Export Controls and Dual-Use Technology

Lead Summary

Export controls are legal mechanisms through which governments restrict the transfer of goods, technology, software, and technical knowledge to foreign persons, entities, or nations—most prominently when those items have both civilian and military ("dual-use") applications. The two foundational US instruments are the International Traffic in Arms Regulations (ITAR), administered by the State Department's Directorate of Defense Trade Controls (DDTC), and the Export Administration Regulations (EAR), administered by the Commerce Department's Bureau of Industry and Security (BIS). ITAR and EAR are mutually exclusive: any controlled item falls under one or the other, never both. The multilateral scaffolding for these domestic regimes is provided by four informal, non-binding political arrangements—most prominently the Wassenaar Arrangement—that coordinate national controls across allied states.

Export controls sit at the intersection of national security, foreign policy, and commercial trade. They have evolved dramatically since the Cold War, moving from blanket technology embargoes to sophisticated chokepoint strategies targeting specific process nodes in semiconductor supply chains, and most recently extending to control AI model weights and quantum computing components. The record is uneven: there are documented nonproliferation successes, but also persistent enforcement gaps, evasion through transshipment, diplomatic friction with allies, and growing Global South critiques that these regimes constitute a new form of techno-colonialism.

Historical Development

COCOM: The Original Multilateral Embargo

The modern era of multilateral export controls began in 1949, when the United States established the Coordinating Committee on Multilateral Export Controls (COCOM) with 15 initial member states drawn largely from NATO: Belgium, Canada, Denmark, France, West Germany, Greece, Italy, Japan, Luxembourg, the Netherlands, Norway, Portugal, Turkey, the United Kingdom, and the United States. COCOM operated as the "economic arm of NATO," coordinating embargo policies on technology exports to the Soviet Union and the communist bloc.

The regime's enforcement limitations became starkly visible in the mid-1980s, when the Toshiba-Kongsberg case exposed how allied states could undermine shared commitments through institutional weakness or commercial incentive. Toshiba Machinery (Japan) and Kongsberg Vappenfabrik (Norway) illicitly diverted controlled dual-use submarine-detection technology to the Soviet Union, prompting both nations to substantially strengthen domestic export control laws with criminal penalties and stricter licensing.

COCOM was formally dissolved in 1994 following the collapse of the Soviet Union, its primary rationale having disappeared.

Wassenaar and the Post–Cold War Regime

On July 12, 1996, the Wassenaar Arrangement was established as COCOM's formal successor, with 42 participating states. The new framework was deliberately less restrictive than COCOM: it prioritized transparency and information-sharing over hard prohibitions and operated as a voluntary, non-binding, consensus-based coordination mechanism—a deliberate policy shift toward enabling commercial trade while maintaining multilateral awareness of sensitive transfers.

The four principal multilateral regimes that exist today cover different technology domains:

• Wassenaar Arrangement (1996, 42 members): conventional arms and dual-use goods
• Australia Group (1985, 42 members): chemical and biological equipment and precursors
• Nuclear Suppliers Group (1992, 48 members): nuclear material and equipment
• Missile Technology Control Regime (1987, 35 partner states): missile delivery systems

None is a legally binding treaty. All operate as informal political understandings.

Core Concepts

ITAR vs. EAR: The Two-Track Architecture

The US domestic framework divides jurisdiction cleanly. ITAR covers defense articles listed on the United States Munitions List (USML), classified across 21 categories using designations like "Category # (#)." EAR covers dual-use items and commercial goods listed on the Commerce Control List (CCL), using five-character alphanumeric Export Control Classification Numbers (ECCNs). Any given item falls under exactly one regime.

The boundary is drawn by the concept of "specially designed": items specifically designed or modified for military use belong on the USML under ITAR; dual-use items with incidental military applications typically fall under EAR. When an exporter cannot make a clean determination, they may request a formal Commodity Jurisdiction (CJ) determination from DDTC, which must provide a preliminary response within 10 working days and a final determination within 45 days.

