Welcome to The Iron Triangle, the Cipher Brief column serving Procurement Officers tasked with buying the future, Investors funding the next generation of defense technology, and the Policy Wonks analyzing its impact on the global order.
A little over a year ago I watched a good company die. They built technology that worked. It was not a slide or a concept, but a thing that did what it was designed to do. They had European clients interested, checkbook open, at exactly the moment Europeans started opening checkbooks for real. They did not close the deal. They could not figure out how to export their product without tripping over the International Traffic in Arms Regulations (ITAR), they could not afford the lawyer who could tell them, and they ran out of runway waiting on a U.S. contract that was still three review cycles from signatures. The technology did not fail. The paperwork won.
Around the same time, I sat with a foreign team with excellent tech who wanted to build in the United States. They decided against it. Their reason was not taxes or visas. It was that the moment their intellectual property became American, it might become ITAR-controlled, and they were terrified that a regulation written in Washington would strand the hardware they were shipping to Ukraine to kill Russians. Restated, our export-control regime is so feared that talented people keep their best work out of the American ecosystem. That is not security. That is self-harm.
The $3,000 Toll to Export Nothing
Start with the cost of admission. To legally export a defense article, you first register with the State Department's Directorate of Defense Trade Controls (DDTC). As of January 2025 the base registration fee rose to $3,000 a year, and you pay it whether or not you ever ship a single item. That fee is the insult, not the injury. It’s the trivial part that buys you the right to then apply, per transaction, for a DSP-5 license, a process that consumes months, specialized counsel, and a full-time compliance officer that a nine-person startup does not have and cannot afford to hire.
For Lockheed Martin, this is a rounding error and a competitive moat all at once. The primes have entire floors of export-control lawyers; the regulation that annoys them is the regulation that buries smaller companies. The same $250,000-a-year compliance function is a nuisance on a $61 billion contract base and a death sentence on a Series A. ITAR does not have to be designed as a moat to function as one.
The See-Through Rule and the Birth of "ITAR-Free"
Here is the part that turns a domestic annoyance into a strategic own-goal. ITAR does not stop at the first sale. Every onward move, a re-export to a third country, a retransfer to a different end user, needs its own license. Control follows the item forever. Two features make this uniquely radioactive. The first is the "see-through rule": American law looks straight through a foreign-built system to control the U.S. part buried inside it. The second is that ITAR, unlike Commerce's export rules, has no de minimis threshold; there is no amount of American content small enough to escape. One controlled datalink in a drone taints the entire aircraft, permanently, and Europe cannot freely sell it onward, or keep sending it to Kyiv, without asking for permission.
So Europe did the rational thing. It started designing us out. "ITAR-free" is now a selling point, a feature you advertise the way you'd advertise waterproofing. The control regime we built to protect technology has taught our allies to build parallel supply chains that don't need us at all. We are not catching diversion. We are losing the room, one clean-sheet component at a time.
We Are Guarding a Henhouse the Fox Already Breeds
Now the objection every serious reader is forming: won't loosening the rules help China? It is the right question, and it deserves an honest answer. Post-sales diversion to Beijing is a threat, and the wall against it should stay standing.
But look at what the small companies I'm talking about actually build; let’s be precise about it. The airframe of an attritable FPV drone is commodity hardware, every component sourceable on Alibaba, and China manufactures the world's drones at a scale and price we cannot approach. Nobody in Beijing is combing American startups for quadcopter know-how. What can be genuinely sensitive is the layer you can't buy on Alibaba: the autonomy stack, the radio's waveform library, the ISR payload's processing. Control that. But applying munitions-grade export control to benign parts isn't guarding the crown jewels. It's standing armed guard over a henhouse the fox already owns, breeds, and exports. Control the narrow band that matters; stop strangling everything downstream of it with rules written for an age when a weapons system took a decade to build and stayed secret for two.
