On May 15, 2019, President Trump issued an Executive Order on Securing the Information and Communications Technology and Services Supply Chain that authorizes the Commerce Secretary to regulate the acquisition and use of information and communications technology and services from a “foreign adversary.”
Broadly speaking, the order authorizes the creation of national security focused import regulation mirroring the long-standing export control and foreign investment regimes. The order represents a dramatic expansion of federal power without Congressional involvement. Given the pervasiveness of information and communications technology and services throughout the economy and the globalization of supply chains, practical effects could be far-reaching and surprising.
The Commerce Secretary has 150 days (until mid October) to promulgate regulations implementing the Supply Chain Order. The Commerce Department has broad discretion, and businesses developing, making and using information and communications technology and services should consider weighing in with the department on the scope, content and effect of this new regulatory program.
In promulgating the Supply Chain Order under International Emergency Economic Powers Act of 1977, the President declared a national emergency, asserting the order was necessary because “foreign adversaries are increasingly creating and exploiting vulnerabilities in information and communications technology and services … in order to commit malicious cyber-enabled actions, including economic and industrial espionage.” In the President’s words, “openness must be balanced by the need to protect our country against critical national security threats.”
The Supply Chain Order provides that the Commerce Secretary, in consultation with other agencies, may prohibit or condition the acquisition, importation, transfer, installation, dealing in, or use by persons subject to U.S. jurisdiction of information and communications technology or services “designed, developed, manufactured, or supplied” by persons owned, controlled or directed by a “foreign adversary” where the Secretary believes there is an “unacceptable risk” to U.S. national security.
The term “information and communications technology or services” is defined capaciously as “hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including transmission, storage, and display.” Products ranging from watches to cars now include information and data processing technologies. Just about the only things not potentially covered by the Supply Chain Order are raw materials and other commodities.
A “foreign adversary” is any foreign government, entity or individual “engaged in a long‑term pattern or serious instances of conduct significantly adverse to the national security.” Thus, prohibitions and restrictions could extend to products and services from specific companies and individuals as well as more broadly from particular countries.
In sum, the Supply Chain Order authorizes the Commerce Secretary to regulate from where and from whom businesses operating in the United States may acquire information and communications technology and services. If the Secretary deems that a particular country or entity presents an “unacceptable risk,” he can prohibit U.S. persons from using products or services made or supplied by that “foreign adversary.” He could also prohibit U.S. businesses from buying inputs from foreign firms from allied countries that employ, say, programmers or technicians the Secretary thinks are subject to the direction of a foreign adversary. Arguably, he could even effectively prohibit U.S. companies from employing in the United States foreign individuals the Secretary believes are subject to the direction of a foreign adversary. Given the centrality of the United States to information and communications technologies and services globally, one could expect any such U.S. prohibitions would have global repercussions.
The Commerce Secretary is to publish implementing regulations by mid October 2019. The regulations will presumably define (1) the types of technologies or services that will be covered, (2) the countries, companies and people (“foreign adversaries”) that will be the target of regulation, and (3) procedures and conditions to license particular transactions and classes of transactions. Given how much discretion the Commerce Secretary has in designing the regulatory regime, it will be important for interested parties to provide input.
Interagency Consultation and Decision Authority
In promulgating and applying these regulations, the Commerce Secretary is to consult with other economic and security agencies. This list of agencies overlaps significantly with the Committee on Foreign Investment in the United States (CFIUS), which has decades of experience in applying U.S. foreign investment law. However, in the investment context, the ultimate decision power rests with the President, and CFIUS operates by consensus, which has a moderating effect. Under the Supply Chain Order, the Commerce Secretary is the decision-maker, and he need not heed input from other agency heads.
The Supply Chain Order is a remarkable appropriation of legislative authority by the executive and it will likely lead to new and disruptive market interventions. As dramatic as it is, the order is but one of series of recent regulatory measures prompted by national security concerns arising from commercial transactions, with other measures relating to sanctions, foreign investment, dual use exports, and government procurement.  While tariffs on U.S./China trade have attracted the most attention, the expanding regulation in the name of national security may prove more durable and important, reflecting as it does growing geo-strategic competition and concerns over new vulnerabilities created by technology.