Wilson Sonsini Goodrich & Rosati

On January 19, 2021, we saw the publication of both an interim final rule from the Department of Commerce (Commerce) to address the security of the U.S. supply chain for information technology (the Rule)[1] and a new cyber-security executive order (the Order),[2] both issued under the authority of the International Emergency Economic Powers Act (IEEPA). These issuances represent the final regulatory efforts by the outgoing Trump administration to exercise enhanced national security oversight over U.S. information technology (IT) companies' interactions with foreign actors.

Both the Rule and the Order grant the U.S. government new oversight powers over private commercial agreements related to IT between U.S. businesses and foreign entities. The Rule, in particular, creates a regulatory regime that permits Commerce to review many U.S. companies' commercial agreements with foreign parties from certain nations—most notably, Chinese and Russian parties—in a manner similar to that in which the Committee on Foreign Investment in the United States (CFIUS) reviews investments by foreign parties. U.S. companies would have the option to seek a license for covered IT transactions in advance from the Department of Commerce. Those who do not would run the risk of having the government interfere in their procurement of IT products and services from selected foreign parties. If the Biden administration decides to exercise the new powers granted under the Rule—and it may or may not, as discussed below—it would be a startling expansion of U.S. government national security oversight in the technology sector.

Top-Line Summaries of the Rule and the Order

The Rule, which takes effect on March 22, 2021, empowers the Secretary of Commerce (the Secretary) to place limitations on or block ICTS[3] transactions where a "foreign adversary" or certain related entities have designed, developed, manufactured, or supplied the goods or services at issue. The Rule applies to any transaction with a qualifying party initiated, pending, completed, or updated on or after January 19, 2021. In addition, the Rule indicates that further rules detailing a pre-approval licensing process for IT transactions with foreign adversaries will be issued in the next 60 days.

The Order, meanwhile, expands an Obama administration-era executive order sanctioning parties engaged in malicious cyber-enabled activities. The Order would require providers of Infrastructure as a Service (IaaS) to verify and maintain records regarding the identities of foreign persons that use their services. The stated intention is to help address, for example, the use by a malicious party of an IaaS service to launch a cyberattack while concealing that party's identity. The Order will not take effect, at the earliest, until implementing regulations are issued, which is supposed to occur within 180 days of its publication (i.e., no later than July 18, 2021).

The Rule – Details and Deadlines

The Rule implements an earlier 2019 executive order authorizing Commerce to restrict, and even prohibit, certain transactions in the U.S. related to Information and Communications Technology and Services (ICTS) that involve "foreign adversaries." Citing a number of risks to certain data and networks by foreign adversaries, it is the last in a string of recent actions that, according to the Trump administration, were intended to help secure various U.S. supply chains and systems from foreign adversaries. For more on the 2019 executive order and examples of related issuances under that order, please see our previous alerts here and here.

Under the Rule, Commerce may review[4] and then prohibit or restrict any transaction initiated, pending, or completed on or after January 19, 2021, that is:

  • an ICTS transaction ("any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.");
  • conducted by any person subject to the jurisdiction of the United States or involves property subject to the jurisdiction of the United States;
  • involving any of six categories of ICTS that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a "foreign adversary" (identified in the Rule initially as China (including Hong Kong), Cuba, Iran, North Korea, Russia, and Venezuelan politician Nicolas Maduro—a list subject to expansion by the Secretary); and
  • an "undue or unacceptable risk" to the national security of the United States.

The six categories of technologies covered by the Rule include any ICTS that:

  • will be used by a party to a transaction in a sector designated as "critical infrastructure" by Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience;
  • are integral to wireless local area networks, mobile networks, satellite payloads, satellite operations and control, cable access points, wireline access points, core networking systems, or long- and short-haul networks;
  • are integral to data hosting or computing services that use, process, or retain or are expected to retain "sensitive personal data"[5] on greater than one million U.S. persons at any point over the 12 months preceding an ICTS transaction;
  • include surveillance or monitoring devices (e.g., webcams), home networking devices (e.g., routers), or unmanned aerial systems (e.g., drones), if one million units have been sold to U.S. persons over the preceding 12 months;
  • include software designed primarily for connecting with and communicating via the internet that is in use by greater than one million U.S. persons at any point over the 12 months preceding the ICTS transaction (e.g., mobile apps and gaming applications); and
  • are integral to artificial intelligence and machine learning, quantum key distribution, quantum computing, drones, autonomous systems, or advanced robotics.

