BIS should build a lean, mean, data-driven enforcement machine
BIS enforcement relies on decades-old software systems and fragmented, patchwork databases. Fixing that could massively improve its ability to catch violators.
The Bureau of Industry and Security (BIS) manages the US’s dual-use export controls, including controls on AI chips. BIS’s ability to enforce export controls on AI chips is directly relevant to US national security, because it affects China’s ability to acquire AI compute for uses like cyberattacks. It is also relevant to AI risk, because it affects BIS’s ability to monitor where compute is going and prepare for a future where compute might be restricted more aggressively.
In my last Substrate post, on BIS funding, I covered what BIS asked for this year—a $112 million increase to spend almost entirely on enforcement staff—and what BIS actually received, which is a $44 million increase that BIS must now decide how to spend. In that piece, I argued that the highest BIS priority should be something not in the budget request at all—specifically, better software and data infrastructure. In this piece I’ll outline the current state of BIS enforcement software and data systems, what BIS is already doing to upgrade them, and the potential benefits compared to other investments.
BIS should upgrade its decades-old enforcement software
The Investigative Management System-Redesign (IMS-R) tracks export enforcement investigations, including storing digital case files, witness testimony, documents related to investigations, and records of arrests and other enforcement actions.[1] It also targets and logs end-use checks, which are when a BIS agent, an Export Control Officer, or a Commercial Service officer visits a company overseas that is receiving, or applying for a license to receive, US-origin items.[2] Basically, it’s Google Drive for export control enforcement—the central source of truth on enforcement actions. If you want to understand what another agent or analyst is working on or what BIS did last year, you have a better tool than “send someone an email and ask”.
Unfortunately, IMS-R is profoundly outdated—the tool was developed either in 2006 or 2008, depending on which source you believe.[3] In other words, IMS-R predates Windows Vista, Halo 3, and the end of George W. Bush’s presidency, and it has about the performance you would expect.
For example, per the Senate Investigations Committee’s excellent report on BIS, IMS-R’s search function cannot find text within documents. If you want to find cases associated with a certain witness, and you don’t know the exact unique IDs of those cases already, have fun clicking through every single case, downloading every Word document attachment and using Ctrl-F. Luckily, you won’t have to search through any PDFs or Excel sheets—because according to page 20 of the report, you can’t even upload those file types. If you want to find out how long an end-use check has been open (the time between a BIS analyst flagging a transaction and a BIS agent visiting the company), you’d better just call your analyst friend, because according to the Government Accountability Office IMS-R can’t handle that information either.
This creates two problems for export enforcement: process drag and knowledge drag. Every time IMS-R crashes when an analyst is logging in, or an agent has to copy all the text from a PDF and put it in a Word document, or a supervisor has to call an agent to find out what’s going on with an end-use check, that’s process drag. Time is being sucked away from productive enforcement activities to fight a software system old enough to vote in this year’s midterms.
That’s bad, but knowledge drag might be worse. Because finding information is so hard, sometimes people just won’t find it, or even take the time to seek it. An agent working a case won’t realize the company they’re investigating is also applying for licenses. An analyst putting together an Entity List package—the bundle of evidence and analysis supporting a proposal to restrict exports to specific companies—won’t know about the three open end-use checks on that company. Improving IMS-R would reduce administrative workload for BIS agents and analysts and increase knowledge sharing in hard-to-quantify but important ways.
BIS should spend even more on trade data
Beyond the information about cases and BIS actions stored in IMS-R, BIS enforcement has access to three types of data:
BIS-owned data tools, like CUESS.
Data tools owned by other government agencies but used by BIS, like the Automated Export System and the Automated Targeting System.
Commercial data tools purchased by BIS, including teardown intelligence, corporate registry and trade data, and data fusion platforms.
The primary BIS-owned data tool (besides IMS-R) is the Commerce USXPORTS Exporter Support System (CUESS). CUESS is both the software system used to process export licenses and the repository of all the data about those licenses at BIS (companies apply for licenses through the applicant-facing side of the system, called SNAP-R). Although newer than IMS-R, CUESS shares many of its pathologies and was designed for processing licensing applications rather than viewing license data.
The primary non-BIS, government-owned data tools are the Automated Export System and the Automated Targeting System, both managed by Customs and Border Protection.
The Automated Export System (AES) electronically logs all exports from the United States. (Seriously, all of them! Millions every day. It’s a fascinating dataset.)
The Automated Targeting System (ATS) automatically compares AES data to existing law enforcement databases to flag if a shipment, say, is going to a company on the Entity List.
Unfortunately, because BIS doesn’t own these data systems, it must haggle with Customs and Border Protection about both access for BIS analysts and whether some data BIS would like to see are captured at all.
