On November 27, 2019, the U.S. Department of Commerce (“Commerce”) issued proposed regulations implementing a Presidential mandate from earlier this year to review and, where necessary for national security, to restrict the import, dealing in, or use of certain foreign-made information and communications hardware, software, and technology, or related services. The proposed regulations will impact U.S. businesses that integrate and utilize foreign developed information and communications products and technology, particularly from countries that could be seen as adversarial to the U.S.. In particular, the proposed regulations focus on identifying and addressing any transactions involving the U.S. information and communications technology and services (“ICTS”) supply chain and foreign persons that pose an undue risk to critical infrastructure or the digital economy in the United States, or an unacceptable risk to U.S. national security or the safety of U.S. persons.
A. Growing Concerns Over Foreign Threats to the U.S. ICTS Supply Chain
The proposed regulations are issued in response to findings made earlier this year by the President that:
- foreign adversaries are increasingly creating and exploiting ICTS supply chain vulnerabilities (which store and communicate vast amounts of sensitive information, facilitate the digital economy, and support critical infrastructure and vital emergency services) to commit malicious cyber-enabled actions, including economic and industrial espionage against the U.S. and its people; and
- the unrestricted acquisition or use in the U.S. of ICTS products designed, developed, manufactured, or supplied by persons owned or controlled by foreign adversaries augments the ability of those foreign adversaries to create and exploit ICTS vulnerabilities, with potentially catastrophic effects.1
To address this threat, the Secretary of Commerce has been granted the authority to prohibit any transaction subject to U.S. jurisdiction involving the acquisition, import, transfer, installation, dealing in, or use of any information and communications technology and services that:
- involves property in which a foreign country or national has an interest;
- includes any ITCS hardware, software, or technology designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary2 ; and
- poses certain undue risks to critical infrastructure or the digital economy in the United States or certain unacceptable risk to U.S. national security or U.S. persons.
B. Broad Authority to Address Supply Chain Threats Will Make a Wide Range of ICTS-Related Transactions Subject to Commerce Department Oversight
Under the proposed regulations, any transaction in information and communications technology and services that meets the following conditions can be subject to review by Commerce and may require mitigation, prohibition, or an unwinding of the transaction if determined to be prohibited:
- The transaction is conducted by any person, or involves any property, subject to U.S. jurisdiction;
- The transaction involves any property in which any foreign country or a national thereof has an interest (this includes any interest that a foreign country or national has in a contract for the provision of the technology or service); and
- The transaction was initiated, is pending, or will be completed after May 15, 2019, regardless of when any contract applicable to the transaction was entered into, dated, or signed or when any license, permit, or authorization applicable to such transaction was granted. Transactions involving certain ongoing activities, such as managed services, software updates, or repairs, constitute transactions that “will be completed” on or after May 15, 2019 even if a contract was entered into prior to May 15, 2019.
The proposed regulations state that Commerce will adopt a case-by-case, fact-specific approach to determine whether any transaction that meet the above requirements is prohibited or must be mitigated on the basis that it:
- Poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology and services in the United States;
- Poses an undue risk of catastrophic effects on the security or resiliency of U.S. critical infrastructure or the U.S. digital economy; or
- Otherwise poses an unacceptable risk to U.S. national security or the security and safety of U.S. persons.
In the event that Commerce makes a preliminary determination that an information and communications technology and services transaction poses such an undue or unacceptable risk, the proposed regulations state that Commerce will provide written notice to the parties of the transaction, which would then have 30 days to submit written opposition together with supporting information, or information on proposed measures for mitigation.
Commerce must then make a final determination, within 30 days after receipt of any such information from the parties, as to (i) whether or not the transaction is prohibited, or (ii) whether measures and specific timeframes to mitigate risks identified in its evaluation may be sufficient to allow for approval of a transaction that may otherwise be prohibited. Such measures may include requiring that the parties engaged in the transaction immediately cease the use of the ICTS at issue, even if it already has been installed or was in operation prior to Commerce’s determination.
C. New Review of Inbound Foreign Information and Communications Technology and Services Parallels Existing Reviews of Inbound Foreign Direct Investment
In many ways, the proposed regulations mirror the authority of the Committee on Foreign Investment in the United States (“CFIUS”) to suspend or prohibit any acquisition of a U.S. business by a foreign person, where the transaction is determined to threaten U.S. national security. Like CFIUS, there does not appear to be a statute of limitations or time limit to Commerce’s authority to review ICTS transactions, and thus Commerce could initiate a review at any time. However, in its issuance of the proposed regulations, Commerce has stated unequivocally that it will not issue advisory opinions or a declaration ruling with respect to any particular transaction. While Commerce may initiate a review based on information submitted by private parties that it determines to be credible, it is not required to conduct such a review. This differs greatly from the CFIUS regulations, which allow parties to submit a Joint Voluntary Notification of a proposed investment transaction and receive a determination from CFIUS as to whether or not there are national security concerns with the proposed investment transaction. The proposed rules for ICTS require no such action by Commerce when receiving information from private parties.
Commerce is accepting public comments on the proposed regulations until December 27, 2019 and will finalize the regulations sometime thereafter.
1See, Executive Order (“EO”) 13873 of May 15, 2019, “Securing the Information and Communications Technology and Services Supply Chain.”
2The term “foreign adversary” means any foreign government or foreign non-government person determined by the Secretary of Commerce to have engaged in a long‑term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons. No specific countries are named in the proposed regulations.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.