One important terminological divergence: the term "deemed export" appears explicitly only in the EAR. ITAR folds the same concept into its general definition of "export"—both regulate disclosure to foreign nationals, but they use different terminology and different tests for determining nationality.

What Counts as "Technology"

Export control regulations define "technology" and "technical data" broadly: blueprints, drawings, photographs, plans, formulae, engineering specifications, lab notes, software code, and any other information necessary for the development, production, or use of a controlled item—regardless of form. This includes oral briefings, demonstrations, site visits, and visual inspection of equipment. The substance of information determines control status, not its medium.

Under EAR, exporters bear primary responsibility for self-classifying their products and must document the reasoning. BIS may issue official classifications on request, but the initial burden of correct determination rests with the exporter.

Dual-Use: A Contested Boundary

The category of "dual-use" technology is fundamentally contested: there is no precise technical threshold at which a technology transitions from civilian to dual-use status. The MIT Dual-Use Readiness Model explicitly notes that the concept "lacks a clear, useful definition." In practice, Wassenaar control lists are political negotiation outputs, not technical facts—the same capability (encryption in the 1990s, AI in the 2020s) can move between categories across enforcement eras.

Deemed Exports and the Fundamental Research Exclusion

Deemed Exports: Technology Need Never Cross a Border

A deemed export occurs when controlled technology is disclosed to a foreign national within the United States. No physical shipment or border crossing is required. This principle extends export control jurisdiction to purely domestic disclosures: showing a foreign graduate student a controlled process diagram constitutes an export to that student's country of nationality.

EAR and ITAR apply different tests for nationality. The EAR looks at a person's most recent citizenship or permanent residence; ITAR looks at country of birth and all current citizenships. A dual citizen assessed under ITAR could trigger controls toward multiple nations simultaneously, while under EAR only their most recent permanent residence determines the export destination.

A deemed export can occur entirely within US territory. The regulatory fiction is that disclosing controlled technology to a foreign national is equivalent to shipping it to their home country.

The Fundamental Research Exclusion

National Security Decision Directive 189 (NSDD-189), issued by President Reagan on September 21, 1985, established the foundational policy: results of fundamental research—"basic and applied research in science and engineering where the results ordinarily are published and shared broadly within the scientific community"—remain unrestricted to the maximum extent possible. This directive has been reaffirmed multiple times: by National Security Advisor Condoleezza Rice in 2001 (post-9/11) and by Undersecretary of Defense Ashton Carter in 2010.

The exclusion has a sharp boundary. Any acceptance of publication restrictions, dissemination controls, or sponsor limitations removes the exemption entirely—converting domestic academic collaboration into potential export control violations requiring licenses before foreign nationals can participate. The boundary between "fundamental research" (shareable) and "technical assistance on development, production, or use" (controlled) is administratively defined and applied inconsistently across institutions and technology domains.

Even when research qualifies as fundamental, the equipment, materials, and technology used to conduct that research may independently fall under export controls—creating a separation between publication freedom and physical access to controlled enabling technologies.

Mechanism & Process: Extraterritoriality and the FDPR

The Foreign Direct Product Rule

The Foreign Direct Product Rule (FDPR) is the primary instrument through which the US asserts export control jurisdiction over goods manufactured entirely outside its borders. The logic: if a foreign-produced item was made using US-controlled technology, equipment, or software, the US retains jurisdiction over where that item can go. Under the FDPR for AI model weights, US jurisdiction reaches any AI model trained, fine-tuned, quantized, or modified using US-controlled integrated circuits or computing equipment—wherever in the world that training occurred.

This extraterritoriality has generated persistent diplomatic friction with allied nations, particularly regarding US unilateral assertion of control over trade between non-US parties using US-origin technology. European trade associations have cited regulatory burden and asymmetric compliance costs. The tension between alliance maintenance and national security objectives is structural and ongoing.

