On November 26, 2021, the U.S. Department of Commerce (“Commerce”) published a Proposed Rule that expanded on a prior rule implementing provisions of Executive Order 13873 on Securing the Information and Communications Technology and Services (ICTS) Supply Chain. As explained further below, this rule augments prior rules and will force companies that make, develop, or assemble products outside the United States to pay close attention to their global operations and applicable regulatory regimes.

Regulating ICTS

In May 2019, President Trump issued Executive Order 13873, which empowered Commerce to address risks related to “foreign adversaries” creating and exploiting vulnerabilities in information and communications technology and services. In January 2021, Commerce issued an interim final rule implementing Executive Order 13873, which established the procedures through which Commerce will review ICTS transactions within its jurisdiction, set forth the criteria it would consider when making jurisdictional determinations, and formalized its ability to take action against transactions that present an undue or unacceptable risk. Additional information on the ICTS rule can be found in our prior alert.

Following the change in administration, President Biden issued Executive Order 14034, which withdrew some Trump-era directives and refined other measures authorized by Executive Order 13873. Importantly, the order brought within the scope of the ICTS rule the use in the United States of certain “connected software applications” designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, foreign adversaries. Shortly thereafter, Commerce published another Proposed Rule that expanded on Commerce’s January 2021 rule and explicitly added to its scope “connected software applications”—i.e., software, software programs, or groups of software programs, that are designed to be used on an end-point computing device and include as an integral functionality the ability to collect, process, or transmit data via the internet.

In effect, the Biden administration folded some application-specific executive actions from the prior administration into the broader rule (the “ICTS rule”), which could, in turn, apply to a larger portion of the ICTS supply chain. This action expanded the scope of the ICTS rule to include software apps. As a result, it now requires the government to look at “potential indicators of risk” before banning a transaction. This action is likely to impact popular social media, such as TikTok. It may also impact applications that, although not owned or controlled by foreign adversaries, present risks as a result of the applications’ use of technology or software from foreign adversaries.

The Updated ICTS Rule

The original ICTS rule outlined the processes and procedures that Commerce will use to identify, assess, and address transactions between U.S. and foreign persons that involve ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary and pose an undue or unacceptable risk (“ICTS Transactions”).

The November 2021 proposed rule adds references to connected software applications and risk factors relevant to the review of connected software applications, which include:

1. ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities;
2. use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;
3. ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary;
4. ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
5. a lack of thorough and reliable third-party auditing of connected software applications;
6. the scope and sensitivity of the data collected;
7. the number and sensitivity of the users of the connected software application; and
8. the extent to which identified risks have been or can be addressed by independently verifiable measures.

The ICTS rule still covers previously identified ICTS Transactions, which include any acquisition, importation, transfer, installation, dealing in, or use of any ICTS product that has been designed, developed, manufactured, or supplied by persons owned, controlled, subject to, or at the direction of foreign adversaries, which poses certain undue or unacceptable risks to U.S. national security.

Takeaways

As technology has burrowed itself into our daily lives, the vulnerabilities in the ICTS supply chain have gained the attention of decision-makers in the United States’ national-security apparatus. Personal, commercial, and government use of ICTS has exploded over the last decade and almost all users exchange sensitive material through ICTS. In parallel, multiple administrations have sought to address vulnerabilities in these systems through existing national security-related tools and seek additional powers to address concerns.

CFIUS, for example, has focused on investments and acquisitions in the ICTS space, and there are public reports of CFIUS action related to transactions in these industries as far back as 2014. In December 2017, President Trump moved to ban the use of an IT security provider within the U.S. government over concerns it was vulnerable to foreign influence. And in September 2020, President Trump issued Executive Orders specifically targeting and banning TikTok and WeChat—two Chinese applications.

These collective efforts now also include an industry-wide rule promulgated by the Commerce under a Republican administration and refined under a Democratic one. The Biden administration’s updates to the ICTS rule reflect a consistent focus by the U.S. government to evaluate and address vulnerabilities in this sector. Technology companies that make, develop, or assemble products in multiple countries should pay close attention to the ICTS rule and other regulatory regimes that could affect their operations.

[View source.]