Commerce is granted the authority under the Rule to require the production of documentation related to the transaction under oath, as well as conduct investigations, hold hearings, take depositions, and issue subpoenas, among other powers. Unlike information submitted through the CFIUS process, information submitted to Commerce is not automatically exempt from FOIA. Each investigation is supposed to conclude within 180 days, but the Secretary is permitted to extend that timeline.

The Rule sets forth a three-stage review process for Commerce to follow where it becomes aware of and wishes to review a covered transaction. During the "Initial Review," the ICTS transaction is reviewed to determine whether it poses an undue or unacceptable risk by applying 10 criteria set forth in the Rule. After the Initial Review, Commerce makes the "Initial Determination" as to whether the transaction meets the criteria for review. If it meets the criteria, then Commerce will notify the parties to the transaction of the determination, including whether Commerce proposes to prohibit the transaction or to impose mitigation measures as a condition of permitting the transaction.

Upon receipt of Commerce's determination, the parties have 30 days to respond in writing, to argue that there is no undue or unacceptable risk posed by the transaction or to propose (or counter-propose) mitigation measures. After the response is received (or if 30 days have passed without any response), Commerce can proceed to the "Final Determination" stage, during which it will consult with other U.S. government agencies to reach consensus on whether to prohibit or permit (with mitigation as appropriate) the transaction. In the absence of consensus, the matter will be sent to the President for a final decision. Final Determinations will be published in the Federal Register.

Within 60 days of the publication of the Rule, Commerce will publish procedures for the parties to an ICTS transaction to seek a license for the transaction. The notice specifies that the license reviews will be conducted on a timeline not to exceed 120 days, and that failure to issue a decision on the license will constitute approval of the license. This is reminiscent of the way in which CFIUS historically has operated—i.e., parties may submit transactions for approval in order to obtain safe harbor from later intervention. Where they decide to not file for approval, there is continuing risk of a later review of the transaction.

Key Rule Dates

  • Jan. 19, 2021: Rule published; earliest date of transaction to which the Rule applies when it takes effect
  • Mar. 20, 2021: Latest date for publication of process to seek a license for a transaction (60 days after publication of the Rule)
  • Mar. 22, 2021: Rule takes effect; comments on the Rule are due
  • May 19, 2021: Latest date for implementation of Commerce procedures for licensing process (120 days after publication of the Rule)

The Order – Details and Deadlines

The Order, published January 19, 2021, on the White House website and January 25, 2021, in the Federal Register, observed that "[f]oreign actors use United States IaaS products for a variety of tasks in carrying out malicious cyber-enabled activities, which makes it extremely difficult for United States officials to track and obtain information through legal process before these foreign actors transition to replacement infrastructure and destroy evidence of their prior activities." This Order amends Executive Order 13694 of April 1, 2015, "Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities," to address the use of United States Infrastructure as a Service (IaaS) products by foreign malicious cyber actors. It directs Commerce to promulgate regulations that would require IaaS providers to verify the identities of foreign persons using their services and maintain records concerning those foreign persons' identity, payment information, and usage of the IaaS. This is similar in many ways to the requirements of anti-money laundering laws and the associated "know your customer" rules.

The Order also directs Commerce to promulgate regulations to place limitations on IaaS providers' ability to provide accounts to yet-to-be identified persons or to persons located in yet-to-be identified jurisdictions found to be the source of malicious cyber-enabled activities using IaaS. "Special measures" may be required for certain jurisdictions or persons that meet the criteria of the Order, Section 2(a). This may include prohibitions or conditions on accounts within certain foreign jurisdictions or on certain foreign persons, including resellers. While countries are not named by the Order (unlike the Rule, discussed above), the "special measures" would apply to foreign jurisdictions that have a significant number of persons offering or obtaining a U.S. IaaS product to be used for malicious cyber-enabled activity, and to foreign persons that have an established pattern of offering or obtaining such products for use in malicious cyber-enabled activities, taking into account other factors in Section 2(a).

It also directs the Attorney General and Secretary of Homeland Security to engage with industry to obtain recommendations to increase information sharing and collaboration among IaaS providers and between IaaS providers and the agencies. These recommendations could include even more regulations from Commerce.