The Unilateral vs. Plurilateral Tradeoff

US strategy faces an intrinsic tradeoff. Unilateral controls via the FDPR are rapid and comprehensive but incur allied relationship costs and are vulnerable to "backfilling" from non-controlling suppliers. Plurilateral coordination through mechanisms like Wassenaar is slower but closes supply-chain loopholes and avoids alienating partners. The US employs both sequentially: unilateral action first, then diplomatic effort to pull allies into coordinated controls.

The fundamental problem of unilateral controls is that "technologies and related know-how are often available from multiple sources." The US "rarely has the clout to act unilaterally and be fully effective." Unilateral overuse "sows the seeds for non-US alternatives"—pushing innovation and production away from the controlling nation rather than achieving security objectives.

The Encryption Export Wars

From the Cold War through the 1990s, the US government classified encryption software as a munition under ITAR, requiring export licenses before anyone could legally publish encryption research or distribute cryptographic software abroad—and requiring registration as an arms dealer. This framing was the regulatory baseline that cryptographers and open-source developers challenged through litigation (notably Bernstein v. United States) and political advocacy throughout the 1990s.

Encryption was eventually transferred to the Commerce Control List, but the deemed-export doctrine remained a distinct strand of the conflict: even after liberalization, EAR provisions classified the release of encryption technology to foreign nationals within US territory as equivalent to exporting it to their country of origin. This effectively restricted foreign national participation in open-source encryption projects and academic research conducted in US institutions—reframing export controls as tools of knowledge containment rather than merely physical goods control.

Emerging Technology Frontier

AI Model Weights

In January 2025, BIS established ECCN 4E091, controlling the export of closed-weight (unpublished) AI model weights trained on 10^26 or more computational operations. The threshold was adopted as a regulatory trigger for frontier models; compliance was required by May 2025.

The regime contains a self-raising floor: open-weight (published) models are excluded from controls under the EAR definition of "published," and closed-weight models are only controlled if they outperform the most capable publicly available open-weight model. As open-weight models improve, the control threshold automatically rises.

This creates a fundamental structural mismatch: frontier AI models can generate technical information that is itself ITAR- or EAR-controlled, but existing frameworks were designed for discrete, point-to-point transfers between identified parties—not for AI systems generating unlimited, dynamic outputs for potentially anonymous users. As of 2026, DDTC and BIS lack authoritative enforcement guidance for AI-generated controlled outputs.

The AI Diffusion Rule partitions the world into three access tiers: 19 allied nations receive unrestricted access to advanced AI chips and cloud services; over 140 developing countries face low-performance licensing caps; a small set of adversary-linked countries face near-total restriction.

Quantum Computing

In 2024–2025, the US and allied nations (UK, Netherlands, France, Spain, Japan, Australia, Canada, and select EU member states) implemented coordinated but formally unilateral quantum computing export controls, bypassing Wassenaar consensus processes. The coalition operates via mutual recognition clauses—states receive exceptions from each other's controls if they maintain equivalent restrictions—establishing an ad hoc regime sometimes called "Wassenaar minus one."

By early 2025, quantum controls expanded from finished quantum computing products to upstream supply chain components: cryogenic equipment manufacturers, laser and photonics suppliers, and scientific instrument distributors were added to the Entity List, targeting the ecosystem supporting military-linked quantum programs.

The USML Expansion

The September 2025 ITAR amendments marked the first instance in years where USML additions outnumbered removals, amending 15 of 21 USML categories. The amendments covered advanced sensors, propulsion systems, unmanned underwater vehicles, and military electronics with performance thresholds tied to emerging capabilities. DDTC has signaled three additional USML revision projects for 2026: space-related controls (Categories IV and XV), an omnibus revision of semiconductor and circuit board controls (Category XI), and a redefinition of "defense services" (Category IX).

