On 26 November 2019 the U.S. Department of Commerce issued a long-awaited proposed rule (or draft regulations) to implement Executive Order 13873, "Securing the Information and Communications Technology and Services Supply Chain," which was signed on 15 May 2019. The proposed rule gives the secretary of commerce broad authority to review, mitigate, or prohibit many transactions that involve information and communications technology and services (ICTS) once there is designation of a "foreign adversary" under the executive order. The proposed rule also establishes a process for the review, mitigation, and prohibition of relevant transactions and gives the secretary of commerce extremely broad authority to determine which foreign states, entities, or persons are "foreign adversaries." The Commerce Department is seeking public comment until Friday, 27 December 2019.
The proposed rule is also significant for what it does not directly address. Despite speculation that it would identify particular foreign states or entities, the proposed rule – on its face – takes a more neutral approach. The rule does not identify any specific foreign states, entities, or persons as a "foreign adversary." In terms of timing, the executive order gave the Commerce Department 150 days from 15 May 2019 to release an implementing rule. The Commerce Department did not meet the 12 October 2019 deadline, perhaps out of deference to the ongoing U.S.-China trade negotiations. During the intervening time, there had been speculation that Chinese telecommunications companies, in particular, could be identified by the rule.
Finally, the proposed rule comes at a time when U.S. government agencies are increasingly concerned about the national security risks posed by foreign interference with information and communications technology and services in the United States. For instance, the Federal Communications Commission (FCC) voted unanimously on 22 November 2019 to prospectively block U.S. telecommunications companies from using federal funds to purchase equipment from two named Chinese companies. The agency grounded its decisions in national security concerns.
Executive Order 13873: Securing the Information and Communications Technology and Services Supply Chain
As set forth in the executive order, the Trump administration's objective is to reinforce and secure U.S. national security, foreign policy, and the economy against threats from vulnerabilities in the ICTS supply chains. To do so, the executive order gave broad authority to the secretary of commerce. Specifically, the secretary of commerce has the authority to review, mitigate, and prohibit transactions that represent an "undue" or "unacceptable" national security risk and involve "information and communications technology or services" that are associated with a "foreign adversary."
Certain key terms are defined in the executive order and copied in the draft regulations. "Foreign adversary" is defined as "any foreign government or foreign non-government person engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons." However, the executive order did not designate any foreign adversaries.
In order to assist the secretary of commerce with determining threats to the United States posed by foreign adversary interference in the ICTS supply chains, the executive order requires the director of national intelligence and the secretary of homeland security to provide written threat assessments. The secretary of commerce will use these assessments to guide his evaluation of transactions.
"Information and communications technology or services" is defined as "any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including transmission, storage, and display."
In other words, the terms of the executive order are meant to capture nearly all ICTS transactions involving any foreign states, entities, or persons that the secretary of commerce deems to be a threat to U.S. interests when the transaction involves a U.S. person or property within the U.S. jurisdiction.
The proposed rule
The proposed rule implements "the process and procedures that the secretary of commerce will use to identify, assess, and address certain information and communications technology transactions that pose an undue risk to critical infrastructure or the digital economy in the United States, or an unacceptable risk to U.S. national security or the safety of United States persons." The terms, "undue risk" and "unacceptable risk," are left undefined.
The proposed rule primarily does two things: first, it gives broad authority to the secretary of commerce to determine which foreign states, entities, or persons are "foreign adversaries." Second, it provides a process for the secretary's review and prohibition of transactions falling within the scope of the executive order.
The secretary of commerce, in consultation with other heads of executive departments (including the chairman of the FCC), has the authority to determine which foreign states, entities, or persons are "foreign adversaries." The definition of "foreign adversary" mirrors that in the executive order. Notably, the proposed rule does not specify any such "foreign adversaries." Additionally, the draft regulations do not provide additional clarity on the factors the secretary of commerce will use to determine who is a "foreign adversary"; in fact, it notes that it "is a matter of executive branch discretion."
The draft regulations would effectively codify the secretary of commerce's sweeping authority to prohibit a wide swath of covered transactions. As a practical matter, the secretary will use "a caseby-case, fact-specific approach to determine" which transactions fall within the scope of the executive order and the proposed rule. Further, the proposed rule adopts the executive order's criteria for which transactions are subject to review and possible mitigation or prohibition. It also provides for the process by which the secretary will commence and conduct an evaluation. Finally, it requires a written determination from the secretary of commerce.