Key Order Dates

  • Jan. 19, 2021: Rule published on White House website
  • Jan. 25, 2021: Rule published in the Federal Register
  • May 19, 2021: Solicitation of feedback from industry regarding cooperative efforts to deter abuse (Section 3a – within 120 days after publication of Order)
  • July 18, 2021: Notice and comment rulemaking regarding verification of identity requirements for foreign person IaaS accountholders (Section 1 – within 180 days after publication of the Order); notice and comment rulemaking regarding "special measures" required of IaaS providers (Section 2a – within 180 days after publication of the Order)
  • Sept. 16, 2021: Report due to the President regarding voluntary information sharing (Section 3b – within 240 days of the publication of the Order)
  • Mar. 16, 2022: Earliest enforcement of "special measures" requirements (Section 2e – enforcement not until 180 days after issuance of final rule)

Observations and Recommendations

Both the Rule and the Order were published the day before the end of the Trump administration, and it will be up to the new Biden administration to determine whether and how to proceed with implementing regulations.

The Rule is expected to become effective shortly. While the Biden administration may narrow and could even rescind it after comments on the interim final version are received, companies in the IT sector and their customers likely will have to begin preparing to comply with it in some form. Nevertheless, there is no staff at Commerce currently dedicated to finding ICTS transactions or reviewing related license applications. While we believe it is unlikely the Biden administration will revoke the Rule entirely, it is less clear that it will prioritize staffing at Commerce to establish and implement the new transaction review and licensing process. Accordingly, whether and how the Rule and licensing regime are modified, implemented, and used is still very much to be determined. However, the impact of the Biden administration choosing to exercise the underlying authorities would be significant:

  • The universe of ICTS transactions subject to the rule is very broad, covering a wide array of hardware, software, and related services that a U.S. company might use (e.g., routers, webcams, cloud services) inside or outside the U.S. if, for example, a Chinese company is providing those items or services.
  • The Rule could impact agreements entered into prior to January 19, 2021, because it applies to actions that take place after that date—for example, software updates—not necessarily just to the underlying agreements.
  • The sensitive personal data trigger for an ICTS transaction may limit data hosting and services in China and other "foreign adversary" jurisdictions, which in turn may pose increased privacy and compliance burdens for companies operating globally.
  • Notwithstanding the broad reach of the Rule, most ICTS transactions are not widely visible to third parties (though the reach of the U.S. Intelligence Community should not be underestimated); as a result, the relative benefit of seeking a license versus merely seeking to avoid government scrutiny is uncertain.
  • Should a company become subject to a Final Determination, violation of that Final Determination, including of any mitigation agreement, may carry both civil and criminal penalties.

The Rule will present challenges to U.S. businesses that procure IT items or services from China, Russia, or other nations listed as foreign adversaries. As we wait to see how the Rule is finally implemented, companies may wish to undertake a review of their current and contemplated vendors and ICTS supply chain for any hardware, software, or services that could fall under the Rule, and to consider how they might amplify existing supplier due diligence programs for compliance with the new Rule. Companies may also consider whether they want to submit comments to Commerce, which are due on or before March 22, 2021.

The Order offers a longer time horizon before implementation and a number of opportunities for notice and comment. Ultimately, we expect IaaS providers to see heightened due diligence obligations for foreign accounts, accountholders, and resellers. We will be continuing to monitor developments in this space.

[1] “Securing the Information and Communications Technology and Services Supply Chain,” 86 Fed. Reg. 4909 (Jan. 19, 2021), to be codified at 15 C.F.R. 7.

[2] Executive Order 13984 of January 19, 2021, “Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities,” 86 FR 6837 (Jan. 25, 2021).

[3] The Rule defines “ICTS” as any “hardware, software, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.”

[4] The Rule specifies that an ICTS transaction that has been reviewed or is undergoing review by CFIUS is not subject to separate review under this Rule.

[5] The Rule uses a definition of sensitive personal data similar to that contained in the CFIUS regulations at 31 C.F.R. 800.241. That definition includes genetic testing information; financial data that could be used to indicate an individual's financial distress or hardship; the set of data included in consumer reports; the set of data used for health and certain financial insurance applications; data relating to the physical, mental, or psychological health condition of an individual; non-public electronic communication information; certain geolocation data; biometric data; data stored and processed for generating government identification cards; data concerning U.S. government personnel security clearance status; and data from security clearance or employment applications.