An investigation conducted since Russia launched its invasion of Ukraine nearly three years ago identified 450 components of Russian weapon systems that were made by foreign manufacturers. An alarmingly large number of these—318, according to the Royal United Services Institute researchers who conducted the examination—were made by US companies. Even more striking is that 18 percent of these items are subject to export controls.
One objective of export controls is to ensure that US-made components are not used in Russian weapons. Of course, some may have been purchased before export controls were put in place. But Russia very likely managed to procure others by circumventing measures specifically designed to stop it from doing so. How? And more importantly, what can be done to resolve this and issues like it?
The contribution made by the private sector to the defense mission is widely recognized, with initiatives such as the Defense Innovation Unit focused on the adoption of commercial technology to tap into private sector innovation. And that innovation comes not only from large and well-established defense companies, known as primes, but from start-ups and small businesses. These nontraditional defense businesses comprise 73 percent of the US industrial base and, as the US National Defense Industrial Strategy acknowledges, “improve DoD’s technology edge and capabilities.” They offer new thinking, agility, and diversification of the industrial base. Their important role, however, also sheds light on the challenges of implementing export controls.
Western Innovation: A Target for Adversaries
In the same way as the United States and its allies see the advantages of innovation, so do their adversaries. Western technology is highly sought after for its quality and reliability. The number of US-made parts in the weapon systems Russia is using in Ukraine offers a case in point.
The United States’ Disruptive Technology Strike Force was established by the Justice and Commerce Departments in early 2023 to respond to this threat and prevent advanced technology from being acquired by adversaries. It pursues action on export control violations and related offenses with the objective of protecting military and dual-use items from misuse by our adversaries.
Military items are simple to define, for the most part. Classifying items as dual-use, by contrast, can be more complicated. These items can have both military and civilian applications, and they include software and technology as well as physical goods. An example of a dual-use item is a triggered spark gap, which is a key component in medical devices used to break up kidney stones—but can also be used in the firing sequence of a nuclear weapon.
Verifying whether an export is permitted requires consideration of the end user, end use, destination, and other factors. These requirements are particularly complex to apply to dual-use items because illicit procurement networks may misrepresent acquisitions as being for a legitimate civilian purpose to obscure that the item will be diverted for a prohibited use.
Navigating the Regulatory Labyrinth: Parallels between Defense and Banks
While start-ups and smaller businesses are critical to innovation and a key component of the defense industrial base, they also face unique challenges. They have less reliable cash flows and limited financial reserves, and are described by the National Defense Industrial Strategy as more “fragile” than larger, established companies. This characterization not only applies to their financial positions but may also apply to the resources available to meet stringent Department of Defense standards and regulatory requirements including export controls. Smaller and specialist companies are also often targeted by adversaries who perceive them as being more vulnerable, according to the Royal United Services Institute report.
The defense sector—both its military and government stakeholders as well as those from industry—must work together to gain the innovation advantages that start-ups and smaller businesses can provide, while also ensuring they do not provide a chink in the amor of our collective defense. The way that large financial institutions work closely with financial startups, called fintechs, provides one model for success.
Export controls are complex and require significant resources to apply effectively. While a defense prime may understand its obligations and have the resources to implement an effective export control compliance program, this may not always apply to smaller or newer companies. These businesses may be product led, without an embedded understanding of regulatory requirements from the start. They may not have the same resources or experience to identify the potential misuse of their products or technology. For example, a manufacturer of a small unmanned aircraft system may intend it to be used to deliver medical supplies for disaster relief—a worthy humanitarian purpose—but it could also be easily used to deliver other payloads.
The adversaries of these export controls are sophisticated illicit procurement networks that adopt many of the techniques and methodologies honed by transnational criminal groups. These include use of front companies and shell companies to obscure the real buyer; transshipments through countries less likely to raise alarm to obscure the ultimate destination; and knowledge of how to misrepresent the end-user or intended use to avoid prompting concerns.
