Exporting Risk


export regulatory compliance

The red flags around Peter Zuccarelli were plain to see: Two failed businesses and another in dire financial trouble. Multiple lawsuits against him and his companies. A tax lien on his home. Zuccarelli was the perfect mark for foreign intelligence operatives looking to procure advanced technology that their own local companies could not produce. By the time authorities caught up with him, he had successfully purchased and shipped radiation-hardened integrated circuits to China and Russia. These highly sensitive microchips are manufactured to withstand extreme environmental conditions, making them essential hardware for military systems like satellites and missiles. As such, their sale and distribution are tightly controlled. Only U.S. companies or foreign buyers that are approved by the U.S. government can purchase them. In August 2017, Zuccarelli pled guilty to facilitating illegal exports.

In addition to the Zuccarelli case, Alexander Posobilov was sentenced to 135 months in prison in February 2017 for illegally exporting an estimated $50 million worth of sensitive microelectronics and other military technologies to Russia between 2008 and 2012. Last June, Imran Khan pled guilty to illegally exporting a high-tech radiation detection device called an alpha duo spectrometer to Pakistani government agencies, allegedly intended for use in their nuclear program.

Indeed, last year was a busy one for the Justice Department’s Counterintelligence and Export Control Section and the Department of Commerce’s Bureau of Industry and Security. The two units are integral parts of the government’s efforts to safeguard America’s technological and military advantages. In 2017, the Justice Department announced criminal charges, enforcement actions or convictions in 15 cases involving foreign organizations (or their proxies in the United States) attempting to procure export-controlled items in violation of U.S. regulations and sanctions.

Perhaps most notably, in March 2017, China’s ZTE Corporation pled guilty to charges that it illegally shipped telecommunications equipment to Iran and North Korea. The company was fined a record $1.19 billion by the Department of Commerce and the Treasury Department and later banned from buying American components and services after additional violations. (President Trump has since indicated he may reverse the sanctions, however.)

Companies in the United States, particularly any that produce “dual-use” items—those with both commercial and military applications—have to be careful when vetting potential customers. For companies that sell directly to a known front company or barred entity, there can be major repercussions. Businesses are expected to check the Specially Designated Persons/Entities List maintained by the Department of Commerce, and if one sells to an individual or company on this list, it will be hit with civil charges and penalties.

For example, in 2014, Intersil Inc. sold radiation-hardened integrated circuits to a Hong Kong-based company on the SDE list. It was hit with $10 million in export control violations on a transaction that only netted them around $17,000. Potential fines and jail time are not the only risks companies face from such transactions—they are also jeopardizing their intellectual property. Most of these firms specialize in intricately designed and manufactured products, and a goal of Chinese, Russian and other intelligence entities is to be able to reverse-engineer these products before giving them to a local firm to recreate. Companies that lose control of their intellectual property could eventually find themselves competing against what is essentially their own product.

Identifying Red Flags

The cases of Zuccarelli, Posobilov and Khan are instructive because they have a number of factors in common. In each case, U.S.-based businessmen were caught purchasing technology for illegal export. Zuccarelli, Posobilov and Khan were all owners or officers of smaller companies that could access just about anything in the U.S. market, but were still small enough to limit detection. More importantly, sensitive, military-grade technology was sold in circumstances where “red flag” information would have been discovered with just a few minutes of internet searching or a follow-up phone call.

For example, Zuccarelli somehow managed to convince an unnamed U.S. firm to sell him radiation-hardened integrated circuits by saying he was planning to use the devices for his company, American Coating Technologies. As the company supposedly developed protective coatings for eyeglasses, it is hard to imagine why he would need such technology in his line of business.

Red flags surrounded Posobilov and Khan as well. Posobilov asked his sellers to ship advanced tech products to a post office box in South Carolina, where his firm, ARC Electronics, was domiciled. The company claimed to be a manufacturer of traffic lights, despite having no physical manufacturing plant. In addition, the ARC Electronics website was very rudimentary and featured an outdated banner at the top of the home page reading “All of our products are Y2K compliant!” This lack of attention to detail also should have called into question his firm’s ability to carefully handle export-controlled items.