The key elements of the proposed rule are as follows:
- Transactions subject to evaluation. A transaction is subject to evaluation if it relates to the "acquisition, importation, transfer, installation, dealing in, or use of any information and communication technology service" and (1) is subject to the jurisdiction of the United States, (2) any foreign state or national has an interest in it, and (3) it "was initiated, is pending, or will be completed after May 15, 2019."
- Transactions related to certain ongoing activities. The draft regulations only reach transactions that were initiated, pending, or will be completed on or after 15 May 2019. There is, however, a significant exception. Transactions relating to "ongoing activities," such as "managed services, software updates, or repairs," are considered transactions that will be completed on or after 15 May 2019, even if a contract was entered into prior to 15 May 2019. Therefore, these "transactions are subject to review by the Secretary and may require mitigation or an unwinding of the transaction if determined to be prohibited." In other words, the secretary of commerce could prohibit these transactions and require "the parties engaged in the transaction immediately cease the use of the ICTS" even if "such ICTS has been installed or was in operation prior to the Secretary's determination." This clarification aligns with the FCC's approach as it considers whether to require eligible telecommunications carriers receiving Universal Service Fund support to "remove and replace" covered equipment from their network operations, as outlined in the FCC's 22 November 2019 Further Notice of Proposed Rulemaking. We expect the secretary will consult the FCC if the secretary were also to consider a "remove and replace" program as part of its determination for a transaction.
- Commencement of an evaluation. The secretary of commerce can commence an evaluation in one of three ways. First, "[a]t the Secretary's discretion." Second, upon the request of another department or agency head, including the chairman of the FCC. Third, "[b]ased on information submitted to the Secretary by private parties."
- Evaluating the effect of a transaction. The factors the secretary of commerce will use in evaluating the effect of a transaction mirror the factors used in determining which transactions are subject to evaluation, as well as other factors laid out in the executive order. The secretary will determine whether the transaction "involves information and communications technology services" associated with a "foreign adversary." The secretary will also determine whether there is an "undue risk" or "unacceptable risk" to ICTS in the United States or the national security of the United States.
- Determining whether information and communications technology services are associated with a foreign adversary. For the technology or service to be subject to evaluation it must be "owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary." The proposed rule identifies factors the secretary of commerce will use in making this determination. The factors include focus on the "laws and practices of the foreign adversary" as well as corporate structures that influence access, control, and decision-making rights.
- Conducting the evaluation. The proposed rule sets forth the type of information the secretary of commerce can use in conducting an evaluation. This includes information the secretary requests from parties to a transaction being evaluated. The secretary "[m]ay use all appropriate tools available to collect information," such as "publicly available, business confidential or proprietary information," as well as "classified information" and "[i]nformation from foreign governments."
- A written determination and option for filing opposition to it. The draft regulations require, "when consistent with national security," the secretary of commerce to provide written notice giving "an explanation of the basis" for a "preliminary determination." A party to the transaction then has 30 days to submit a statement of opposition. After an opposition has been filed, the secretary has 30 days to provide a "final determination." The secretary must provide a final written determination that concludes whether or not the transaction is prohibited or if it requires mitigation. The proposed rule, however, explains that the secretary "may commence an evaluation and make a new determination of any transaction" if the "circumstances, technology, or available information has materially changed." The proposed rule also does not allow for the secretary to issue advisory opinions or declaratory rulings about particular transactions.
The proposed rule provides for a major exception to the review framework. If the secretary of commerce determines that "public harm is likely to occur if the procedures are followed or national security interests require it, then the Secretary may vary or dispense with any or all of the procedures." Nevertheless, the secretary of commerce must still provide a final written determination that describes "the basis for the decision" to take "emergency action."
The secretary of commerce also seeks public comment on the entirety of the proposed rule, including questions relating to categorical exclusions or inclusions, mitigation measures, clarification of terms used in the executive order, and recordkeeping requirements. Written comments are due 30 days after the proposed rule is published in the Federal Register on 27 November, meaning that the comment deadline is Friday, 27 December. Hogan Lovells would be pleased to assist you with submitting comments to the Commerce Department.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.