‘Foreign Adversaries’ In Tech Supply Chain May Be Under the Microscope
What to Know
- ICTS companies should be prepared to closely review their transactions to identify the equipment, software, and technology that may fall under the scope of this rule.
- Transactions that fall under the ICTS Rule would be subject to a US Government interagency review under this new set of regulations, which has a mechanism for holding up and even stopping such ICTS transactions.
- The Biden Administration has reportedly paused the implementation of the rule to allow for a review, but we anticipate a revised version resurfacing for additional public comment.
- Interested companies should consider submitting comments on the ICTS Rule now to highlight to the Biden Administration the ways in which the rule might be unduly burdensome as written.
What prompted the ICTS rule
What ICTS transactions are covered by the ICTS rule
Who is a “foreign adversary”
What factors are evaluated in the ICTS transaction review analysis
What are the review procedures
What technology sectors are covered by the ICTS rule
Are any ICTS transactions exempt or excluded
Is there a licensing process for potential transactions
What are next steps
How does the ICTS rule affect companies
On January 14, 2021, as one of the last official actions of the Trump Administration, the US Department of Commerce (Commerce) issued the “Securing the Information and Communications Technology and Services [(ICTS)] Supply Chain” interim final rule (ICTS Rule), which would establish a structured process by which Commerce can assess certain ICTS transactions between US and foreign persons that pose an undue or unacceptable risk and “involve information and communications technology or services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary[.]”
Then-Commerce Secretary Wilbur Ross noted in a recent Commerce press release that “[a]ggressively securing the ICTS supply chain will protect American citizens and businesses from vulnerabilities that could undermine the confidentiality, integrity, and availability of their personal information or sensitive data by malicious foreign adversaries and those who wish harm on the United States.”
In effect, the interagency review process that would be created under the new ICTS Rule to screen inbound foreign technology transactions would loosely parallel the one used by the Committee on Foreign Investment in the United States (CFIUS) to screen inbound foreign investments. The provisions of the ICTS Rule itself, as issued, would ensure there is minimal or no overlap between the two screening systems, and the contentious question of where exactly to draw this boundary between the two reportedly led to a bureaucratic turf battle within the Trump Administration between Commerce and the Treasury Department that delayed the publication of the ICTS Rule itself.
The ICTS Rule was issued pursuant to President Trump’s May 15, 2019, Executive Order (EO) 13873 (Securing the Information and Communications Technology and Services Supply Chain), in which President Trump declared a national emergency with respect to the threat to the national security, foreign policy, and economy of the United States by foreign adversaries who are “increasingly creating and exploiting vulnerabilities in information and communications technology and services[.]” The ICTS Rule follows the publication of the November 27, 2019, proposed rule, which we reported on in our December 2, 2019 alert. The review process set forth in the ICTS Rule is principally designed to ferret out ICTS transactions that pose a threat to US national security.
From a broader vantage point, the ICTS Rule represents the culmination of a series of actions taken by the US Government under the Trump Administration to decouple the US information and communications technology infrastructure from telecommunications equipment and service providers that the Trump Administration and bipartisan majorities in Congress believed might pose a national security risk to the United States. In 2020, Congress enacted the Secure and Trusted Communications Networks Act of 2019 (the so-called “rip and replace” program), which requires the FCC to identify and publish a list of communications equipment and services that pose a national security risk (e.g., Huawei equipment) and reimburse providers for the removal and replacement of prohibited equipment and services. On January 13, 2020, the FCC published a final rule (Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs) identifying the criteria for types of equipment that will be on the “covered communications equipment and services” list that includes anything Commerce identifies in the course of the ICTS Rule.
The ICTS Rule seeks to prevent, among other things, a similar future scenario where communications equipment or other technology products and services that pose a national security risk to the United States become widely used and require costly replacement.
2) What ICTS Transactions Are Covered by the ICTS Rule?
EO 13873 grants the Secretary of Commerce (the Secretary) broad authority to prohibit “any acquisition, importation, transfer, installation, dealing in, or use of any” ICTS (an ICTS Transaction) by any person, or with respect to any property, subject to US jurisdiction, when such ICTS Transaction “involves any property in which any foreign country or a national thereof has any interest (including through an interest in a contract for the provision of the technology or service),” “was initiated, is pending, or will be completed after the date” of the EO, and the Secretary, in consultation with other agency heads determines that the ICTS Transaction: (1) involves ICTS “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary;” and (2) poses an undue or unacceptable risk.
