On November 26, 2021, the U.S. Department of Commerce (“Commerce”) issued a Proposed rule which expanded an earlier rule implementing the provisions of Executive Order 13873 on Securing the Information and Communications Technology and Services (ICTS) Supply Chain. As explained below, this rule complements previous rules and will require companies that manufacture, develop, or assemble products outside of the United States to pay close attention to their global operations and applicable regulatory regimes.
In May 2019, President Trump released Executive Order 13873, which has enabled Commerce to address the risks associated with “foreign adversaries” creating and exploiting vulnerabilities in information and communications technologies and services. In January 2021, Commerce issued a provisional final rule implementing Executive Order 13873, which established the procedures by which Commerce will review ICTS transactions in its jurisdiction, set out the criteria it would consider when making jurisdictional decisions, and formalized its ability to take action against transactions that present an undue or unacceptable risk. Additional information on the ICTS rule can be found in our previous alert.
Following the change in administration, President Biden released Executive Order 14034, which removed some Trump-era guidelines and refined other measures authorized by Executive Order 13873. Importantly, the order brought into the scope of the ICTS rule the use in states States of certain “connected software applications” designed, developed, manufactured or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of foreign adversaries. Shortly thereafter, the Commerce Department released another proposal To reign which expanded Commerce’s January 2021 rule and explicitly added “connected software applications” to its scope –that is to say., software, software programs, or groups of software programs, which are designed for use on an endpoint computing device and include as an integral feature the ability to collect, process, or transmit data over the Internet.
Indeed, the Biden administration has incorporated certain executive actions specific to the previous administration’s enforcement into the broader rule (the “ICTS Rule”), which could, in turn, apply to a larger portion of the ICTS supply chain. This action expanded the scope of the ICTS rule to include software applications. As a result, it now requires the government to consider “potential indicators of risk” before banning a transaction. This action is likely to impact popular social networks, such as TikTok. It may also impact apps that, while not owned or controlled by foreign adversaries, pose risks due to the apps’ use of foreign adversaries’ technology or software.
The updated ICTS rule
The original ICTS Rule described the processes and procedures that Commerce will use to identify, evaluate, and address transactions between U.S. and foreign persons that involve ICTS designed, developed, manufactured, or supplied by persons owned, controlled by, or subject to the jurisdiction. or direction of a foreign adversary and present an undue or unacceptable risk (“ICTS Transactions”).
The November 2021 proposed rule adds references to connected software applications and risk factors relevant to the review of connected software applications, including:
- ownership, control or management by persons who support the military, intelligence or proliferation activities of a foreign adversary;
- using the Connected Software Application to conduct surveillance that enables espionage, including gaining access by a foreign adversary to sensitive or confidential government or commercial information, or sensitive personal data;
- ownership, control or management of connected software applications by persons subject to coercion or co-optation by a foreign adversary;
- ownership, control or management of connected software applications by persons involved in malicious cyber activities;
- a lack of thorough and reliable third-party auditing of connected software applications;
- the scope and sensitivity of the data collected;
- the number and sensitivity of users of the connected software application; and
- the extent to which the identified risks have been or can be addressed by independently verifiable measures.
The ICTS Rule still covers previously identified ICTS transactions, which include any acquisition, import, transfer, installation, sale, or use of any ICTS product that has been designed, developed, manufactured, or supplied by persons owned, controlled, subject to, or under the direction of foreign adversaries, which poses certain undue or unacceptable risks to the national security of the United States.
Take away food
As technology has buried itself in our daily lives, vulnerabilities in the ICT supply chain have captured the attention of decision makers in the United States’ national security apparatus. Personal, commercial and government use of ICTS has exploded over the past decade and almost all users are exchanging sensitive material through ICTS. At the same time, several administrations have sought to address vulnerabilities in these systems with existing national security tools and seek additional powers to address concerns.
CFIUS, for example, has focused on investments and acquisitions in the ICTS space, and there are public reports of CFIUS actions related to transactions in these industries as early as the 2014. In December 2017, President Trump has decided to ban the use of a computer security vendor in the US government, fearing that it is vulnerable to foreign influence. And in September 2020President Trump issued executive orders specifically targeting and banning TikTok and WeChat, two Chinese apps.
These collective efforts now also include an industry-wide rule enacted by Commerce under a Republican administration and refined under a Democratic administration. Updates to the ICTS rule by the Biden administration reflect an ongoing US government focus on assessing and addressing vulnerabilities in this sector. Technology companies that manufacture, develop or assemble products in multiple countries should pay close attention to the ICTS rule and other regulatory regimes that could affect their operations.
Due to the generality of this update, the information provided here may not be applicable in all situations and should not be applied without specific legal advice based on particular situations.
© Morrison & Foerster LLP. All rights reserved