By Chuck Gallagher — Defense Ethics Keynote Speaker and Trainer
The email that felt harmless
It started like most modern problems do: with someone trying to be helpful.
A program team was moving fast. Deadlines were tight. The customer wanted updates. Engineering was collaborating across time zones. A subcontractor needed “just one file” to keep the schedule from slipping.
So an employee did what responsible employees do—they tried to solve the problem quickly.
They attached a document to an email.
Not because they were reckless.
Not because they were unethical.
Not because they were trying to break the law.
But because in that moment, the employee believed the file was “normal.”
And in defense contracting, one of the most dangerous beliefs in the workplace is this:
“It’s probably fine.”
Because export control violations don’t usually come from criminals.
They come from good people who don’t realize they’re standing in a legal and ethical minefield.
As a defense ethics keynote speaker and trainer, I’ve seen it over and over:
export control risk lives in everyday habits—not dramatic schemes.
Export controls are not just a compliance issue—they’re a trust issue
When leaders hear “ITAR” or “export controls,” they often think:
- legal department
- compliance department
- contracts department
- “somebody else’s problem”
But export control compliance is ultimately about something far more basic:
Will your organization treat national security obligations as non-negotiable?
This is why export controls are an ethics issue.
Because ITAR isn’t just about rules.
It’s about responsibility.
It’s about what happens when a company is entrusted with sensitive data, defense articles, defense services, and technical information—and whether that company has the discipline to protect it, even when protecting it is inconvenient.
Public examples: export control enforcement is real (and expensive)
This isn’t theoretical.
In August 2024, the U.S. Department of State announced a $200 million administrative settlement with RTX (Raytheon Technologies) resolving 750 alleged violations of the Arms Export Control Act (AECA) and the International Traffic in Arms Regulations (ITAR).
And in another significant example, the U.S. Department of State announced a $51 million settlement with Boeing resolving alleged violations involving AECA and ITAR-related issues.
I’m not highlighting these cases to embarrass anyone.
I’m highlighting them because they teach a lesson every defense contractor should take seriously:
Export controls are not “fine print.”
They are a frontline integrity test.
Why ITAR violations happen even in good organizations
Most export control failures aren’t driven by bad intent.
They’re driven by a mismatch between:
What leadership assumes
“We have an export compliance program.”
…and…
How employees actually work
“Just send it. We need to move.”
Export control breakdowns usually happen in predictable situations:
1) Speed beats caution
The team is behind schedule, and compliance feels like friction.
2) People don’t know what’s controlled
Employees don’t recognize when technical data is export-controlled.
3) Collaboration habits are modern, but controls are outdated
Employees use cloud tools, shared drives, messaging apps, and international meetings as default.
4) Subcontractors and partners create leakage points
Teams assume the other party “must already be approved.”
5) Training is generic
Employees know ITAR is “important,” but don’t know what to do in real-world scenarios.
That’s why I tell leaders:
I don’t deliver ethics training. I build ethical decision-making reflexes under pressure.
Because export control mistakes aren’t made when people are calm.
They’re made when people are trying to be helpful, fast, and responsive.
The ethical danger: “Nobody’s getting hurt”
One of the most common rationalizations I hear is:
“It’s not like we’re giving it to an enemy.”
That’s not how export controls work.
Export controls exist precisely because the risk is not always obvious in the moment.
The harm is often downstream:
- technology leakage
- unauthorized access
- uncontrolled distribution
- loss of control over sensitive data
- weakening U.S. and allied defense advantages
And beyond national security concerns, there’s another cost:
When export control discipline fails, customer trust collapses.
Because defense customers don’t just evaluate capability.
They evaluate maturity.
And maturity includes self-control.
The real ITAR risk is cultural: casual behavior around serious rules
The companies that get in trouble are often not the companies without policies.
They’re the companies where policies exist…
…but daily behavior ignores them.
Export compliance becomes something employees “work around.”
And that’s a culture problem.
If employees view export controls as:
- annoying
- optional
- slow
- “legal’s job”
then eventually they will treat them like obstacles rather than obligations.
And that’s how risk becomes inevitable.
Where export control mistakes happen most often (real-world hot zones)
If you want to protect your organization, focus training on these common danger zones:
Email and file sharing
The fastest way to violate export controls is to casually attach the wrong document to the wrong recipient.
Cloud storage and collaboration tools
Shared folders can become uncontrolled distribution channels if access isn’t managed.
International employees and contractors
Even inside your organization, foreign national access can trigger compliance obligations.
Conferences and presentations
Slides and demos can unintentionally include controlled technical data.
Subcontractor communication
“Just send it to the supplier” becomes the moment control is lost.
Remote work
Home networks, personal devices, and informal communication can weaken safeguards.
The point isn’t paranoia.
The point is awareness.
What effective export control ethics training looks like
Most export control training fails because it’s too abstract.
Employees hear:
- “ITAR is serious.”
- “Don’t share controlled data.”
- “Follow the rules.”
But they don’t learn what to do in real life when:
- a customer asks for something urgently
- a teammate requests a file
- a subcontractor needs access
- the team is behind schedule
- the manager says “make it happen”
So effective training must be:
Scenario-based
Examples like:
- “You’re asked to send CAD files to a vendor. What do you check first?”
- “A foreign national colleague is added to a meeting invite. What changes?”
- “A customer wants a quick technical summary. What can you safely include?”
Role-based
Engineering, program management, IT, contracts, HR, and supply chain all face different export risks.
Culturally reinforced
If leadership rewards speed at all costs, training won’t matter.
But if leadership rewards disciplined compliance—even when inconvenient—behavior changes.
A simple decision framework: “Pause. Verify. Protect.”
When employees are unsure, they need a fast, memorable tool.
Here’s one I teach:
Pause
Don’t send. Don’t share. Don’t assume.
Verify
Ask: Is this controlled? Who is authorized? What approvals are required?
Protect
Use approved systems, proper markings, and correct access controls.
That three-step reflex can prevent the “harmless email” that becomes a major event.
Final thought: ITAR isn’t red tape—it’s a character test
In defense contracting, export control discipline is a reflection of corporate character.
Because ITAR compliance asks a simple question:
Will you do the right thing when it slows you down?
The best defense contractors don’t treat export controls as friction.
They treat them as responsibility.
And responsibility is what separates trusted partners from risky ones.
Call to Action (Conversation Starter + Conversion)
If you’re a defense contractor leader, here’s the question I want you to sit with:
Do your people treat export controls like a policy… or like a mission?
If your teams are moving fast, collaborating globally, and relying on modern digital tools, you need more than a once-a-year compliance reminder.
You need an ongoing ethical awareness program that builds disciplined habits under pressure.
As always, I welcome your comments and I’m happy to respond. Feel free to share your thoughts below.
