The U.S. government recognizes that the U.S. information and communications technology and services (ICTS) supply chain faces vulnerability and that the U.S. reliance on ICTS controlled or developed by foreign adversaries presents significant risks to the U.S. economy, national security, and/or public safety. As a result, the U.S. Department of Commerce (Commerce) published proposed regulations to establish the process and procedures that the agency will use to identify, assess, and potentially block certain ICTS transactions if it is determined the transaction poses an undue risk to critical infrastructure or the digital economy of the U.S., or an unacceptable risk to U.S. national security or the safety of U.S. persons. The proposed rules were published on November 27, 2019 and include a request for comments, which are due on or by December 27, 2019.
Prohibited Transactions Background
The regulations establishing this new process for reviewing international ICTS transactions were authorized by a May 15, 2019 Executive Order, "Securing the Information and Communications Technology and Services Supply Chain." (E.O. 13873)
In the proposed rule, Commerce recognizes that the U.S. ICTS supply chain has become increasingly vulnerable to exploitation and is an attractive target for espionage, sabotage, and foreign interference activity. In addition, Commerce notes that "ICTS that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary augment our adversaries' ability to create or exploit vulnerabilities in ICTS to potentially catastrophic effect." The proposed rule further demonstrates the Trump administration's growing concern about the national security threat posed by Chinese telecommunications equipment providers. It was published just before the Federal Communications Commission (FCC) voted on December 5 to prohibit its Universal Service Fund, a $8.5 billion program that assists with building communications infrastructure, from buying equipment from Chinese telecom equipment makers Huawei and ZTE.
Scope of Transactions Subject to Risk Evaluation
The scope of transactions potentially subject to review is very broad. Under the proposed rule's definition of "transaction," Commerce may review any "acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service" whenever a transaction:
- Is conducted by any person subject to the jurisdiction of the United States or involves property subject to the jurisdiction of the United States;
- Involves any property in which any foreign country or a national thereof has an interest (including through an interest in a contract for the provision of the technology or service); and
- Was initiated, pending, or completed after May 15, 2019, even if a contract was entered into prior to May 15, 2019.
"Information and communications technology or services" are defined as "any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including through transmission, storage, or display."
Criteria for Determining Prohibited Transactions
Under the proposed regulations, the Department of Commerce, in consultation with other relevant agencies, will evaluate whether the ICTS transaction:
- Is subject to the jurisdiction of the United States;
- Involves any property in which any foreign country or a national thereof has an interest (including through an interest in a contract for the provision of the technology or service);
- Was initiated, is pending, or will be completed after May 15, 2019, regardless of when any contract applicable to the transaction was entered into, dated, or signed or when any license, permit, or authorization applicable to such transaction was granted;
- Involves information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and
- An undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States;
- An undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; or
- An unacceptable risk to the national security of the United States or the security and safety of United States persons.
For transactions meeting the above criteria, Commerce may either order the transaction to be blocked or unwound or, alternatively, require risk mitigation measures to be adopted by parties to the transaction, even if the ICTS has been installed or was operational prior to Commerce's determination.
Notably, no foreign adversaries are specifically designated in the proposed regulations. Thus, any determination is made in the discretion of the secretary of commerce, in consultation with the secretary of the treasury, the secretary of state, the secretary of defense, the attorney general, the secretary of homeland security, the United States trade representative, the director of national intelligence, the administrator of general services, and the chairman of the FCC.
Additionally, whether the transaction involves ICTS "owned by, controlled, by or subject to the jurisdiction or direction" of a foreign adversary depends on a number of factors or features of the transaction. Those factors include consideration of the laws and practices of the foreign adversary, equity interest, access rights, seats on a board of directors or other governing body, contractual arrangements, voting rights, and control over design plans, operations, hiring decisions, or business plan development.
Initiation of Review and Assessment
Commerce may initiate a review of a transaction based on:
- The discretion of the secretary of commerce;
- Referrals from other agencies; or
- Credible information submitted by private parties via a web portal to be established by Commerce
The proposed regulations adopt a case-by-case, fact-specific approach to determine which transactions are prohibited by the standards set out in E.O. 13873. Thus far, the proposed regulations do not identify classes/categories of prohibited transactions or transactions that are excluded from review.
Features of Department of Commerce's Proposed Process of Analyzing Transactions
No advisory opinions or declaratory rulings will be issued for any covered transactions, distinguishing this review process from other transaction review processes, such as those administered by the Committee on Foreign Investment in the United States. Nevertheless, under the proposed regulations, Commerce will provide, as appropriate, direct notice to the parties of a transaction that an evaluation of a transaction is being conducted and that the Department has reached a preliminary determination regarding a transaction.
Parties notified of an evaluation and preliminary determination will then have 30 days after receipt of notice to submit an opposition and supporting data, which may include proposed measures for mitigation, prior to Commerce's issuance of a final determination. Upon completion of the evaluation and within 30 days of receiving parties' opposition or proposed mitigation measures, Commerce will issue a written final determination summarizing its evaluation and concluding whether the transaction is authorized, blocked, or subject to required mitigation measures.
These processes will be followed except in the event of an emergency, when public harm is likely to occur if the normal procedures are followed or national security interests require it, in which case the secretary of commerce may vary or dispense with any or all of the normal transaction review procedures.
Fines reflecting the greater of $302,584, as adjusted annually for inflation, or twice the amount of the transaction may be assessed per violation for:
- Failing to follow the Department of Commerce's final determination prohibiting the transaction;
- Violating, attempting to violate, or conspiring to violate a material provision of any required mitigation measures;
- Providing false or misleading representations, statements, or certifications, or falsifying or concealing any material fact, either directly to the Department of Commerce, the Bureau of Industry and Security, United States Customs and Border Protection, or an official involved in this review process.
Topics for Comments
While the public may comment on all aspects of the proposed regulations, Commerce is particularly interested in understanding the following:
- Are there instances where the secretary of commerce should consider categorical exclusions?
- Are there classes of persons whose use of ICTS can never violate the executive order?
- Are there certain kinds of transactions where the risk could be mitigated, and, if so, what form could such mitigation measures take?
- How should Commerce ensure that parties subject to mitigation requirements actually comply with these measures?
- How should the terms "dealing in" and "use of" be interpreted for the purposes of defining "transaction"?