The Money Nobody Talks About
Investors should sit with the scale of the mismatch. In 2025, venture capital poured a record $49.1 billion into defense tech, up more than 80 percent over the year before. It sounds like a golden age until you notice most of it stacked into a handful of nine-figure megarounds while the Forgotten Bench, the small firms building the actual arteries of the future force, fought over grants. A typical DoD SBIR Phase I award runs about $256,000; a Phase II might reach a couple of million, if the company survives the wait. Many do not.
Now hold that against one ITAR-specific insult. On an ordinary afternoon, RTX booked $183.7 million for Patriot hardware bound for the United Arab Emirates. The prime exports to the Gulf on a Tuesday while the startup cannot work out how to ship a drone to a NATO ally. That is not a difference in risk. It is a difference in legal firepower. And the Pentagon posts these awards daily, every one above $7.5 million. The primes' budget rounding errors could fund the next generation of warfare. Instead they accrue to the incumbents while the little guys are fenced out of a market currently on fire.
What Each Corner of the Triangle Should Want
For the Procurement Officer, this is about coalition speed. You cannot field an allied force at the pace of a per-transaction license queue. Interoperability that requires a lawyer is not interoperability.
For the Investor, ITAR reform is a total-addressable-market unlock. European defense budgets have gone vertical, and right now your portfolio company is legally walled off from them. The moat you think protects your prime holdings is the same moat drowning your early-stage investments. Your small companies are not competition for the primes; there is plenty of room for both to be successful.
For the Policy Wonk, the pitch is precision. A control regime that treats a drone like an ATACM has no credibility left to spend when it actually needs to stop something dangerous. Overcontrol is how you get evasion; targeted control is how you get compliance.
The Fix Already Exists: We Just Gave It to Two Countries
We do not have to invent anything. In September 2024, the State Department stood up the AUKUS exemption, a license-free environment for defense trade, between pre-approved, vetted users, the United States, the United Kingdom, and Australia, fenced by an "Excluded Technology List" that keeps the genuinely sensitive items behind the wall. In an early three-month sample, only 18 percent of requests fell on the excluded list; the other 82 percent could move without a license. The mechanism works; State approved it six months ago.
So extend it, carefully, because this is the part the cynics should watch. AUKUS worked because State vouched for allies whose export-control systems were judged comparable to our own. Thirty-two NATO members are not thirty-two equal risks, so the honest version of this is tiered: the most-trusted governments first, each on its own comparability finding. Build a NATO Trusted Trade tier on the same architecture: license-free authorization for vetted allies on the commodity tier, a narrow excluded list. Industry's loudest complaint about AUKUS is that the list is already too broad. Then build a small-business fast lane that waives the registration toll for firms below a revenue threshold. Keep the wall. Widen the gate. Stop making a startup spend its entire budget on compliance lawyers to sell drones to Poland.
I have spent a career watching good technology lose to bad processes. This is the purest example I know. The threat is real, the fix is proven, and the only thing missing is the will to admit that a rulebook written in the era of glacial weapons development is actively kneecapping the fast, cheap, disposable systems that are winning wars right now. Europe wants viable technology. Our young innovators are starving for a customer. ITAR is standing between them, collecting a $3,000 toll, and calling it national security.
I am not naive about post-sale diversion to China. The real leak in a trusted-ally tier is not China raiding our startups; it is a vetted ally re-exporting onward. This is why truly sensitive items stay behind the wall. A trusted-ally tier is only as good as the "trusted" part: the whitelist has to be policed, the excluded list has to be honest, and end-use monitoring has to be real. I will not pretend reform fixes everything. For some European governments "ITAR-free" is industrial policy, a way to protect their own primes and their own jobs. No amount of American good behavior erases that motive. But reform removes the legitimate excuse, and keeps our companies in contention where today they are auto-excluded. The answer to a blunt instrument is a sharper one, not no instrument at all.
We wrote the words "ITAR-free" onto our allies' marketing brochures ourselves, one anachronistic rule at a time. The question is whether we notice in time to erase them, or we keep guarding the henhouse until the last American startup gives up and the last European customer stops asking. Who are we protecting, and from what?
The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals. Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
Have a perspective to share based on your experience in the national security field? Send it to Editor@thecipherbrief.com for publication consideration.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief

1 hour ago
1





