Commerce Department Proposes Measure to Block “Foreign Adversaries” from U.S. Communication Supply Chains
The U.S. Government continues to move ahead on multiple fronts to try to deny access to U.S. internet and communications infrastructure to companies from countries deemed to be hostile to the United States. From measures targeted at specific companies, such as Huawei, to more sector focused steps, the motivation behind these initiatives is to protect the U.S. from cybersecurity threats emanating from other nations. The most recent such proposal is one announced on November 26, 2019 by the Commerce Department, which issued a proposed rule to secure information communications technology and services (“ICTS”) supply chains and review transactions with certain unspecified foreign actors believed to pose an “undue” or “unacceptable” national security risk. This rule would implement Executive Order 13873, signed May 15, 2019, and give the Secretary of Commerce (“Secretary”) broad authority to determine what risks are acceptable and, if unacceptable, to prohibit or even unwind deals that involve ICTS goods sourced from or services provided by “foreign adversaries.”
The proposed rule leaves some questions unanswered, including what will constitute an “undue” or “unacceptable” risk. The rule also does not designate any particular foreign actors as “foreign adversaries,” although the list is likely to be narrowly focused on companies from countries such as China and Russia initially.
Potential Impacts on U.S. Businesses
Most critically, businesses buying ICTS goods or services overseas will need to re-evaluate their supply chain arrangements to comply with the proposed rule. Generally, the proposed rule implements
…the process and procedures that the [Secretary] will use to identify, assess, and address certain [ICTS] transactions that pose an undue risk to critical infrastructure or the digital economy in the United States, or an unacceptable risk to U.S. National Security or the safety of United States persons.
The specific transactions intended for review under the proposed rule include transactions that
- Involve the acquisition, importation, transfer, installation, dealing in, or use of any ICTS;
- Are subject to U.S. jurisdiction;
- Involve property in which any foreign country or national has an interest (including mere contractual interests for ICTS); and
- Were initiated, pending, or completed after May 15, 2019, regardless of when any contract applicable to such transactions was entered.
For transactions that apply, the Secretary will assess their effects through the following considerations:
- Whether the transaction involves ICTS goods or services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and
- Whether the transaction poses an undue risk of sabotage to or subversion of U.S. ICTS design and manufacturing; whether the transaction poses an undue risk of catastrophic effects on the security or resiliency of U.S. critical infrastructure or digital economy; or whether the transaction poses an unacceptable risk to U.S. national security.
While the proposed rule fails to designate any particular foreign adversary, it defines foreign adversary as follows:
…any foreign government or foreign non-government person determined by the Secretary to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States….
If, under its broad authority, the Secretary determines the effects of a transaction pose an undue or unacceptable risk by a foreign adversary, then the Secretary will make a written determination available to the public with the basis for the decision. Significantly, the proposed rule authorizes the Secretary to mitigate, prohibit, or even unwind transactions found to pose an undue or unacceptable risk by a foreign adversary. Notwithstanding the procedures identified, the proposed rule also provides the Secretary with emergency authority “to vary or dispense with any or all of the procedures” “when public harm is likely to occur” or “national security interests require it.”
Takeaways
While this proposed rule is subject to public comment until December 27, 2019 and could change, it nevertheless highlights the importance of businesses managing their supply chains with a view to geopolitical risks. In many cases, tracing the provenance of particular equipment may require a difficult back-tracing of the supply chain, which is often best done with advance planning. Similarly, because of the proposed rule’s lack of clarity as to what constitutes an undue or unacceptable risk and which foreign actors are “foreign adversaries,” it may be advisable for companies to undertake an internal review that reaches back to the ultimate source of supply to identify areas of particular risk. Finally, we strongly recommend that companies more closely integrate supply chain management with their compliance functions to ensure these regulatory risks are being handled and mitigated at the appropriate level within the organization and with all the necessary stakeholders involved.
For additional information, please contact Guillermo Christensen, Reena Bajowala, or Christian Robertson.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.