In today's world, technology is everywhere, from our smartphones to our cars. In 2021, the Department of Commerce began a regulatory process to establish technology importing restrictions and address national security concerns from technology system exploits that could permit unauthorized access to sensitive data, disrupt critical infrastructure, or even manipulate technology. The goal of this new regulatory effort is to safeguard U.S. national security, critical infrastructure, and the digital economy from these threats.
The Office of Information and Communications Technology and Services (ICTS) sets up a framework for reviewing and regulating ICTS transactions, or the types of general commercial and business supply chain relationships that are outside of the scope of foreign investment reviews conducted by the Committee for Foreign Investment in the United States (CFIUS). The ICTS process may undergo review and expansion under the #AmericaFirst trade policies, but here is an outline of the program so far:
- Scope and Application: The rule applies to transactions that could pose risks to U.S. national security. This includes buying, importing, transferring, installing, or using ICTS from foreign adversaries. Certain transactions involving ICTS from foreign adversaries will be banned unless authorized by the Secretary of Commerce.
- Regulatory Review: The process starts with an initial review to see if the transaction involves a foreign adversary and poses a risk. If risks are found, a detailed assessment is done. Based on this, the Secretary of Commerce decides whether to prohibit, mitigate, or allow the transaction.
There are a number of scenarios where the ICTS rule comes into play:
- Connected Vehicles: If a car manufacturer wants to import vehicles with software and hardware from China, they would need prior authorization from the Secretary of Commerce to import the software as soon as model year 2027. This includes components like Wi-Fi, Bluetooth, and navigation systems as soon as model year 2029.
- Cybersecurity Software: A U.S. company using cybersecurity software from a Russian developer would need to go through a review process. If the software is deemed a threat, the transaction could be blocked.
- Data Hosting Services: A U.S. firm looking to partner with a Chinese data hosting service would need to assess the risks. If the service compromises sensitive data, the partnership could be prohibited.
The rule focuses on any hardware or software that could be exploited to compromise the security or integrity of communications, infrastructure, or sensitive personal data, but not on handsets or other personal devices that lack sophisticated technology capacities. This scope considers ongoing business transactions and routine software updates. While the review process is currently voluntary, it may become mandatory for certain critical infrastructure sectors.
As currently written, ICTS rule establishes up a framework for reviewing and regulating transactions to protect national security, critical infrastructure, and the digital economy. Businesses importing foreign hardware and partnering with foreign software vendors need to adapt to this new landscape by enhancing supply chain transparency, conducting thorough risk assessments, and planning for compliance with the regulations.
Originally published on LinkedIn
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