The ICTS Rule defines “information and communications technology or services” or “ICTS” as “any hardware, software, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.” This broad definition leaves a wide swath of transactions involving computing, cloud computing, data storage and retrieval, and telecommunications infrastructure open to review.
Under the new screening process that would be established, the interagency review would evaluate – to potentially block or require measures to mitigate – transactions that involve the acquisition, importation, transfer, installation, dealing in, or use of ICTS by any person, where the transaction:
- “Is conducted by any person subject to US jurisdiction or that involves property subject to US jurisdiction;”
- “Involves any property in which any foreign country or foreign national has an interest (including through an interest in a contract for the provision of the technology or service);”
- Was initiated, is pending, or will be completed on or after January 19, 2021, “regardless of when any contract applicable to the transaction is entered into, dated, or signed or when any license, permit, or authorization applicable to such transaction was granted.” Any act or service related to an ICTS Transaction that occurs after January 19, 2021, but relates to a contract that was initially entered into, or an activity that commenced, prior to January 19, 2021, may also be deemed an ICTS Transaction. The regulations do not specify how the Commerce Department would determine which acts or services performed for pre-January 19 contracts could be deemed not to be an ICTS Transaction.
- Involves an ICTS specified in the regulation, which includes, among others, certain software, hardware, or other product or service integral to wireless local area networks and mobile networks; internet hosting services; cloud-based or distributed computing and data storage; managed services; and content delivery services.
3) Who Is a “Foreign Adversary”?
As noted above, an ICTS Transaction can be blocked after review if it: (1) involves ICTS “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary;” and (2) poses an undue or unacceptable risk.
The ICTS Rule retains the definition of “foreign adversary” in the proposed rule and the EO, namely “any foreign government or foreign non-government person determined by the Secretary [of Commerce] to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons.”
The ICTS Rule identifies six specific foreign governments and non-government persons as “foreign adversaries:”
- the People’s Republic of China, including the Hong Kong Special Administrative Region (China);
- the Republic of Cuba (Cuba);
- the Islamic Republic of Iran (Iran);
- the Democratic People’s Republic of Korea (North Korea);
- the Russian Federation (Russia); and
- Venezuelan politician Nicolás Maduro (Maduro Regime).
This list of foreign adversaries can be revised by the Secretary, and updates would be effective immediately upon publication in the Federal Register without prior notice or opportunity for public comment.
A “person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary” includes:
- “any person, wherever located, who acts as an agent, representative, or employee;”
- “any person who acts in any other capacity at the order, request, or under the direction or control, of a foreign adversary or of a person whose activities are directly or indirectly supervised, directed, controlled, financed, or subsidized in whole or in majority part by a foreign adversary;”
- “any person, wherever located, who is a citizen or resident of a nation-state controlled by a foreign adversary;”
- “any corporation, partnership, association, or other organization organized under the laws of a nation-state controlled by a foreign adversary;” and
- “any corporation, partnership, association, or other organization, wherever organized or doing business, that is owned or controlled by a foreign adversary.”
This means that any ICTS designed, developed, manufactured, or supplied by a Chinese, Cuban, Iranian, North Korean, or Russian corporation (or other legal entities), or a third country corporation owned or controlled by Chinese, Cuban, Iranian, North Korean, or Russian corporations, or citizens or residents of those countries, is at risk for review under the ICTS Rule. Between the vast breadth of the ICTS equipment whose transactions could be reviewed and the huge number of predominantly Chinese companies – and subsidiaries of Chinese companies that make ICTS equipment of this kind – the ICTS Rule allows Commerce to review and potentially order the removal of Chinese ICTS equipment from US ICTS systems.
4) What Factors Are Evaluated in the ICTS Transaction Review Analysis?
To determine whether an ICTS Transaction involves ICTS designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, Commerce would consider:
- whether the party or its component suppliers “have headquarters, research, development, manufacturing, test, distribution, or service facilities or other operations in a foreign country, including one controlled by a foreign adversary;”
- personal and professional ties between the party—including its officers, directors or similar officials, employees, consultants, or contractors—and any foreign adversary;
- laws and regulations of the foreign adversary in which the party is “headquartered or conducts operations, including research and development, manufacturing, packaging, and distribution;” and
- “any other criteria that the Secretary deems appropriate.”