Finally, BIS also has contracts with a scattering of commercial data providers who can be broadly categorized into three sub-buckets: physical teardown intelligence, corporate registry and supply chain data, and data fusion platforms:
The only physical teardown intelligence provider BIS appears to contract with is Conflict Armament Research. Conflict Armament Research’s line of work is flying to battlefields around the world, recovering weapons debris, and identifying the supply chains of those weapons. This has obvious utility to BIS: if you have primary information about what components with what serial numbers are where, you can work backwards through the supply chain.[4] BIS awarded Conflict Armament Research a $120,000 contract in February 2021.
BIS contracts with a wide variety of companies for corporate registry and supply chain data, including Dun & Bradstreet, Sayari, Bloomberg, IHS Global, Thomson Reuters, Kharon, S&P Global Market Intelligence, and WireScreen. Many of the contracts appear to be through a reseller called Thundercat Technologies. These companies help answer questions like “who owns this Chinese company?” and “what is this chip fab’s legal address?”
BIS has also awarded $4.6 million to Palantir Technologies for “Platform-as-a-Service.” Palantir famously specializes in helping government clients assemble and understand large datasets, so this would likely be the integrator that helps BIS make sense of all the other data it’s cobbling together.
Right now, human enforcement analysts serve as the interpretive layer between all these data sources. The same analyst might query AES to find a shipment, check ATS to see if the consignee matches any known law enforcement records, then check WireScreen and Sayari to determine who owns the company listed on the AES record. Then they might walk downstairs to the Bloomberg terminal (of which there is only one, which you must reserve in advance) to look at data on that company’s suppliers and customers, and then they might go back upstairs to look at CUESS information about the licenses that company has received, through CUESS’s painfully awkward search function (no searching attachments, barely any advanced search support at all, same as IMS-R). This all assumes the analyst has access to all those resources, which is not given to every BIS analyst. This creates the same knowledge drag as IMS-R: data that could be used isn’t used because it’s too painful to get it.
The dream system would unify US government trade data, commercial trade data, law enforcement investigation databases, corporate registries, and physical teardown information into a single portal. (This is exactly the type of system that Palantir is well suited to build.) Actually building it is not only a financial and technological problem but also a legal, commercial, and political problem—it means addressing data confidentiality rules, negotiating with commercial providers for bulk data transfers instead of far more lucrative per-seat licensing, and badgering agencies like Customs and Border Protection, which owns key data, into giving BIS the keys to the kingdom.
The benefits of this system would be massive—instead of analysts spending days manually correlating different data sources, they could focus on their core work of evaluating qualitative intelligence, targeting enforcement, and tracking large-scale trends. An analyst asking “what did this Chinese fab buy this year, and through which suppliers?” could answer that question in minutes, not days, then apply their own expertise to the real question of what those purchases mean for what the fab is building. A policymaker asking “to which other countries did exports of AI chips surge after we controlled them to China?” could get the answer themselves without tasking an entire team of data scientists, a task that has become much more difficult due to attrition in BIS’s Data Analytics Division.
Software and data would be a force multiplier and are feasible
BIS is probably better placed than I to make an exact evaluation of its own software and data requirements and how those compare to other needs like enforcement staffing. I know as well as anyone the frustration civil servants feel when think tank pundits try to backseat drive a federal agency without an intimate understanding of the constraints on the ground. I also don’t have access to as much information as BIS leadership does about how enforcement is going and what the staff there say they need.
Nevertheless, I think it’s worth investing at least some of BIS’s budget increase in software and data. Investing in technology would increase the productivity of the hundreds of staff BIS already has, which is, I think, worth more than the ten or so additional agents a few extra million in technology spend would mean forgoing. I also think a broad BIS technology modernization project would succeed. This is partly because BIS was demonstrably able to build the CUESS software originally (a major software project to build a single licensing system across the interagency in the 2010s failed due to coordination issues between agencies, not issues within BIS), and partly because most of the required data modernization would involve paying commercial companies to provide data and build fusion tools, not BIS developing anything itself.
Ultimately, it’s up to BIS leadership to decide how to spend their money—but if they’re asking me,[5] modern software and a lean, mean data-processing machine would be a valuable and affordable addition to the BIS enforcement toolkit.
[1] See p. 19 of this Senate report on BIS.
[2] See this report on the Department of Commerce by the Office of Inspector General.
[3] 2006 is implied by the website of the consultants that built it (see the copyright year at the bottom). BIS says 2008 in its FY2025 budget request (p. 27).
[4] Conflict Armament Research focuses on weapons, including Russian and Iranian drones downed in Ukraine and the Middle East. For AI chips, BIS might consider purchasing teardown intelligence from providers like TechInsights.
[5] They are not asking me.


