advanced aircraft design, antisubmarine warfare sensor development, and
radar applications. Consequently, the new control levels were not based on
an assessment that these higher computing performance levels do not involve
national security applications but rather that computers in this performance
range are so widely available that they are uncontrollable.

Our November 1999 review of the changes in export control levels indicated
that the administration's conclusions that the capabilities of high
performance computers and related components, from both domestic and foreign
sources, are generally increasing were supported because the United States
does not generally control the export of computer processors and components.
However, most sources of this supply are U.S. companies. Our earlier 1998
review reported that subsidiaries of U.S. computer manufacturers dominate
the overseas high performance computer market and they must comply with U.S.
controls. The 1998 study sponsored by DOD and Commerce similarly found that
the United States dominates the international computer market, at least in
the mid- and high-range performance categories. Under current regulations,
computer processors that perform up to 3,500 MTOPS can be directly exported
to civilian end-users in many tier 3 countries including China and Russia.
Exports of processors to such users in many other tier 3 countries, such as
Israel and Saudi Arabia, are not subject to any MTOPS limit that requires a
license. Exports of other key components for computer systems with four and
eight processors are also not generally controlled; these parts can be
shipped to tier 3 countries for civilian end-users, which could then use
them to support the assembly of computers.

The administration's latest changes in the control levels for high
performance computers were based on a determination that high performance
computing capability is becoming increasingly available. For example, the
1999 changes in control levels were based on the conclusion that these
capabilities are widely available and are therefore uncontrollable. The
President's July 1999 report to Congress explaining these changes stated
that due to the rapid advances in processor speeds and related technologies,
foreign countries can obtain high performance computers directly or
indirectly from a vendor, a reseller, or another third party or assemble
such a computer using U.S. processors and components. According to
administration officials, the specific export control levels announced in
July 1999, and that went into effect in January 2000 for tier 3 military
end-users, were based on the expected performance levels of computers using
four and eight Intel Pentium processors that are projected to be on the
market in July 2000.

While we found evidence to support the report's conclusion that computers
with greater capabilities and related components are becoming increasingly
available, we could not assess the administration's determination that
computers rated below the new control levels are so widely available that
they are effectively uncontrollable. An assessment of controllability
involves critical evaluations of when and in what quantities an item should
be considered so widely available as to be uncontrollable, and is dependent
upon the resources applied by government and industry to control such
exports. However, "widely available" and "uncontrollable" are terms not
defined in current export control laws or regulations. Defense and Commerce
Department officials stated that the analysis they prepared in support of
the President's report relied on definitions that were developed in 1995 and
1998 studies they jointly sponsored. However, the discussion of the terms in
these studies is general and without measurable criteria. Further, there is
no mention in the President's 1999 report to Congress justifying the
announced computer control revisions that defines how these concepts have
been applied in setting the new export control levels. Thus, except to agree
with the general conclusion in the President's report that the availability
of computing power in the commercial marketplace is increasing, we could not
determine if the executive branch is correct in concluding that export
controls had to be relaxed for high performance computers. Consequently, our
1999 report recommended that the administration develop specific criteria
defining both "widely available" and "controllability."

This discussion brings me to one final point. The Senate bill (S. 1712) to
establish a new Export Administration Act uses the term "mass market status"
as one determinant for relaxing export controls. This term is defined very
similarly to how the administration appears to use the term "widely
available" as it relates to high performance computers. Both terms imply
that an item is so commercially available that it cannot be controlled, but
without providing the quantifiable measures necessary to make such an
analysis. S. 1712 does provide a number of general criteria that might be
helpful in making decisions about controlling the export of high performance
computers. However, in developing the implementing regulations, Commerce may
wish to provide more objective and empirical criteria to use in making these
decisions. If it does not, then when this rather subjective standard is
applied in the future to items controlled under the act, it will be
difficult to assess whether this standard was applied appropriately.

- - - - -

Mr. Chairman, this concludes my prepared testimony. I would be happy to
respond to any questions you or other members may have.

CONTACT AND ACKNOWLEDGEMENT

For future contacts regarding this testimony, please contact Harold J.
Johnson at (202) 512-4128. Individuals making key contributions to this
testimony included, F. James Shafer and Jeffrey D. Phillips.

Appendix Performance Levels of Computers That Support Selected Applications
of Military Significance
 Computer performance
 level (MTOPS)           Applications
                         Joint Attack Strike Aircraft design;
 4,000 to 6,000          nonacoustic antisubmarine warfare sensor
                         development; advanced synthetic aperture
                         radar computation
                         Bottom-contour modeling of shallow water in
 8,000 to 9,000          submarine design; some synthetic aperture
                         radar applications; algorithm development for
                         shipboards' infrared search and track
 10,457 to 21,125        Nuclear blast simulation
                         Computational fluid dynamics applications to
 15,500 to 17,500        model the turbulence around aircraft under
                         extreme conditions
                         Weather forecasting; impact of blasts on
 20,000 to 22,000        underground structures; advanced aircraft
                         design

 21,125+                 Submarine design; shallow water acoustics
                         analysis

 24,000+                 Automatic target recognition template
                         development
 = 120,000               Multi-line towed array signal processing

Sources: Building on the Basics: An Examination of High-Performance
Computing Export Control Policy in the 1990s (1995) and High-Performance
Computing, National Security Applications, and Export Control Policy at the
Close of the 20th Century.

(711514)

ORDERS BY INTERNET

For information on how to access GAO reports on the INTERNET, send an e-mail
message with "info" in the body to

HYPERLINK mailto:[email protected] [email protected]

or visit GAO's World Wide Web Home Page at

HYPERLINK http://www.gao.gov http://www.gao.gov

TO REPORT FRAUD, WASTE, AND ABUSE

IN FEDERAL PROGRAMS

Contact one:

   * website: HYPERLINK http://www.gao.gov/fraudnet/fraudnet.htm
     http://www.gao.gov/fraudnet/fraudnet.htm

   * e-mail: HYPERLINK mailto:[email protected] [email protected]

   * 1-800-424-5454 (automated answering system)

  
*** End of document. ***