In May, Buzzfeed grabbed headlines worldwide when it reported that Cisco Systems Inc. had “altered sales records in Russia” to evade US and EU sanctions.  Specifically, Buzzfeed reported that Cisco used straw buyers to conceal exports of sophisticated technology to military end-users, including the FSB, the successor agency to the KGB. The article included links to leaked company documents.

Cisco publicly has denied the allegations, while Senator John McCain has called for an investigation.  Buzzfeed reports that a federal investigation is underway.

This all raises a key question: What are the potential theories of liability here?

The article recounts several examples in which Cisco supposedly altered the names of military end-users to reflect more benign end-users in its internal sales database, including by substituting the Russian Chamber of Commerce for the FSB, “Slavyanka JSC” for the Russian Ministry of Defense, and “Tsenki FGUP” for the Russian Space Agency.  The article suggests, but does not clearly allege, that Cisco presented this supposedly falsified information to licensing authorities in the United States and/or the Netherlands following the imposition of US and EU sanctions that would have restricted the deals.

The linchpin of the article is its statement that “sanctions prohibit Western companies from selling ‘dual-use technology’ — civilian technology that could also have military applications — to ‘military end-users.’”  However, this is not entirely correct.  US export controls restrict the supply of certain listed items for military end-users or end-uses in Russia, set out at Supplement No. 2 to Part 744 of the Export Administration Regulations (EAR), and the Cisco equipment described in the Buzzfeed article does not appear to be covered.  EU sanctions against Russia, in comparison, do restrict the supply of all dual-use items for Russian military end-use or end-users.

The Buzzfeed article notes that Cisco explored setting up a “US supply lane” by which it would export items directly from the United States to Russia, rather than through the Netherlands as it usually did, in order to avoid EU restrictions.  This is not necessarily a violation.  EU sanctions prohibit taking actions to “circumvent” restrictions, but it isn’t clear how this would apply to a US company acting in the United States, or if the anti-circumvention prohibition would reach this type of activity (similar to the US prohibition of “facilitation”).  And while US authorities may cooperate with EU authorities in sanctions and export control enforcement, US authorities do not enforce EU export control laws.

Other aspects of the article appear to be exaggeration by Buzzfeed.  For example, the article suggests that Cisco altered records for certain orders to change the name of the end-user from the Russian Ministry of Defense to “Slavyanka JSC,” pursuant to a nefarious plot to dupe Dutch authorities that an anonymous whistleblower described as “pure fraud.”  But Slavyanksa publicly describes its “principal operations” as providing “specialized housing of military towns of the Ministry of Defence of the Russian Federation, as well as operational maintenance and comprehensive service barracks, housing and water supply networks cantonments Russian Defense Ministry.”  This could not possibly have been lost on the Dutch authorities, which in any event reportedly blocked the transaction.  Similarly, Buzzfeed takes issue with other orders in which Cisco changed the name of the end-user from the Russian Space Agency to “Tsenki FGUP,” which openly describes itself as active in the Russian space industry.

Of course, there could be violations to the extent that Cisco actively misled US and EU regulators on license applications.  US authorities certainly take this quite seriously, most recently evident in the prosecution of Alexander Brazhnikov Jr., who pleaded guilty on June 11 to charges that he conspired to smuggle more than $65 million in export-controlled electronics components to the Russian military by concealing the nature and destination of the shipments.  (Sentencing is scheduled for September 15.)  But in the absence of more specific reporting on Cisco’s activities, it’s important to separate the facts from the hype in this situation.