Introduction

On 14 January 2021, as one of the last official actions of the Trump administration, the US Department of Commerce (Commerce) issued the Securing the Information and Communications Technology and Services [(ICTS)] Supply Chain interim final rule (ICTS rule), which would establish a structured process by which Commerce can assess certain ICTS transactions between US and foreign persons that pose an undue or unacceptable risk and "involve information and communications technology or services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary".

Then-Commerce Secretary Wilbur Ross noted in a recent Commerce press release that:

[a]ggressively securing the ICTS supply chain will protect American citizens and businesses from vulnerabilities that could undermine the confidentiality, integrity, and availability of their personal information or sensitive data by malicious foreign adversaries and those who wish harm on the United States.

In effect, the interagency review process that would be created under the new ICTS rule to screen inbound foreign technology transactions would loosely parallel the one used by the Committee on Foreign Investment in the United States (CFIUS) to screen inbound foreign investments. The provisions of the ICTS rule itself, as issued, would ensure that there is minimal or no overlap between the two screening systems, and the contentious question of where to draw the boundary between the two reportedly led to a bureaucratic battle within the Trump administration between Commerce and the Treasury Department, which delayed the rule's publication.

If implemented by the Biden administration, the ICTS rule would significantly affect companies that have an international nexus in numerous sectors, including:

  • telecoms service providers;
  • internet and digital service providers; and
  • data hosting or computing equipment manufacturers.

What you need to know

ICTS companies should note the following:

  • Such companies should be prepared to review their transactions closely to identify the equipment, software and technology that may fall under the scope of this rule.
  • Transactions that fall under the ICTS rule would be subject to a US government interagency review under this new set of regulations, which has a mechanism for delaying and even stopping such ICTS transactions.
  • The Biden administration has reportedly paused the implementation of the rule to allow for a review, but a revised version is expected to be published for additional public comment.
  • Interested companies should consider submitting comments on the ICTS rule now to highlight to the Biden administration the ways in which it might be unduly burdensome as written.

What prompted the ICTS rule?

The ICTS rule was issued pursuant to Trump's 15 May 2019 Executive Order (EO) 13873 (Securing the Information and Communications Technology and Services Supply Chain), in which Trump declared a national emergency with respect to the threat to the national security, foreign policy and economy of the United States by foreign adversaries which are "increasingly creating and exploiting vulnerabilities in information and communications technology and services." The ICTS rule follows the publication of the 27 November 2019 proposed rule (for further details please see "Administration tests waters for unprecedented government review of international technology transactions"). The review process set out in the ICTS rule is principally designed to ferret out ICTS transactions that pose a threat to US national security.

From a broader vantage point, the ICTS rule represents the culmination of a series of actions taken by the US government under the Trump administration to decouple the US information and communications technology infrastructure from telecoms equipment and service providers that the Trump administration and bipartisan majorities in Congress believed might pose a national security risk to the United States. In 2020 Congress enacted the Secure and Trusted Communications Networks Act 2019 (the so-called 'rip and replace' programme), which requires the Federal Communications Commission (FCC) to identify and publish a list of communications equipment and services that pose a national security risk (eg, Huawei equipment) and reimburse providers for the removal and replacement of prohibited equipment and services. On 13 January 2020 the FCC published a final rule (Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programmes) identifying the criteria for types of equipment that will be on the covered communications equipment and services list, which includes anything that Commerce identifies in the course of the ICTS rule.

The ICTS rule seeks to prevent, among other things, a similar future scenario where communications equipment or other technology products and services that pose a national security risk to the United States become widely used and require costly replacement.

What ICTS transactions are covered by the ICTS rule?

EO 13873 grants the Secretary of Commerce broad authority to prohibit "any acquisition, importation, transfer, installation, dealing in, or use of any" ICTS (an 'ICTS transaction') by any person, or with respect to any property, subject to US jurisdiction, when such ICTS transaction:

  • "involves any property in which any foreign country or a national thereof has any interest (including through an interest in a contract for the provision of the technology or service);"
  • "was initiated, is pending, or will be completed after the date" of the EO; and
  • which the Secretary of Commerce, in consultation with other agency heads, determines to:
    • involve ICTS "designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary"; and
    • pose an undue or unacceptable risk.