These criteria allow for an even greater expansion of the scope of ICTS Transactions that could be reviewed. US companies that source components from China or other foreign adversary countries or from US companies that are owned by Chinese companies could have their transactions reviewed and blocked.
To determine whether an ICTS Transaction poses an undue or unacceptable risk, Commerce would consider:
- “threat assessments and reports prepared by the Director of National Intelligence;”
- “removal or exclusion orders issued by Department of Homeland Security, the Defense Department, or the Director of National Intelligence;”
- relevant provisions of the Defense Federal Acquisition Regulation and the Federal Acquisition Regulation;
- “entities, hardware, software, and services that present vulnerabilities in the United States as determined by the Department of Homeland Security;”
- “actual and potential threats to [the] execution of a ‘National Critical Function’ identified by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency;”
- “the nature, degree, and likelihood of consequence to the United States public and private sectors that could occur if ICTS vulnerabilities were to be exploited;” and
- “any other source or information that the Secretary deems appropriate.”
The ICTS Rule does not, however, offer any clear-cut standard as to what risks would trigger the blocking of transactions, instead adopting the standards set forth in the Executive Order, which includes the murky “unacceptable risk to the national security of the United States or the security and safety of United States persons.” Which risks are acceptable and which are unacceptable would be very much in the eye of the beholder.
5) What Are the Review Procedures?
The ICTS Rule, as issued, allows for Federal agencies, including Commerce, to request a review of a transaction to determine whether the transaction is an ICTS Transaction covered by the ICTS Rule. Commerce would have the power to accept the referral and commence an initial review of the transaction. If it found that the ICTS Transaction met the criteria for an undue or unacceptable risk, Commerce would issue an initial written determination and would notify the transaction’s parties through a Federal Register Notice or by serving a copy of the initial determination. The parties to the transaction would have the option of responding to the initial determination within 30 days of being served the initial determination or its publication in the Federal Register. Upon receipt of such a submission, Commerce would consider whether the information provided affects the initial determination. Commerce would issue a final determination on the ICTS Transaction within 180 days of accepting a referral and commencing the initial review unless it determined that additional time was necessary. The final determination would state whether the ICTS Transaction was prohibited, not prohibited, or permitted pursuant to the adoption of negotiated mitigation measures.
The ICTS Rule, as issued, does not indicate which office in the Department of Commerce would handle reviews of the ICTS Transaction.
6) What Technology Sectors Are Covered by the ICTS Rule?
Commerce broke down the types of technologies covered by the ICTS Rule into six main categories:
- “ICTS that will be used by a party to a transaction in a sector designated as critical infrastructure by Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience, including any subsectors or subsequently designated sectors;”
- software, hardware, or any other product or service integral to wireless local area networks, mobile networks, satellite payloads, satellite operations and control, cable access points, wireline access points, core networking systems, or long- and short-haul networks;
- software, hardware, or any other product or service integral to data hosting or computing services that “uses, processes, or retains, or is expected to use, process, or retain, sensitive personal data on greater than one million US persons at any point over the twelve (12) months preceding an ICTS Transaction;”
- certain ICTS products with sales of greater than one million units to US persons over the 12 months prior to an ICTS Transaction;
- “software designed primarily for connecting with and communicating via the internet that is in use by greater than one million US persons at any point over the twelve (12) months preceding an ICTS Transaction;”
- ICTS integral to artificial intelligence and machine learning, quantum key distribution, quantum computing, drones, autonomous systems, or advanced robotics.
The definition of “sensitive personal data” in the ICTS Rule includes many of the same categories of sensitive personal data as the CFIUS regulations. However, the CFIUS regulations exclude data maintained or collected by a US business concerning employees of the US business and data that is a matter of public record, whereas the ICTS Rule does not contain such an exclusion. Therefore, there may be some ICTS Transactions involving sensitive personal data that would be covered by the ICTS Rule but that are not covered by CFIUS.
7) Are Any ICTS Transactions Exempt or Excluded?
