Supply Chain Council of European Union | Scceu.org

Information And Communications Technology And Services Supply Chain Developments – International Law

On November 26, 2021, the U.S. Department of Commerce
(“Commerce”) published a Proposed Rule that expanded on a prior
rule implementing provisions of Executive Order 13873 on
Securing the Information and Communications Technology and Services
(ICTS) Supply Chain. As explained further below, this rule augments
prior rules and will force companies that make, develop, or
assemble products outside the United States to pay close attention
to their global operations and applicable regulatory regimes.

Regulating ICTS

In May 2019, President Trump issued Executive Order 13873, which empowered
Commerce to address risks related to “foreign
adversaries” creating and exploiting vulnerabilities in
information and communications technology and services. In January
2021, Commerce issued an interim final rule implementing Executive
Order 13873, which established the procedures through which
Commerce will review ICTS transactions within its jurisdiction, set
forth the criteria it would consider when making jurisdictional
determinations, and formalized its ability to take action against
transactions that present an undue or unacceptable risk. Additional
information on the ICTS rule can be found in our prior alert.

Following the change in administration, President Biden
issued Executive Order 14034, which withdrew some
Trump-era directives and refined other measures authorized by
Executive Order 13873. Importantly, the order brought within the
scope of the ICTS rule the use in the United States of certain
“connected software applications” designed, developed,
manufactured, or supplied by persons owned or controlled by, or
subject to the jurisdiction or direction of, foreign adversaries.
Shortly thereafter, Commerce published another Proposed Rule that expanded on Commerce’s
January 2021 rule and explicitly added to its scope “connected
software applications”—i.e., software, software
programs, or groups of software programs, that are designed to be
used on an end-point computing device and include as an integral
functionality the ability to collect, process, or transmit data via
the internet.

In effect, the Biden administration folded some
application-specific executive actions from the prior
administration into the broader rule (the “ICTS rule”),
which could, in turn, apply to a larger portion of the ICTS supply
chain. This action expanded the scope of the ICTS rule to include
software apps. As a result, it now requires the government to look
at “potential indicators of risk” before banning a
transaction. This action is likely to impact popular social media,
such as TikTok. It may also impact applications that, although not
owned or controlled by foreign adversaries, present risks as a
result of the applications’ use of technology or software from
foreign adversaries.

The Updated ICTS Rule

The original ICTS rule outlined the processes and procedures
that Commerce will use to identify, assess, and address
transactions between U.S. and foreign persons that involve ICTS
designed, developed, manufactured, or supplied by persons owned by,
controlled by, or subject to the jurisdiction or direction of a
foreign adversary and pose an undue or unacceptable risk
(“ICTS Transactions”).

The November 2021 proposed rule adds references to connected
software applications and risk factors relevant to the review of
connected software applications, which include:

  1. ownership, control, or management by persons that support a
    foreign adversary’s military, intelligence, or proliferation
    activities;

  2. use of the connected software application to conduct
    surveillance that enables espionage, including through a foreign
    adversary’s access to sensitive or confidential government or
    business information, or sensitive personal data;

  3. ownership, control, or management of connected software
    applications by persons subject to coercion or cooption by a
    foreign adversary;

  4. ownership, control, or management of connected software
    applications by persons involved in malicious cyber
    activities;

  5. a lack of thorough and reliable third-party auditing of
    connected software applications;

  6. the scope and sensitivity of the data collected;

  7. the number and sensitivity of the users of the connected
    software application; and

  8. the extent to which identified risks have been or can be
    addressed by independently verifiable measures.

The ICTS rule still covers previously identified ICTS
Transactions, which include any acquisition, importation, transfer,
installation, dealing in, or use of any ICTS product that has been
designed, developed, manufactured, or supplied by persons owned by,
controlled by, or subject to the jurisdiction or direction of
foreign adversaries, and that poses certain undue or unacceptable
risks to U.S. national security.

Takeaways

As technology has burrowed itself into our daily lives, the
vulnerabilities in the ICTS supply chain have gained the attention
of decision-makers in the United States’ national-security
apparatus. Personal, commercial, and government use of ICTS has
exploded over the last decade and almost all users exchange
sensitive material through ICTS. In parallel, multiple
administrations have sought to address vulnerabilities in these
systems through existing national security-related tools and have
sought additional powers to address concerns.

CFIUS, for example, has focused on investments and acquisitions
in the ICTS space, and there are public reports of CFIUS action
related to transactions in these industries as far back as 2014. In December 2017, President Trump moved to ban the use of
an IT security provider within the U.S. government over
concerns it was vulnerable to foreign influence. And in
September 2020, President Trump issued Executive Orders
specifically targeting and banning TikTok and WeChat—two
Chinese applications.

These collective efforts now also include an industry-wide rule
promulgated by Commerce under a Republican administration and
refined under a Democratic one. The Biden administration’s
updates to the ICTS rule reflect a consistent focus by the U.S.
government to evaluate and address vulnerabilities in this sector.
Technology companies that make, develop, or assemble products in
multiple countries should pay close attention to the ICTS rule and
other regulatory regimes that could affect their operations.

Because of the generality of this update, the information
provided herein may not be applicable in all situations and should
not be acted upon without specific legal advice based on particular
situations.

© Morrison & Foerster LLP. All rights reserved
