ITAR and The Cost of Compliance


A version of this article first appeared in the December 2018 edition of our free newsletter, to subscribe click here

I have many friends who run businesses in the US. They offer technical services to the aerospace development just like we do. Because they are US based businesses staffed by US citizens they can (in theory) carryout out defense related work.


As Abbott Aerospace is a Non-US corporation staffed by non-US people we do not even try to chase US defense related work. This is not a bad thing. While my US friends are chasing the ‘Defense Dollar’ we can concentrate on the civil sector.

One of my very good friends has seen the effort required to maintain compliance with the clients security policies balloon over the last couple of years. Being a small supplier to any project that requires ITAR compliance requires such a high level of effort they are finding that they will have to increase their charge rates significantly or drop out of that type of work.

Not only are there the measures that you have to take in terms of data integrity, transfer and security, companies procedures and policies and vetting of the people who work for you, there are also the audits you have to take part in and the reporting on your procedures.

Small businesses who do not have a dedicated ITAR compliance office or person have to bear the significant burden of this effort.

Small business offer a more efficient service because they do not carry the fixed cost overheads of larger corporations. This doesn’t mean that they have a larger margin and often make less money per head than much larger corporations. It does mean that they can operate at a higher commercial risk because of smaller fixed costs and their reaction time in shedding variable costs to match their revenues.

Smaller companies are often less efficient but offer greater value.

If any national defense procurement agency are looking to reduce costs they should be looking to smaller companies who offer greater value.

Current US defense security regulations force small companies to take on additional costs (fixed and variable), reduce their efficiency further and force them to raise their charges to reduce their overall value to the client.

It reduces a small companies competitive advantage and favours larger companies. 

So the question is – is this an effective way to increase the security of the design and development process of the defense industry?

The quick answer is no.

Most small contracting companies do not work on very sensitive aspects of defense projects and the information that they handle is not of great interest to foreign bodies/governments. 

Quite often the security protocols and standards are applied to what are essentially retail items. I have been barred from seeing the product specifications on US projects for the Canadian products that I helped develop in Canada. Anyone can buy them and get hold of the product and the specifications.
When all you have is a giant catch-all piece of badly written legislation everything looks like a nail.

Any foreign power knows where the good stuff is kept – it is kept inside the military and the high level large subcontractors. Going after thousands of small subcontractors, hacking their systems and trying to parse out the almost non existent useful technical information is a flagrant misuse of their espionage resources.

This type of action may be a significant threat if the higher level espionage targets were impossible to crack. This is not the case as the ITAR regulations do not address the corruptibility of the individuals working at the higher level organizations.

It is similar level of effort and result to the kabuki theater of airport security. It looks good, it adds a significant amount of expense, it is applied without thought or any level of discernment and does not address the main security weak points or solutions…….that is a different conversation.

As the implementation of ITAR does not address the actual critical security issues of the US defense development and every new Chinese military product looks eerily like their US counterparts it’s effectiveness in preventing espionage is debatable.

To Summarize:

  • ITAR is applied indiscriminately and illogically
  • ITAR does makes smaller contractors less attractive as they cannot operate at the same level of value that they used to.
  • ITAR therefore favors larger organizations by disproportionately impacting the relative efficiency of smaller competitors.
  • ITAR does create a market need for consultants and compliance experts as the policies and regulations that surround the legislation are complex and the penalty for failure to comply are excessive.
  • ITAR does not seem to have an effect on the amount of and quality of classified information that is available to non-US bodies.

Comparison of F-35 to the Chinese J31

ITAR in action.

So what does ITAR do? What is the benefit? Is it largely invisible and we can never know the critical aspects of US defense technology that are kept secret by ITAR that otherwise would be vulnerable to foreign agents.

The visible effects are to favor large companies over small and to significantly increase the overall cost of development in a way that does not appear to increase security in a meaningful way.

What do you think?