Controversies & Debates

Effectiveness vs. Evasion

Multilateral export control regimes face a fundamental information asymmetry that makes evaluating their effectiveness nearly impossible: it is impossible to know how widely dangerous technologies might have spread had the regimes not existed. There are documented successes—Australia Group controls impeded Libya's chemical weapons development in the 1990s and early 2000s; NSG controls form a core component of UN Security Council nonproliferation resolutions—but these are difficult to disentangle from other causal factors.

Evasion is well-documented and systematic. Transshipment networks using shell companies and third-country intermediaries in Hong Kong, Kazakhstan, Turkey, and the UAE relay controlled technologies to embargoed destinations. After Russia's 2022 invasion of Ukraine, more than €190 million in European components reached Russia via Hong Kong in the first two years; nearly $4 billion in controlled semiconductor chips flowed into Russia from more than 6,000 companies.

Enforcement gaps compound the problem. BIS lacks sufficient technical capacity, civil penalties often amount to the cost of doing business, statutes of limitations are too short to unwind sophisticated diversion networks, and insider reporting incentives are weak. The BIS budget has not increased commensurate with the growing number of controlled items and the sophistication of evasion networks.

Traditional export control definitions also do not treat remote access, API calls, or administrative rights as exports—creating significant regulatory gaps through which capabilities can be transferred digitally without triggering physical control mechanisms.

The Wassenaar Consensus Bottleneck

Wassenaar's consensus-based decision-making cannot keep pace with the rate of technological change in cloud services, AI, and cyber tools. Any member state can block any proposal. Proposals for modification made during 2022–2023 were not accepted. States have increasingly resorted to unilateral legislation rather than seeking harmonization through the Arrangement: Spain for quantum computers, Netherlands for semiconductor manufacturing equipment, the US for AI chips and model weights.

Implementation asymmetry compounds the bottleneck: the US retains more flexibility in its export authority approach than Germany or the Netherlands, enabling license-shopping by unlawful actors who route purchases through weaker enforcement jurisdictions. Major arms exporters including Belarus, China, and Israel are not Wassenaar members, creating structural gaps that domestic implementation by member states cannot close.

Global South Critiques

The most systematic challenge to the export control order comes from developing countries who bear the economic consequences of controls without having meaningful voice in their design. The forums where global rules are established—the G7's Hiroshima Process, OECD committees, and multilateral regimes—systematically exclude developing nations.

The US AI Diffusion Rule exemplifies the complaint. India's placement in the middle tier despite being a major technology economy was attributed explicitly to "existing ties with Moscow and perception of less robust technology regulatory framework"—geopolitical criteria, not technical risk assessments. Countries including Brazil, Indonesia, Malaysia, and Mexico were similarly restricted to low-performance licensing caps, locking them out of frontier AI compute capacity.

Developing countries face a triple bind: they depend on WTO rules guaranteeing non-discriminatory trade access, technological spillovers from advanced economies, and global public goods—and export control regimes threaten all three simultaneously.

The regime consolidates a "friendly shoring" pattern that concentrates critical semiconductor manufacturing capacity within allied nations (US, Taiwan, South Korea, Japan, Netherlands, Germany) while confining developing-country participation to lower-value assembly and test operations. The historical technology catch-up pathways that enabled Taiwan, South Korea, and Japan to build advanced industries are now precisely the mechanisms that export controls restrict.

BRICS nations are constructing alternative technology infrastructure explicitly to reduce dependence on Western-controlled systems: independent fiber-optic networks, satellite systems, shared AI development initiatives, and parallel financial systems (BRICS Pay, SPFS) to bypass SWIFT. China's October 2025 rare earth export controls establish a parallel extraterritorial regime explicitly mirroring US mechanisms—including a foreign direct product rule applied at a 0.1% Chinese-content threshold. This represents the first application of FDPR-style extraterritoriality by a non-US power, reframing export controls as a contested global practice operated by multiple powers rather than a uniquely Western instrument.