Commerce Dept. Proposes Sweeping Supply Chain Rules to Prevent ICTS Attacks by Foreign Adversaries
The U.S. Department of Commerce today published a proposed rule[1] to implement Executive Order 13873, Securing the Information and Communications Technology and Services (ICTS) Supply Chain. The Notice of Proposed Rulemaking (NPRM) sets out procedures that the agency proposes to use to identify, assess and address certain information and communications technology and services (ICTS)[2] transactions that pose an undue risk to ICTS in the United States, to the country's critical infrastructure or digital economy, or an unacceptable risk to U.S. national security or the safety of U.S. persons.
The proposed rule would create a process for evaluating the effect that any acquisition, importation, transfer, installation, dealing in, or use of ICTS that has been designed, developed, manufactured or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, foreign adversaries[3] may have on the national security, foreign policy and economy of the United States, and for potential blocking of any such transaction.
The public has a period of 30 days, until December 27, 2019, in which to submit comments.
Background
The NPRM, and the Executive Order it implements, state that the ICTS supply chain is critical to nearly every aspect of U.S. national security – the economy, critical infrastructure and emergency services, and the ability to store, process and transmit vast amounts of data, including sensitive information, that is used for personal, commercial, government and national security purposes. The NPRM posits that the ICTS supply chain has become increasingly exposed to exploitation and is a target for espionage, sabotage and foreign interference activity through both "back-door" and "front-door" vulnerabilities.
In particular, it notes that ICTS that are designed, developed, manufactured or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary augment those adversaries' ability to create or exploit vulnerabilities in ICTS, and that foreign adversaries increasingly are exploiting ICTS to commit cyber actions, including economic and industrial espionage, against the United States.
Finding that the unrestricted acquisition or use of such ICTS poses an extraordinary threat to the national security, foreign policy and economy of the United States, the NPRM proposes a potentially sweeping review process by which the Secretary would determine whether ICTS transactions selected for review (1) must be prohibited, (2) can be mitigated, (3) require unwinding, or (4) may proceed.
Evaluating Transactions
Review of a transaction may be triggered at the Secretary's discretion, upon the request of another federal agency or department, or based upon information submitted by a private party.
The NPRM states that any acquisition, importation, transfer, installation, dealing in or use of any information and communications technology or service (a "transaction") may be subject to review, and potentially to either prohibition or mitigation, if the transaction:
- Is conducted by a person or involves property subject to the jurisdiction of the United States;[4]
- Involves property in which a foreign country or a national thereof has an interest (including through an interest in a contract for the provision of the technology or service);
- Was initiated, pending or completed after May 15, 2019, regardless of when any contract applicable to the transaction was entered into, dated or signed, or when any license, permit or authorization applicable to the transaction was granted;[5]
- Involves any ICTS "designed, developed, manufactured, or supplied" by entities "owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary;" and
- Poses an undue risk of sabotage or subversion of ICTS in the United States, an undue risk of catastrophic effects on the security and resiliency of critical infrastructure or the digital economy in the United States, or an unacceptable risk to national security or to the security and safety of U.S. persons.
The Department's review of transactions will be based, in part, on an initial threat assessment and a vulnerability assessment prepared by the Office of the Director of National Intelligence (ODNI) and the Department of Homeland Security (DHS), respectively.
Notice to Transaction Parties
Although Executive Order 13873 empowers the Secretary to immediately prohibit or mitigate ICTS transactions that pose the risks identified in the Executive Order, the proposed rule sets forth procedures to be followed generally, except in instances where the risk of public harm or national security interests require deviation from such procedures.
Under these procedures, if the Department of Commerce makes a preliminary determination to prohibit, mitigate or unwind a transaction, the agency will provide notice to the transaction parties. Notified parties will have an opportunity to submit their position, which may include proposed measures for mitigation, prior to issuance of the agency's final determination. The agency will provide an unclassified, written final determination to the parties that, "to the extent possible, explains how the decision is consistent with the terms of the Executive Order, and, as appropriate, a summary of the final determination will also be made publicly available."
Public access to information submitted will be governed by the Freedom of Information Act, 5 U.S.C. § 552.
If it is determined that a transaction presents an unacceptable risk, the transaction may be prohibited, or the parties may be required to implement measures to mitigate the identified risks, including by requiring the parties to immediately cease the use of the ICTS that poses the risk, even if such ICTS has been installed or was in operation prior to the determination.
Persons who violate a determination, or mitigation requirements, imposed under the rule may be subject to a civil penalty of up to $302,584 for each violation. The NPRM states that the agency will not issue advisory opinions or declaratory rulings with respect to any particular transactions.
Exemptions and Class Determinations
The Department of Commerce has adopted what it refers to as a "case-by-case, fact-specific approach" to determine what transactions will be prohibited and either must not proceed, must be unwound, or be made subject to mitigation. The proposed rule does not identify particular technologies or participants in the market for ICTS, or classes of technologies, participants or transactions, as either categorically included or excluded from the prohibition.
The NPRM states that this approach is intended to target and prohibit transactions that meet the Executive Order criteria without unintentionally prohibiting other transactions involving similar ICTS that may not present an undue or unacceptable risk. This approach also is said to be intended to avoid inadvertently precluding innovation or access to technology in the United States.