The challenges and opportunities faced by smaller defense businesses, particularly start-ups, relative to larger and well-established companies have parallels with the financial sector. Large financial institutions have many similarities with defense primes. They operate in an environment where regulatory requirements are stringent, and their size and financial resources mean that they have large and experienced compliance teams to ensure their obligations are fulfilled. They have a depth of experience in identifying threats—for banks, examples include money laundering, sanctions evasion, or financing of terrorism—and implementing controls to manage them effectively.
Fintechs—technology-centric start-ups or smaller businesses in financial services—do not share these advantages and have similarities with their equivalents in defense. Firstly, they may be product led, meaning the founders establish a business with a product and the potential market opportunity (rather than compliance) in mind. When compliance requirements are identified subsequently as a business grows, it becomes more complex and costly for them to be retrofitted. Secondly, these smaller fintechs may not have access to the same resources or experience to implement effective programs to prevent, detect, and respond to threats. And thirdly, they may be more actively targeted by adversaries who seek potential vulnerabilities, whether in the financial system to launder money or in the defense sector to acquire controlled items.
Banking: A Potential Blueprint
For smaller defense businesses, it may not be necessary nor realistic to have a large in-house export control compliance team. What is necessary is for all staff to be capable of identifying the red flags of illicit procurement and to understand the actions they must take—which may include sourcing external experts. The value of training is recognized by regulators: the US Bureau of Industry and Security, which administers the US dual-use export control regime, may require staff training by noncompliant organizations as part of its enforcement settlements.
However, proactive training can be more effective than mandating it after a violation. In financial services, all staff within a financial institution are provided with training on financial crime risks as part of their new-joiner process, along with regular refreshers. Staff with critical responsibilities receive in-depth training adapted to their specific roles.
In defense, proactive training could provide staff with the knowledge to prevent items being procured by adversaries—a better outcome than enforcement action for failures. In addition, provision of training demonstrates the company’s intent and commitment to fulfill its regulatory obligations, which may be viewed positively should a breach still occur despite its diligence.
In the financial sector, some global banks, called correspondents, shoulder the responsibility of protecting the integrity of the financial system by building capacity beyond their own institutions. Defense primes could consider a similar approach.
A correspondent bank is a global bank that has other banks as its clients. These client banks may be small, they may operate in countries with weak financial crime regulatory regimes, or they may have less experience taking effective action against sophisticated transnational criminal networks. However, if the client bank has weaknesses in its controls and it processes illicit transactions—such as the proceeds of crime or funds being raised for terrorism—they will be processed through the global bank’s systems. The global bank can be subject to regulatory enforcement action, even if the transactions originated with the client bank.
To mitigate these risks, some global correspondent banks provide capacity-building training to their client banks on how to improve their financial crime controls, such as how to conduct effective due diligence on different types of clients, how to recognize indicators of money laundering, or how to screen transactions for sanctions red flags.
Global correspondent banks have extensive resources and, by the nature of their business, broad experience on these threats and mitigations. By helping develop capacity in their client banks, they strengthen the client banks’ ability to protect themselves and as a result it is less likely that the correspondent will be exposed to illicit financial flows.
There are additional benefits: the global correspondent bank’s commercial relationship with its client banks is strengthened by providing this support—and by removing weak points, the integrity of the financial system overall is better protected.
Adapting this model, larger defense companies could provide training on export controls to their smaller suppliers and partners, or they could establish outreach initiatives to support capacity building in the wider defense sector. By sharing the knowledge and resource advantages that come from scale, defense primes can strengthen relationships between larger and smaller defense businesses, provide a more favorable environment for innovation, and strengthen the defense industrial base. In this way, innovation will be accelerated and our collective perimeter will be strengthened against our adversaries.
Catherine Woods is an experienced global financial services professional who has held senior and specialist positions in financial intelligence, external liaison, and export controls. She also serves in the Royal Air Force Reserves where she is a specialist in military-industry partnerships and coalitions, particularly those focused on innovation and emerging technologies.
The views expressed are those of the author and do not reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense, or that of any organization the author is affiliated with, including the United Kingdom Royal Air Force and Ministry of Defence.
Image credit: US Air Force