The ICTS Rule, as issued, clarifies that it would “not apply to an ICTS Transaction that CFIUS is actively reviewing, or has reviewed, as a covered transaction or covered real estate transaction or as part of such a transaction under section 721 of the Defense Production Act of 1950, as amended, and its implementing regulations.” However, transactions that are separate from or subsequent to a transaction for which CFIUS has concluded action under section 721 may be subject to review under the ICTS Rule if they are separate from the transaction reviewed by CFIUS.
Additionally, Commerce exempted from ICTS Transactions:
- “the acquisition of ICTS items by a United States person as a party to a transaction authorized under a US government-industrial security program;” and
- ICTS Transactions solely involving personal ICTS hardware devices, such as handsets.
8) Is There a Licensing Process for Potential Transactions?
In the ICTS Rule, as issued, Commerce stated an intention to publish licensing procedures by March 22, 2021, and to implement the licensing process by May 19, 2021. These procedures would provide criteria for seeking a license to enter into a proposed or pending ICTS Transaction or engage in an ongoing ICTS Transaction. Parties to a proposed, pending, or ongoing ICTS Transaction would have the option of seeking such a license. Reviews of license applications would be conducted on a fixed timeline, not to exceed 120 days from acceptance of an application. A license would be deemed granted if Commerce did not issue a license decision within 120 days from acceptance of an application for one. We assume this intention to issue a proposed licensing process, like the ICTS Rule itself, is on ice while it is being studied.
9) What Are Next Steps?
The ICTS Rule had been slated to take effect on March 22, 2021. However, according to Politico, Commerce has decided to delay its implementation for now. Commerce’s final rule would have addressed additional comments that had been due by March 22, 2021, but that will likely be paused as well. Commerce has not yet announced a timeline for its review of the ICTS Rule.
It remains to be seen exactly how the Biden Administration will treat the underlying EO and the ICTS Rule. Its apparent freezing of the ICTS Rule does not come as a major surprise. Incoming administrations commonly freeze pending rules in order to conduct their own assessment and sometimes make adjustments. On January 20, 2021, Ronald Klain, the Assistant to the President and Chief of Staff, sent a memorandum to the heads of executive departments and agencies, asking them to consider a 60-day postponement of the effective date for any rules that have been published in the Federal Register but have not yet taken effect. The stated purpose of this postponement is to review any “questions of fact, law, and policy the rules may raise.” The memorandum also encourages agency heads to consider opening a 30-day comment period for postponed rules to allow for comments on issues of fact, law, and policy raised by those rules and further postponing the effective date if the rules raise substantial questions. Here, a 60-day postponement from January 20, 2021 would result in the same effective date, i.e., March 22, 2021; however, the reported pause on the ICTS Rule could well be lengthier.
We anticipate the Biden Administration continuing a relatively assertive approach to China, albeit with a greater emphasis on working with allied countries. The reported delay of this rule’s effective date may allow for further narrowing of its scope, which may occur due to the significant impact that the ICTS Rule may have on Commerce and industry, as well as the likelihood of substantial additional comments by the public. The Arent Fox team will be monitoring the ICTS Rule closely.
10) How Does the ICTS Rule Affect Companies?
This ICTS Rule, if implemented as written, would significantly impact companies that have an international nexus in a number of different sectors, including telecommunications service providers, internet and digital service providers (including cloud computing service providers), and data hosting or computing equipment manufacturers. Additionally, the ICTS Rule would cover a large swath of ICTS Transactions and give the Secretary great discretion in determining whether a transaction should be prohibited or be permitted subject to mitigation measures. Critically, in addition to a very large number of Chinese and Russian companies already caught within the proposed rule, the Secretary would have the discretion to designate additional “foreign adversaries” without notice and with immediate effect.
ICTS companies should therefore be prepared to closely review their transactions to identify the equipment, software, and technology that may fall under the scope of this ICTS Rule, if it is implemented as issued. The docket for commenting on the ICTS Rule is currently still open, and we therefore recommend that interested companies consider submitting comments on the ICTS Rule now to highlight to the Biden Administration the ways in which the rule might be unduly burdensome as written. Further, companies would also be well-advised to submit further comments if the ICTS Rule is revised by the Biden Administration and an additional comment period is opened, as we expect it will be.