However, the NPRM states that if, in the future, the Secretary determines that it is appropriate to designate classes of transactions for categorical inclusion (e.g., because such class of transactions poses an unacceptable risk) or exclusion (e.g., because transactions do not present an unacceptable risk or are outside the scope of the Executive Order), further guidance will be issued at that time.
Request for Comment
The Department has invited comment on almost all aspects of the proposed rule, but explicitly noted that the determination of a "foreign adversary" for purposes of implementing the Executive Order is a matter of Executive Branch discretion that will be made by the Secretary in consultation with the heads of other executive departments and agencies.
The following are among the issues on which comment has been requested:
- Although the Department is adopting a case-by-case review process, are there instances where the Secretary should consider categorical exclusions for classes of persons whose use of ICTS can never violate the Executive Order?
- Are there transactions involving types or classes of ICTS where acquisition or use in the United States or by U.S. parties would fall within the Executive Order's prohibited transactions because the transaction could present an unacceptable risk, but where that risk could be adequately mitigated? What form could such mitigation take?
- Where mitigation measures are adopted, how should the Secretary ensure that parties to such a transaction comply with the agreed-upon mitigation measures?
Small Entities
The NPRM acknowledges that the proposed rule may affect small entities or groups that are not easily categorized at present. It identifies three broad groups of such entities that utilize ICTS that could be directly affected, including:
- Telecommunications and information technology equipment and service providers (including LECs, IXCs, CAPs, resellers, and wired, wireless and satellite carriers);
- Internet and digital service providers (including ISPs, cloud providers, managed security providers and software providers); and
- Network infrastructure vendors and equipment manufacturers.
The NPRM states, however, that these groups do not necessarily encompass all of the small entities or groups that utilize ICTS that potentially could be impacted by the proposed rule.
Relationship to Other Laws
The NPRM states that the proposed rule should not be construed as altering or affecting any other authority, process, regulation, investigation, enforcement measure, or review provided under any other Federal law, including the National Defense Authorization Act of 2019, the Federal Acquisition Regulations, or the International Emergency Economic Powers Act (IEEPA) (50 U.S.C. 1701 et seq.), or any other authority of the President or the Congress.
Although not mentioned by the NPRM, it is abundantly clear that the proposed rule will establish a CFIUS-like, and Team Telecom-like, review process, not for foreign investments in U.S. companies, but for foreign technology transactions with U.S. customers, adding layers of review, delay and expense to such dealings.
Takeaway
Industry heavily lobbied the Department of Commerce not to adopt broad class and categorical prohibitions on ICTS transactions involving foreign equipment and service vendors, or particular types of foreign-supplied equipment or services. That effort seems to have succeeded, as the Commerce Department appears inclined, at least for the present time, to proceed on a narrower case-by-case, fact-specific basis.
But the NPRM and the Executive Order reserve to the Department considerable discretion, both in picking targets for review and fashioning remedial measures, and potentially in expanding the review process beyond case-by-case determinations.
Also, although the NPRM does not identify any foreign adversaries, it is clear where the agency's focus will be, at least initially. Any transaction involving equipment or services from Huawei, ZTE and other Chinese vendors, or any other company on the Entity List, will be fair game.
What is less clear is how sweeping the Department's review of ICTS transactions ultimately will turn out to be, and whether other considerations – e.g., the imperative to get a trade deal done – will weaken the initiative.
Finally, the proposed rule would give Commerce the power to prohibit the continued operation of existing facilities and provision of services, and to require unwinding of transactions, even under contracts that pre-dated May 15, 2019.
But unlike the rule adopted on November 22, 2019 by the Federal Communications Commission, which both forbids use of Universal Service Fund subsidies for the purchase of equipment from Huawei and ZTE, and other companies that may be designated, and also provides for reimbursements to small and rural carriers who, as a result of the FCC order, may be required to rip-and-replace such equipment, the NPRM makes no provision for any such reimbursement.
This issue is sure to be the subject of considerable discussion at the agency, in Congress and, in all likelihood, in courts that must decide challenges to orders that require removal, or forbid the use, maintenance or improvement, of targeted vendors' equipment.
Parties concerned about these and other aspects of the proposed rule are encouraged to submit comments within the 30-day period. Please let us know if you need information or assistance regarding the submission of comments.
[1] Of note, Section 2(b) of Executive Order 13873 provided that "Within 150 days of the date of this order [i.e., by October 14, 2019], the Secretary ... shall publish rules or regulations implementing ... this order." Not only was issuance of the NPRM six weeks late, but it also disregarded the EO's direction that the Secretary "shall publish rules" – not proposed rules.
[2] "Information and Communications Technology and Services" is defined as "any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including through transmission, storage, or display."
[3] "Foreign adversary" means "any foreign government or foreign non-government person determined by the Secretary to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons."
[4] "United States person" means any United States citizen, permanent resident alien, entity organized under the laws of the United States or any jurisdiction within the United States (including foreign branches), or any person in the United States.
[5] Transactions involving certain ongoing activities, including, e.g., managed services, software updates or repairs, would constitute transactions that were completed on or after May 15, 2019, even if a contract was entered into prior to that date.