The ICTS rule defines 'information and communications technology or services' or 'ICTS' as:

any hardware, software, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.

This broad definition leaves a wide swath of transactions involving computing, cloud computing, data storage and retrieval and telecoms infrastructure open to review.

Under the new screening process that would be established, the interagency review would evaluate – to potentially block or require measures to mitigate – transactions that involve the acquisition, import, transfer, installation, dealing in or use of ICTS by any person, where the transaction:

  • "[i]s conducted by any person subject to US jurisdiction or that involves property subject to US jurisdiction";
  • "[i]nvolves any property in which any foreign country or foreign national has an interest (including through an interest in a contract for the provision of the technology or service)"'
  • was initiated, is pending or will be completed on or after 19 January 2021, "regardless of when any contract applicable to the transaction is entered into, dated, or signed or when any license, permit, or authorization applicable to such transaction was granted". Any act or service relating to an ICTS transaction, which occurs after 19 January 2021, but is related to a contract that was initially entered into, or the activity commenced prior to 19 January 2021, may also be deemed an ICTS transaction. The regulations do not specify how Commerce would determine which acts or services performed for pre-19 January 2021 contracts could be deemed not to be an ICTS transaction; or
  • involves an ICTS specified in the regulation, which includes:
    • certain software, hardware or another product or service integral to wireless local area networks and mobile networks;
    • internet hosting services;
    • cloud-based or distributed computing and data storage;
    • managed services; and
    • content delivery services.

Who is a foreign adversary?

As noted above, an ICTS transaction can be blocked after review if it:

  • involves ICTS "designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary;" and
  • poses an undue or unacceptable risk.

The ICTS rule retains the definition of 'foreign adversary' in the proposed rule and the EO – namely:

any foreign government or foreign non-government person determined by the Secretary [of Commerce] to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons.

The ICTS rule identifies six specific foreign governments and non-government persons as foreign adversaries:

  • China, including the Hong Kong Special Administrative Region;
  • Cuba;
  • Iran;
  • North Korea;
  • Russia; and
  • Venezuelan politician Nicolás Maduro (Maduro Regime).

This list of foreign adversaries can be revised by the Secretary of Commerce; updates would be effective immediately on publication in the Federal Register without prior notice or opportunity for public comment.

A 'person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary' includes:

  • "any person, wherever located, who acts as an agent, representative, or employee;"
  • "any person who acts in any other capacity at the order, request, or under the direction or control, of a foreign adversary or of a person whose activities are directly or indirectly supervised, directed, controlled, financed, or subsidized in whole or in majority part by a foreign adversary;"
  • "any person, wherever located, who is a citizen or resident of a nation-state controlled by a foreign adversary;"
  • "any corporation, partnership, association, or other organization organized under the laws of a nation-state controlled by a foreign adversary;" and
  • "any corporation, partnership, association, or other organization, wherever organized or doing business, that is owned or controlled by a foreign adversary."

This means that any ICTS designed, developed, manufactured or supplied by a Chinese, Cuban, Iranian, North Korean or Russian corporation (or other legal entity), or a third-country corporation owned or controlled by Chinese, Cuban, Iranian, North Korean or Russian corporations, or citizens or residents of those countries, is at risk for review under the ICTS rule. Between the vast breadth of the ICTS equipment whose transactions could be reviewed and the huge number of predominantly Chinese companies – and subsidiaries of Chinese companies that make ICTS equipment of this kind – the ICTS rule allows Commerce to review and potentially order the removal of Chinese ICTS equipment from US ICTS systems.

What factors are evaluated in the ICTS transaction review analysis?

To determine whether an ICTS transaction involves ICTS designed, developed, manufactured or supplied by persons owned by, controlled by or subject to the jurisdiction or direction of a foreign adversary, Commerce would consider:

  • whether the party or its component suppliers "have headquarters, research, development, manufacturing, test, distribution, or service facilities or other operations in a foreign country, including one controlled by a foreign adversary";
  • personal and professional ties between the party – including its officers, directors or similar officials, employees, consultants or contractors – and any foreign adversary;
  • laws and regulations of the foreign adversary in which the party is "headquartered or conducts operations, including research and development, manufacturing, packaging, and distribution;" and
  • "any other criteria that the Secretary deems appropriate".