The firm that sold an alpha duo spectrometer to Imran Khan would not have found much about his companies online, as neither of his two businesses—Brush Locker Tools and Kauser Electronics USA—had a website. The only public information on these firms was that they were both distributors and resellers and that Kauser Electronics had an affiliation with Kauser Electronics of Pakistan. Both facts should have prompted follow-up to obtain more information about who would ultimately receive the goods. Khan’s request to send the spectrometer to his home address also should have prompted pause from the seller, knowing this is not normal practice for such products.

In general, there are key red flags that companies in any industry must consider to avoid the risks of illegal export transactions. Taken individually, none of these red flags portend to nefarious intent, but one or more should draw greater scrutiny:

  • Stated use does not make sense: The customer’s proposed use of the product does not appear to match their line of business.
  • Customer is difficult to contact: From large operations to mom and pop shops, an analyst should be able to contact a buyer within a day or so. Multiple failed attempts to contact the customer should raise substantial suspicion.
  • Customer has little or no internet presence: Given the prevalence of e-commerce, company websites that have not been updated in years, have obvious misspellings, or lack product photos should prompt further investigation.
  • Customer places an unusually large order or wants to use non-traditional payment methods: Look closely at the buyer to better understand how feasible a transaction could be. Is a small operation likely to buy $100,000 worth of microelectronics with no advance notice? Does an established mid-size or large company make a $2 million purchase with cash? Not usually. Especially if a company produces niche hardware or software, transactions are more often planned out with greater care. Most established companies will run a line of credit for such purchases. If a customer wants to make a big purchase or pay in non-traditional ways, there is a greater chance that the funds are coming from a suspicious source.
  • Customer makes unusual ­shipping requests: Most businesses do not have sophisticated supplies or subcomponents shipped to a residential address. If an established mid-size or large manufacturing company only has a post office box, then more questions need to be asked. If a customer does not want to be identified on a shipping label or gives the name of another entity entirely, pick up the phone for an explanation.
Practicing Due Diligence

Perhaps the companies selling their products to these men did, in fact, follow up. Maybe they fell victim to brilliant con artists. But year after year, the list of violations indicates that some U.S. manufacturers of advanced dual-use technology are not taking seriously their obligation to prevent their products from being sold to foreign governments and companies that should not have access to them. Not only does this lack of due diligence undermine the competitive advantage of these companies once their products are successfully reverse-engineered, but it could lead to national security issues if the products in question are used by hostile foreign powers to create weapons.

To properly monitor potentially sensitive transactions and better respond to red flags, organizations need to take the following actions:

  • Establish direct communication with relevant agencies: The Department of Commerce’s Bureau of Industry and Security (BIS) and the State Department’s Directorate of Defense Trade Controls (DDTC) are more than willing to assist in verifying a legitimate sale. Both agencies also have extensive lists of individuals and companies that have been barred from trading in sensitive technologies due to prior bad behavior. Check these lists often to see if they include an individual or firm you might be considering doing business with.
  • Develop an analytical framework: A framework should begin with the identification of company products most likely to be targeted. Then, develop a questionnaire for potential buyers of these sensitive products. How are they going to use the product? Who is the end user? Will your product or a resulting product that includes yours be shipped overseas? If so, where?
  • Establish a dedicated group of due diligence analysts: Depending on the size and scale of your business, this could range from one person on a part-time basis to a team of dozens. Someone should be looking over orders to match the purchaser with the intended use of the company’s products. These analysts need to be able to quickly work through the analytical framework to identify transactions and customers that are worthy of follow-up. While legitimate customers should not have a problem with additional inquiries, illicit operations may push back.
  • Understand customer trends: Most companies build some sort of profile on customers, whether they are repeat buyers or large purchasers. While technology companies can have diverse product lists, trends will emerge over time as many buyers will be similar enough in size, industry segment and use-cases for customer profiles to be developed. This is great for customer service and tracking the market for growth, but it is also vital for quickly identifying anomalous orders that merit additional due diligence.

U.S. firms that build and sell dual-use products must be able to demonstrate a level of inquiry that is consistent with the high level of risk associated with selling to a foreign intelligence entity. The Justice Department has been very demanding of banks to show they did all they could to avoid abetting money laundering that could aid terrorists or drug cartels. Selling advanced technology to foreign organizations is just as dangerous and firms must take every possible step to ensure they are behaving responsibly.


More articles by »

About the Author

Kevin Norton is a risk analyst and auditor at Verizon Communications Inc. and a former counterintelligence analyst for the Department of Defense.


Leave a reply