On June 9, 2021, the White House issued EO 14034 on “Protecting Americans’ Sensitive Data from Foreign Adversaries.” The White House also issued an accompanying fact sheet, which specifically references China as a country that “seek[s] to leverage digital technologies and Americans’ data in ways that present unacceptable national security risks while advancing authoritarian controls and interests.” This new EO builds upon EO 13873 on “Securing the Information and Communications Technology and Services Supply Chain” (ICTS EO), which was issued in May 2019.
This new EO takes several actions:
First, it revokes earlier EOs from August 2020 that would have effectively made TikTok and WeChat impossible to use in the U.S. (though it does not revoke the separate presidential order requiring ByteDance to divest certain U.S. assets), as well as an EO from January 2021 targeting a number of additional Chinese apps.
Second, it requires certain Executive branch agencies to prepare reports recommending how to use the ICTS EO to protect U.S. Persons’ sensitive data, address risks posed by connected software applications, and protect against the risks posed by certain ICTS transactions.
We summarize these actions below, as well as the broader policymaking context of which they are a part. In brief, these actions are consistent with the Biden Administration’s prioritization of supply chain security as a top national priority, and its efforts to take a “whole of government” approach that links policies implemented across a number of different executive branch agencies.
Revocation of prior EOs
Effective immediately, the EO revokes the prior EOs targeting WeChat, TikTok, and other Chinese apps. The rules implementing the WeChat and TikTok EOs were the subject of extensive litigation and were enjoined nationwide by several different federal courts; those injunctions are currently pending appeal. The revocation of these EOs likely means that the litigation will cease, as it is now moot.
While the January 2021 EO was not the subject of litigation, its revocation means rules restricting the apps named in that EO (Alipay, CamScanner, QQ Wallet, SHAREit, Tencent QQ, WeChat Pay, and WPS Office) will not be issued in the near future, though it is possible that the ICTS EO could still be used to target these apps at a later date.
Implementation of the EO
In addition to revoking prior actions, the new EO establishes a road map for the Executive branch to take further actions targeting specific risks, as described below.
U.S. Persons’ sensitive data
The EO directs the Department of Commerce to assess the risks that foreign adversary access poses to U.S. Persons’ sensitive data. First, within 60 days of the EO’s issuance, the Director of National Intelligence is required to provide threat assessments, and the Department of Homeland Security is required to provide vulnerability assessments, to the Department of Commerce to support the development of a report and recommendations for action.
This report, which must be prepared within 120 days by the Department of Commerce in consultation with the Departments of State, Defense, Justice, Health and Human Services, and Homeland Security and the Director of National Intelligence, shall provide recommendations to protect against the following harms posed by persons owned or controlled by, or subject to the jurisdiction or direction of, a “foreign adversary,” including China:
The unrestricted sale of, transfer of, or access to U.S. Persons’ sensitive data, including personally identifiable information, personal health information, and genetic information.
Access to large data repositories.
Connected software applications
Second, within 180 days of the EO’s issuance, the Department of Commerce, in consultation with the Departments of State, Defense, Justice, and Homeland Security and the Director of the Office of Management and Budget, shall provide a report recommending additional executive and legislative actions to address the risks associated with “connected software applications” that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.
The EO defines a “connected software application” to mean: software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the Internet.
Ongoing evaluation of transactions
Finally, the EO directs the Commerce Department, consistent with the requirements of the ICTS EO, to evaluate on an ongoing basis transactions involving connected software applications that may:
Pose an undue risk of sabotage or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of ICT or services in the U.S.
Pose an undue risk of catastrophic effect on the security or resiliency of the critical infrastructure or digital economy of the U.S.
Otherwise pose an unacceptable risk to the national security of the U.S. or the security and safety of U.S. Persons.
To address such transactions, the EO directs the Commerce Department to take appropriate action under EO 13873.
The preamble of the EO sets forth criteria that should be used in evaluating the risks of a connected software application for purposes of the above. These include:
Ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities.
Use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data.
Ownership, control, or management of connected software applications by persons involved in malicious cyber activities.
A lack of thorough and reliable third-party auditing of connected software applications.
The scope and sensitivity of the data collected.
The number and sensitivity of the users of the connected software application.
The extent to which identified risks have been or can be addressed by independently verifiable measures.
The EO also notes that persons who own, control, or manage connected software applications can be targeted via other authorities if they engage in serious human rights abuses or otherwise facilitate such abuse.
In addition to providing greater clarity as to how the ICTS rule will likely be implemented, these criteria are also likely aimed at bolstering the evidentiary record and policy rationale behind any future actions taken under the EO, in order to help them withstand legal challenges (which ultimately prevented the WeChat and TikTok EOs from ever being implemented).
This was also likely part of the rationale for the recent issuance of an EO regarding U.S. Person investment in certain companies linked to the Chinese military-industrial complex or surveillance technology sector, an earlier version of which was subject to repeated legal challenges, resulting in rare losses in court for the Department of Defense.
This EO is not being issued in a vacuum; rather, it is part of a broader series of efforts by the Biden Administration taking a “whole of government” approach to cybersecurity, infrastructure security, and supply chain security.
On June 8, the White House released a report on U.S. supply chains that was the result of a recently completed 100-day interagency review required under an earlier EO. That report addressed, among other things, semiconductors, advanced batteries, and critical materials and minerals. In May, the White House issued an EO addressing cybersecurity, pursuant to which the National Telecommunications and Information Administration (NTIA) released a request for comment regarding the minimum elements of a Software Bill of Materials (SBOM), in order to improve the transparency of the software supply chain.
Likewise, the Department of Energy (DOE) in April released a request for information on Ensuring the Continued Security of United States Critical Electric Infrastructure, which was focused on “preventing exploitation and attacks by foreign threats to the U.S. supply chain,” and expressly stated that it was “part of larger coordinated effort” related to the ongoing supply chain review. This RFI shortly preceded the Biden Administration’s decision to let an earlier EO regarding the U.S. Bulk-Power System expire.
Taken together, these actions indicate that the Biden Administration is treating issues of cybersecurity, infrastructure security, and supply chain security holistically and as part of a broader policymaking initiative across different executive branch agencies. The revocation of the WeChat and TikTok EOs and the lapse of the Bulk-Power EO are consistent with this approach, and mark a reversal of the Trump Administration’s approach of taking discrete actions, frequently against individual companies.
While the impact of these policies is likely to be broad in scope, the Administration is signaling that it intends to return to a more traditional policymaking process, both to comprehensively address what it sees as a series of related threats that cut across different policy domains, and to ensure that its actions rest on firmer legal ground that will be capable of withstanding legal challenges.
Businesses should remain alert to additional actions, whether under forthcoming EOs, implementing regulations, or guidance from involved agencies to address the ongoing national security threat against U.S. information and communications technology and services supply chains.