These criteria allow for an even greater expansion of the scope of ICTS transactions that could be reviewed. US companies that source components from China or other foreign adversary countries or from US companies that are owned by Chinese companies could have their transactions reviewed and blocked.

To determine whether an ICTS transaction poses an undue or unacceptable risk, Commerce would consider:

  • "threat assessments and reports prepared by the Director of National Intelligence";
  • "removal or exclusion orders issued by Department of Homeland Security, the Defense Department, or the Director of National Intelligence";
  • relevant provisions of the Defence Federal Acquisition Regulation and the Federal Acquisition Regulation;
  • "entities, hardware, software, and services that present vulnerabilities in the United States as determined by the Department of Homeland Security";
  • "actual and potential threats to [the] execution of a 'National Critical Function' identified by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency";
  • "the nature, degree, and likelihood of consequence to the United States public and private sectors that could occur if ICTS vulnerabilities were to be exploited"; and
  • "any other source or information that the Secretary deems appropriate".

However, the ICTS rule does not offer any clear-cut standard as to which risks would trigger the blocking of transactions, instead adopting the standards set out in the EO, which include the murky "unacceptable risk to the national security of the United States or the security and safety of United States persons". Which risks are acceptable and which are unacceptable would be determined on a discretionary basis.

What are the review procedures?

The ICTS rule, as issued, allows for federal agencies, including Commerce, to request a review of a transaction to determine whether it is an ICTS transaction covered by the ICTS rule. Commerce would have the power to accept the referral and commence an initial review of the transaction. If it found that the ICTS transaction met the criteria for an undue or unacceptable risk, Commerce would issue an initial written determination and would notify the transactions' parties through a Federal Register notice or by serving a copy of the initial determination. The parties to the transaction would have the option of responding to the initial determination within 30 days of it being served or its publication in the Federal Register. Upon receipt of such a submission, Commerce would consider whether the information provided affects the initial determination. Commerce would issue a final determination on the ICTS transaction within 180 days of accepting a referral and commencing the initial review unless it determined that additional time was necessary. The final determination would state whether the ICTS transaction was:

  • prohibited;
  • not prohibited; or
  • permitted pursuant to the adoption of negotiated mitigation measures.

The ICTS rule, as issued, does not indicate which Department of Commerce office would handle reviews of ICTS transactions.

What technology sectors are covered by the ICTS rule?

Commerce broke down the types of technology covered by the ICTS rule into six main categories:

  • "ICTS that will be used by a party to a transaction in a sector designated as critical infrastructure by Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience, including any subsectors or subsequently designated sectors";
  • software, hardware or any other product or service integral to wireless local area networks, mobile networks, satellite payloads, satellite operations and control, cable access points, wireline access points, core networking systems or long and short-haul networks;
  • software, hardware or any other product or service integral to data hosting or computing services that "uses, processes, or retains, or is expected to use, process, or retain, sensitive personal data on greater than one million US persons at any point over the twelve (12) months preceding an ICTS Transaction";
  • certain ICTS products with sales of greater than 1 million units to US persons over the 12 months prior to an ICTS transaction;
  • "software designed primarily for connecting with and communicating via the internet that is in use by greater than one million US persons at any point over the twelve (12) months preceding an ICTS Transaction"; and
  • ICTS integral to AI and machine learning, quantum key distribution, quantum computing, drones, autonomous systems or advanced robotics.

The definition of 'sensitive personal data' in the ICTS rule includes many of the same categories of sensitive personal data as the CFIUS regulations. However, the CFIUS regulations exclude data maintained or collected by a US business concerning employees of the US business and data that is a matter of public record, whereas the ICTS rule does not contain such an exclusion. Therefore, there may be some ICTS transactions involving sensitive personal data that would be covered by the ICTS rule but are not covered by CFIUS.

