TLJ News from July 1-5, 2006

GAO Reports that BIS Has Failed to Justify Its High Performance Computer Control Threshold

7/5. The Government Accountability Office (GAO) wrote a letter [21 pages in PDF] to Congressional committees titled "President's Justification of the High Performance Computer Control Threshold Does Not Fully Address National Defense Authorization Act of 1998 Requirements".

The Department of Commerce's (DOC) Bureau of Industry and Security (BIS) regulates and licenses the export of high performance computers, and related products and activities, pursuant to the Export Administration Act of 1979 (EAA). The EAA expired in 2001, and is no longer a statute in effect. Nevertheless, the BIS continues to promulgate and enforce regulations that implement the EAA.

The GAO report notes that the National Defense Authorization Act of 1998 (Public Law No. 105-85) "requires that the President provide a justification to Congress for changing the control threshold for exports of high performance computers to certain sensitive countries."

President Bush revised the control thresholds in February of 2006. He wrote a letter to Congressional leaders on February 6, 2006, in which he stated that "In accordance with the provisions of section 1211(d) of the National Defense Authorization Act for Fiscal Year 1998 (Public Law 105-85), I hereby notify you of my decision to establish a new level for the notification procedure for digital computers set forth in section 1211(a) of Public Law 105-85. The new level will be 0.75 WT (Weighted TeraFLOPS)."

Also, the BIS published its updated high performance computer (HPC) rules on April 24, 2006. See, notice in the Federal Register, April 24, 2006, Vol. 71, No. 78, at Pages 20876-20894.

Neither the BIS nor the Executive Office of the President has published the text of the President's February 2006 report on their web sites. A BIS representative declined to provide a copy to TLJ.

The GAO report states that "The President's February 2006 report did not fully address the three requirements of the National Defense Authorization Act of 1998. Therefore, the report did not present the full implications of the threshold change to Congress."

It elaborates that "Although the President's report indicated that foreign computing capacity below the new control level is currently widely available, agency officials (1) did not adequately document how they established the new export control threshold at 0.75 WT on the basis of their assessment of worldwide availability and (2) could not document that they verified key information used in their decision."

The GAO report also finds that the President's report "did not adequately assess the potential military uses of computers with performance capabilities at the new threshold (0.75 WT)." For example, it states that the "report could have disclosed, but did not, that U.S. government officials had identified 15 high performance computing platforms that would no longer need to be reviewed for a license at the new control threshold."

The GAO report also finds that "Since the President's report did not adequately assess the potential military uses of computers at the proposed new threshold of 0.75 WT, it did not assess the impact that militarily significant uses of those computers would have on U.S. national security."

More News

7/3. The National Institute of Standards and Technology's (NIST) Computer Security Division released its Draft Special Publication 800-78-1 [22 pages in PDF], titled "Cryptographic Standards and Key Sizes for Personal Identity Verification". The deadline to submit comments is 5:00 PM on October 2, 2006.
