On January 19, 2021, the U.S. Department of Commerce published an interim final rule (the “ICTS Rule”) under former President Trump’s Information and Communications Technology and Services Executive Order issued in May 2019. If implemented by the Biden administration, the ICTS Rule will grant the U.S. government sweeping powers to counter foreign threats to the U.S. supply chain for a wide range of transactions that (1) involve information and communications technology or services (“ICTS”) designed, developed, manufactured, or supplied (2) by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, and that (3) pose an undue or unacceptable risk to U.S. national security.
Depending on how broadly its ambiguous terms are construed and the scope and intensity the Commerce Department brings to the task, the ICTS Rule could impact all manner of otherwise standard, arms-length cross-border commercial transactions in the digital economy — particularly those involving China — and subject them to mitigation or even prohibition (the Commerce Department identified 4.5 million firms potentially subject to review). The ICTS Rule would establish a “CFIUS-like” review regime for covered activities within the U.S. digital economy, including a voluntary licensing option to counter the possibility of U.S. government intervention at a future date.
The ICTS Rule follows related executive actions to secure the ICTS supply chain, including former President Trump’s January 5, 2021 Executive Order prohibiting certain transactions related to eight Chinese-connected software applications (Alipay, CamScanner, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat Pay, and WPS Office) and August 6, 2020 Executive Order prohibiting certain transactions related to TikTok and WeChat. Though the scope of transactions covered under the ICTS Rule includes enumerated categories of hardware, software, and services (see below), these executive orders suggest mobile applications and software services will be key targets. If implemented, the ICTS Rule would vest greater authority in the Commerce Department to evaluate threats and impose restrictions without an executive order.
Further public comment is invited before the ICTS Rule takes effect on March 22, 2021, although the Biden administration’s pause on implementation of rules of the previous administration may result in a delay or reconsideration.
Although the ICTS Rule nominally targets six “foreign adversaries” for ICTS supply-chain scrutiny — China, Cuba, Iran, North Korea, Russia, and the Maduro regime of Venezuela — its most significant impact will be felt in respect of China (including Hong Kong), and, to a lesser extent, Russia. The balance of foreign adversaries are already subject to comprehensive U.S. economic sanctions that largely prevent ICTS from entering the U.S. supply chain.
Less clear under the ICTS Rule’s terms is when a supply-chain counterparty will qualify as a “[p]erson owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.” The ICTS Rule vests the U.S. government with broad discretion to make these determinations, under criteria that private parties will struggle to apply with accuracy absent further guidance from the Commerce Department. For instance, ties between an ICTS supplier’s officers, directors, or employees and a foreign adversary, or mere operations (e.g., headquarters, research, development, manufacturing, test, distribution, or service facilities) within the jurisdiction of a foreign adversary, may support the Commerce Department’s exercise of jurisdiction. By covering even minor touchpoints with a foreign adversary, the ICTS Rule reserves the Commerce Department’s authority to address weak links at any point in the supply chain.
Scope of Covered ICTS Transactions
For ICTS “designed, developed, manufactured, or supplied by” persons subject to the jurisdiction of a foreign adversary, the ICTS Rule broadly targets any “ICTS Transaction” — i.e., acquisition, importation, transfer, installation, dealing in, or use of ICTS, including managed services, data transmission, software updates, repairs, platforming/hosting of applications — within a defined scope. This scope would include transactions that (a) involve persons or property subject to U.S. jurisdiction, in which (b) any foreign country or national has an interest (including, e.g., a contractual interest), that are (c) initiated, pending, or completed on or after January 19, 2021, even under a contract formed at an earlier date, and (d) involve the following ICTS:
- A sector designated as critical infrastructure by Presidential Policy Directive 21;
- Software, hardware, or other products/services integral to wireless LAN, mobile networks, satellite payloads/operations, cable access points, wireline access points, core networking systems, and long- and short-haul networks;
- Software, hardware, or other products/services integral to data-hosting/computing services that do or are expected to use, process, or retain sensitive personal data (including as defined in the CFIUS regulations) on greater than one million U.S. persons at any point in the preceding 12 months, including internet hosting services, cloud-based/distributed computing and data storage, managed services, and content delivery services;
- Internet-enabled sensors, webcams, et al., routers/modems/home networking devices, and drones, if greater than one million units have been sold to U.S. persons at any point in the preceding 12 months;
- Software designed primarily for connecting with or communicating via the internet (e.g., desktop applications, mobile applications, gaming applications, web-based applications) in use by greater than one million U.S. persons at any point in the preceding 12 months; and
- ICTS integral to artificial intelligence/machine learning, quantum key distribution, quantum computing, advanced robotics, drones, or autonomous systems.
Narrow exceptions from the ICTS Rule are limited to transactions (i) authorized under a U.S. government-industrial security program; or (ii) that are or have been under direct CFIUS review (but not including ICTS Transactions distinct from the investment-related covered transaction notified to CFIUS).
Review of ICTS Transactions
The ICTS Rule establishes an interagency process and timeline by which the Commerce Department and other federal agencies may determine if a transaction is a covered ICTS Transaction and presents “an undue or unacceptable risk” to the U.S. national security.
The ICTS Rule contemplates additional rulemaking to establish procedures by which parties to an ICTS Transaction can seek a license from the Commerce Department, although the fate and timing of the as-yet-unpublished regulations will be determined by the Biden administration.
The ICTS Rule does not impose any mandatory filing requirements nor penalties for merely engaging in an otherwise lawful ICTS Transaction involving a foreign adversary. For those who violate a final determination, mitigation agreement, or other ICTS Rule order, civil penalties are available under the International Emergency Economic Powers Act (up to the greater of $307,922 or an amount that is twice the value of the transaction), while willful violations may invite criminal penalties.
* * * * * * *
If implemented to its fullest extent, the ICTS Rule could touch scores of commercial transactions across the range of targeted sectors and activities, disrupting commercial activities in the digital economy. For that reason, we expect a more focused exercise of these authorities, to address high-order threats to the supply chain for ICTS but not every conceivable ICTS Transaction within the scope of the ICTS Rule. Parties searching for comfort could enhance their diligence efforts to better understand suppliers’ ties to foreign adversaries, ensure that contractual agreements account for a disruption in services, and, in a minority of transactions, consider pre-clearance through the Commerce Department’s forthcoming licensing process.
In any case, a close consideration of this rule — including the persistent risks it introduces, the associated uncertainties, and an increased legal expense — may become a common feature for formerly “garden variety” ICTS Transactions in much the same way that “CFIUS” has become a four-letter word for foreign investments in U.S. businesses.