Comment On This Post

Your email address will not be published. Required fields are marked *

ITAR and The Cost of Compliance


A version of this article first appeared in the December 2018 edition of our free newsletter, to subscribe click here

I have many friends who run businesses in the US. They offer technical services to the aerospace development just like we do. Because they are US based businesses staffed by US citizens they can (in theory) carryout out defense related work.


As Abbott Aerospace is a Non-US corporation staffed by non-US people we do not even try to chase US defense related work. This is not a bad thing. While my US friends are chasing the ‘Defense Dollar’ we can concentrate on the civil sector.

One of my very good friends has seen the effort required to maintain compliance with the clients security policies balloon over the last couple of years. Being a small supplier to any project that requires ITAR compliance requires such a high level of effort they are finding that they will have to increase their charge rates significantly or drop out of that type of work.

Not only are there the measures that you have to take in terms of data integrity, transfer and security, companies procedures and policies and vetting of the people who work for you, there are also the audits you have to take part in and the reporting on your procedures.

Small businesses who do not have a dedicated ITAR compliance office or person have to bear the significant burden of this effort.

Small business offer a more efficient service because they do not carry the fixed cost overheads of larger corporations. This doesn’t mean that they have a larger margin and often make less money per head than much larger corporations. It does mean that they can operate at a higher commercial risk because of smaller fixed costs and their reaction time in shedding variable costs to match their revenues.

Smaller companies are often less efficient but offer greater value.

If any national defense procurement agency are looking to reduce costs they should be looking to smaller companies who offer greater value.

Current US defense security regulations force small companies to take on additional costs (fixed and variable), reduce their efficiency further and force them to raise their charges to reduce their overall value to the client.

It reduces a small companies competitive advantage and favours larger companies. 

So the question is – is this an effective way to increase the security of the design and development process of the defense industry?

The quick answer is no.

Most small contracting companies do not work on very sensitive aspects of defense projects and the information that they handle is not of great interest to foreign bodies/governments. 

Quite often the security protocols and standards are applied to what are essentially retail items. I have been barred from seeing the product specifications on US projects for the Canadian products that I helped develop in Canada. Anyone can buy them and get hold of the product and the specifications.
When all you have is a giant catch-all piece of badly written legislation everything looks like a nail.

Any foreign power knows where the good stuff is kept – it is kept inside the military and the high level large subcontractors. Going after thousands of small subcontractors, hacking their systems and trying to parse out the almost non existent useful technical information is a flagrant misuse of their espionage resources.

This type of action may be a significant threat if the higher level espionage targets were impossible to crack. This is not the case as the ITAR regulations do not address the corruptibility of the individuals working at the higher level organizations.

It is similar level of effort and result to the kabuki theater of airport security. It looks good, it adds a significant amount of expense, it is applied without thought or any level of discernment and does not address the main security weak points or solutions…….that is a different conversation.

As the implementation of ITAR does not address the actual critical security issues of the US defense development and every new Chinese military product looks eerily like their US counterparts it’s effectiveness in preventing espionage is debatable.

To Summarize:

  • ITAR is applied indiscriminately and illogically
  • ITAR does makes smaller contractors less attractive as they cannot operate at the same level of value that they used to.
  • ITAR therefore favors larger organizations by disproportionately impacting the relative efficiency of smaller competitors.
  • ITAR does create a market need for consultants and compliance experts as the policies and regulations that surround the legislation are complex and the penalty for failure to comply are excessive.
  • ITAR does not seem to have an effect on the amount of and quality of classified information that is available to non-US bodies.

Comparison of F-35 to the Chinese J31

ITAR in action.

So what does ITAR do? What is the benefit? Is it largely invisible and we can never know the critical aspects of US defense technology that are kept secret by ITAR that otherwise would be vulnerable to foreign agents.

The visible effects are to favor large companies over small and to significantly increase the overall cost of development in a way that does not appear to increase security in a meaningful way.

What do you think?

Comment On This Post

Your email address will not be published. Required fields are marked *