Commerce proposes to regulate a broad range of transactions involving information and communications technology and services (“ICTS”) that involve a foreign adversary country, including transactions occurring entirely abroad. The rule would give Commerce authority to prohibit, permit, require unwinding, or require mitigation for ICTS activities. The regulations target transactions that pose an undue risk to ICTS in the United States, to the critical infrastructure or the digital economy in the United States, or an unacceptable risk to national security or to the security and safety of U.S. persons. Commerce has not yet determined which countries would qualify as foreign adversaries, thus triggering an ICTS risk under the rule, although general speculation is that China will be designated. Commerce has not delegated administration of this process to any of its sub-agencies, and instead will conduct the reviews at the Secretary level in consultation with other agencies.
Given the broad scope of the proposed process, combined with the open-ended criteria to be used in determining which transactions require action, this rulemaking could impact a wide range of U.S. and foreign companies operating in the ICTS sector. Potentially covered transactions could include, for example, imports of ICTS equipment, foreign ICTS manufacturing and supply arrangements, and foreign ICTS service contracts. Companies with ICTS supply chain activities in China or service contracts with Chinese companies might consider avenues for engagement with the Commerce Department by filing comments.
A summary of the proposed rule and its potential impact follows.
The Commerce Department is proposing a new set of regulations at 15 C.F.R. Part 7, titled “Securing the Information and Communications Technology and Services Supply Chain,” to implement the ICTS transaction portions of EO 13873. The review process broadly would apply to any acquisition, importation, transfer, installation, dealing in, or use of information and communications technology or services (a “transaction”) that meets each of the following conditions:
The Secretary of Commerce, in consultation with the heads of any number of other Federal agencies, will evaluate whether a party to the transaction is owned, controlled by, or subject to the jurisdiction or direction of a foreign adversary. In its notice, Commerce stated that the process for identifying foreign adversaries is subject to the sole discretion of the agency (in consultation with other agencies), and that it is not soliciting comment on which countries should be so designated. If the transaction is determined to involve ICTS items designed, developed, manufactured, or supplied by a foreign adversary party, then the Secretary of Commerce will evaluate whether the transaction:
i. Poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States;
ii. Poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; or
iii. Otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.
A review may be initiated at the Secretary’s discretion, based on a referral from another Federal agency, or based on information submitted by private parties through a website tip portal that the Secretary determines to be credible. The Secretary will take a “case-by-case” and “fact-specific” approach in evaluating transactions. There are no categorical exclusions at this time for less-sensitive products, parties, or types of transactions.
Only after making a preliminary determination that a transaction meets the criteria for action will the Secretary notify the transaction parties and invite them to submit an opposition along with supporting information. With that notification, the Secretary will provide a basis for the preliminary determination, “to the extent such explanation can be provided consistent with national security” – meaning that the basis may be withheld on grounds that it is classified. The Secretary will issue a final determination within 30 days. While proprietary information submitted by the parties will be protected from disclosure by Commerce’s Freedom of Information Act (“FOIA”) rules, a summary of the Secretary’s final determination will be published.
The Secretary will not issue advisory opinions or declaratory rulings, and there is no opportunity to voluntarily notify, pre-clear, or obtain a license for a covered transaction.
Another procedural point of significance is that the Secretary may dispense with these procedures altogether, and impose an emergency action on the transaction, if the Secretary determines public harm is likely to occur or national security interests require it. In such instances, the Secretary is to provide a final written determination of the basis for the emergency action. However, the written determination is to be presented in a manner “consistent with national security interests” – meaning again that classified information may be withheld.
Penalties for violating a determination by the Secretary or a mitigation condition, or for providing false or misleading information, are severe. The penalties are based on the International Emergency Economic Powers Act (“IEEPA”), 50 U.S.C. 1705, which, for example, includes civil fines up to $302,584 per transaction or twice the value of the transaction.
These rules will reach any ICTS transaction with a U.S. nexus and a foreign element. That could include transactions conducted by foreign parties occurring abroad, where there is a U.S. company, citizen or green card holder involved, or where any products, software, or technology subject to U.S. jurisdiction is involved. This jurisdictional scope goes further than the Commerce Department’s typical reach through the Export Administration Regulations, by pulling in U.S. persons wherever located, even if the products are entirely foreign.
The Secretary could review a transaction that has been notified to the Committee on Foreign Investment in the United States (“CFIUS”) chaired by the U.S. Department of the Treasury. If Commerce becomes aware of a transaction with an ICTS component that meets the review criteria, it may initiate a separate proceeding under these new rules. That creates tension with the CFIUS rules, which, according to statute, provide for total confidentiality of a notified transaction. In contrast, the Secretary is obligated to publish a final determination under the ICTS process.
Likewise, the Secretary also could review a transaction that Commerce becomes aware of through the export licensing process. Licensing information is kept generally confidential through the FOIA rules as well as the Export Control Reform Act (“ECRA”), which again is in contrast to the publication requirement under this process.
The new process could capture a sweeping range of transactions. The regulatory language conceivably could allow the Commerce Department to block: imports to the United States of ICTS equipment originating in a foreign adversary country; contract manufacturing of ICTS products for U.S. companies in such countries for resale abroad; or ICTS-related procurements, investments, or provision of services by U.S. persons acting abroad involving a foreign adversary party or country.
This regulation goes further than the recent rules relating to exports, foreign investment in the United States, or U.S. defense procurement, and could catch by surprise U.S. companies that do not consider themselves to be network or internet service providers.
Given the broad scope and potentially significant impact of these proposed rules, companies operating in the ICTS sector with a U.S. nexus, which also have dealings with China (or potentially other targeted countries such as Russia), might want to act fast in developing a response strategy. The Commerce Department has issued a short window for public comments, through December 27, 2019. It is specifically soliciting industry feedback on:
Are there any types of transactions that should qualify for categorical exclusion from this process?
Are there any types of transactions that could be reliably and adequately mitigated to prevent undue or unacceptable risk, and if so, what form could such mitigation measures take? Moreover, how could Commerce be kept informed of circumstances that could render the mitigation obsolete, no longer effective, or newly applicable?
How are the terms “dealing in” and “use of” best interpreted when defining a transaction?
What recordkeeping requirements should apply to qualifying ICTS transactions?
Companies might consider whether to speak up individually or join with a representative industry association. Each approach raises pros and cons in terms of achieving the company’s goals for impact, specificity of comments, and management of publicity and exposure to regulators. In the past, many companies have found avenues for engagement through submitting confidential white papers or requesting private meetings for oral presentations to submit proprietary information. In this case, Commerce has stated that it will require a public summary of any information presented through such channels, and Commerce has not made available any other mechanism for submission of proprietary information.
A carefully planned strategy that includes relevant company stakeholders, and consideration of options for industry coordination and engagement with regulators, will be essential in responding quickly to this proposed rulemaking.