Are any ICTS transactions exempt or excluded?

The ICTS rule, as issued, clarifies that it would not apply to:

an ICTS Transaction that CFIUS is actively reviewing, or has reviewed, as a covered transaction or covered real estate transaction or as part of such a transaction under section 721 of the Defense Production Act of 1950, as amended, and its implementing regulations.

However, transactions separate or subsequent to transactions for which CFIUS has concluded action under Section 721 may be subject to review under the ICTS rule if they are separate from the transaction reviewed by CFIUS.

In addition, Commerce has exempted from ICTS transactions:

  • "the acquisition of ICTS items by a United States person as a party to a transaction authorized under a US government-industrial security program;" and
  • ICTS transactions solely involving personal ICTS hardware devices, such as handsets.

Is there a licensing process for potential transactions?

In the ICTS rule, as issued, Commerce stated an intention to publish licensing procedures by 22 March 2021 and to implement the licensing process by 19 May 2021. These procedures would provide criteria for seeking a licence to enter into a proposed or pending ICTS transaction or engage in an ongoing ICTS transaction. Parties to a proposed, pending or ongoing ICTS transaction would have the option of seeking such a licence. Reviews of licence applications would be conducted on a fixed timeline, not to exceed 120 days from acceptance of an application. A licence would be deemed granted if Commerce did not issue a licence decision within 120 days from acceptance of an application for one. It is assumed that this intention to issue a proposed licensing process, like the ICTS rule itself, is on hold while it is being studied.

What are the next steps?

The ICTS rule was slated to take effect on 22 March 2021. However, according to Politico, Commerce has delayed its implementation for now. Commerce's final rule would have addressed additional comments that were due by 22 March 2021, but that will likely be paused as well. Commerce has not yet announced a timeline for its review of the ICTS rule.

It remains to be seen exactly how the Biden administration will treat the underlying EO and the ICTS rule. Its apparent freezing of the ICTS rule does not come as a major surprise. Incoming administrations commonly freeze pending rules in order to conduct their own assessment and sometimes make adjustments. On 20 January 2021 Ronald Klain, the assistant to the president and chief of staff, sent a memorandum to the heads of executive departments and agencies asking them to consider a 60-day postponement of the effective date for any rules that have been published in the Federal Register but have not yet taken effect. The stated purpose of this postponement is to review any "questions of fact, law, and policy the rules may raise". The memorandum also encourages agency heads to consider opening a 30-day comment period for postponed rules to allow for comments on issues of fact, law and policy raised by those rules and further postponing the effective date if the rules raise substantial questions. Here, a 60-day postponement from 20 January 2021 would result in the same effective date (ie, 22 March 2021); however, the reported pause on the ICTS rule could be lengthier.

The Biden administration is expected to continue the relatively assertive approach to China, albeit with a greater emphasis on working with allied countries. The reported delay of this rule's effective date may allow for further narrowing of its scope, which may occur due to the significant impact that the ICTS rule may have on Commerce and industry, as well as the likelihood of substantial additional comments by the public.

How does the ICTS rule affect companies?

If implemented as written, the ICTS rule would significantly affect companies that have an international nexus in numerous sectors, including:

  • telecoms service providers;
  • internet and digital service providers (including cloud computing service providers); and
  • data hosting or computing equipment manufacturers.

In addition, the ICTS rule would cover a large swath of ICTS transactions and give the Secretary of Commerce great discretion in determining whether a transaction should be prohibited or permitted subject to mitigation measures. Critically, in addition to a large number of Chinese and Russian companies already caught within the proposed rule, the Secretary of Commerce would have the discretion to designate additional foreign adversaries without notice and with immediate effect.

ICTS companies should therefore be prepared to review their transactions closely in order to identify the equipment, software and technology that may fall under the scope of the ICTS rule, if it is implemented as issued. The docket for commenting on the ICTS rule is still open and interested companies should consider submitting comments now to highlight to the Biden administration the ways in which the rule might be unduly burdensome as written. Further, companies are advised to submit further comments if the ICTS rule is revised by the Biden administration and an additional comment period is opened, as expected.