On 26 November 2019 the U.S. Department of Commerce issued a long-awaited proposed rule (or draft regulations) to implement Executive Order 13873, "Securing the Information and Communications Technology and Services Supply Chain," which was signed on 15 May 2019. The proposed rule gives the secretary of commerce broad authority to review, mitigate, or prohibit many transactions that involve information and communications technology and services (ICTS) once there is designation of a "foreign adversary" under the executive order. The proposed rule also establishes a process for the review, mitigation, and prohibition of relevant transactions and gives the secretary of commerce extremely broad authority to determine which foreign states, entities, or persons are "foreign adversaries." The Commerce Department is seeking public comment until Friday, 27 December 2019.
The proposed rule is also significant for what it does not directly address. Despite speculation that it would identify particular foreign states or entities, the proposed rule – on its face – takes a more neutral approach. The rule does not identify any specific foreign states, entities, or persons as a "foreign adversary." In terms of timing, the executive order gave the Commerce Department 150 days from 15 May 2019 to release an implementing rule.
The Commerce Department did not meet the 12 October 2019 deadline, perhaps out of deference to the ongoing U.S.-China trade negotiations. During the intervening time, there had been speculation that Chinese telecommunications companies, in particular, could be identified by the rule. Finally, the proposed rule comes at a time when U.S. government agencies are increasingly concerned about the national security risks posed by foreign interference with information and communications technology and services in the United States. For instance, the Federal Communications Commission (FCC) voted unanimously on 22 November 2019 to prospectively block U.S. telecommunications companies from using federal funds to purchase equipment from two named Chinese companies. The agency grounded its decisions in national security concerns.
Executive Order 13873: Securing the Information and Communications Technology and Services Supply Chain
As set forth in the executive order, the Trump administration's objective is to reinforce and secure U.S. national security, foreign policy, and the economy against threats from vulnerabilities in the ICTS supply chains. To do so, the executive order gave broad authority to the secretary of commerce. Specifically, the secretary of commerce has the authority to review, mitigate, and prohibit transactions that represent an "undue" or "unacceptable" national security risk and involve "information and communications technology or services" that are associated with a "foreign adversary."
Certain key terms are defined in the executive order and copied in the draft regulations. "Foreign adversary" is defined as "any foreign government or foreign non-government person engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons." However, the executive order did not designate any foreign adversaries.
In order to assist the secretary of commerce with determining threats to the United States posed by foreign adversary interference in the ICTS supply chains, the executive order requires the director of national intelligence and the secretary of homeland security to provide written threat assessments. The secretary of commerce will use these assessments to guide his evaluation of transactions.
"Information and communications technology or services" is defined as "any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including transmission, storage, and display."
In other words, the terms of the executive order are meant to capture nearly all ICTS transactions involving any foreign states, entities, or persons that the secretary of commerce deems to be a threat to U.S. interests when the transaction involves a U.S. person or property within the U.S. jurisdiction.
The proposed rule The proposed rule implements "the process and procedures that the secretary of commerce will use to identify, assess, and address certain information and communications technology transactions that pose an undue risk to critical infrastructure or the digital economy in the United States, or an unacceptable risk to U.S. national security or the safety of United States persons." The terms, "undue risk" and "unacceptable risk," are left undefined.
The proposed rule primarily does two things: first, it gives broad authority to the secretary of commerce to determine which foreign states, entities, or persons are "foreign adversaries." Second, it provides a process for the secretary's review and prohibition of transactions falling within the scope of the executive order.
The secretary of commerce, in consultation with other heads of executive departments (including the chairman of the FCC), has the authority to determine which foreign states, entities, or persons are "foreign adversaries." The definition of "foreign adversary" mirrors that in the executive order. Notably, the proposed rule does not specify any such "foreign adversaries." Additionally, the draft regulations do not provide additional clarity on the factors the secretary of commerce will use to determine who is a "foreign adversary"; in fact, it notes that it "is a matter of executive branch discretion."
The draft regulations would effectively codify the secretary of commerce's sweeping authority to prohibit a wide swath of covered transactions. As a practical matter, the secretary will use "a caseby-case, fact-specific approach to determine" which transactions fall within the scope of the executive order and the proposed rule. Further, the proposed rule adopts the executive order's criteria for which transactions are subject to review and possible mitigation or prohibition. It also provides for the process by which the secretary will commence and conduct an evaluation. Finally, it requires a written determination from the secretary of commerce.
The key elements of the proposed rule are as follows: