A Department of Commerce proposal would establish broad authority to block threats to digital security.
This past summer, the U.S. government accused China-based telecommunications equipment vendor Huawei of spying for the Chinese government. To combat such security risks, the U.S. Department of Commerce recently proposed a rule that would establish a broad new authority to protect national security.
The proposed rule would authorize the Secretary of Commerce to review information and communications technology and services (ICTS) that have connections to a foreign adversary.
According to the Commerce Department, the ICTS proposal is essential to national security. Access to data can reveal a lot about national security and commercial strategies. ICTS “underpins our economy,” “supports critical infrastructure and emergency services,” and “facilitates the nation’s ability to store, process, and transmit” sensitive data, notes the Department.
Recently, the ICTS supply chain has become more susceptible to attacks and exploitation from foreign adversaries. Preventing foreign interference is necessary to avoid a “catastrophic effect” on our economic strength, explains the Commerce Department.
The Commerce Department’s proposed rule responds to Executive Order 13,873, which declared a national emergency concerning threats against ICTS in the United States.
The executive order authorizes the Secretary of Commerce to “prohibit or mitigate transactions initiated, pending, or completed after May 15, 2019.” The Secretary would only evaluate transactions subject to the jurisdiction of the United States and of interest to a foreign state or national.
Under the proposed rule, the Secretary would block a transaction if it raises: “an undue risk of sabotage or subversion of ICTS,” “an undue risk of catastrophic effects on the security and resiliency” of the digital economy, or an “unacceptable risk to national security.”
Although the executive order recommends the Secretary immediately prohibit any ICTS transactions identified as risks, the proposed rule establishes a less sweeping authority. Under the proposed rule, the Secretary would review transactions on a case-by-case basis and analyze the individual facts of each case.
The Secretary would also have guidance from other agencies. For example, the Secretary of Homeland Security and the Director of National Intelligence would create and provide assessments to assist the Secretary of Commerce.
The proposed rule would include additional steps. First, once the Secretary makes a preliminary decision to prohibit or mitigate a transaction, the Secretary would provide notice to the affected parties. Second, these parties would have a chance to respond and propose solutions. Finally, the Secretary would make a final determination and notify the parties. The written determination would explain how the decision meets the goals of the executive order.
But critics worry that the proposed rule may be too broad. Its language leaves a lot of uncertainty for impacted businesses, they say.
For example, the proposed rule fails to define the terms “undue risk” and “unacceptable risk.” As a result, the Secretary would have the sole discretion to determine what activities count as risks.
Also, the proposed rule grants broad authority to the Secretary to determine which foreign entities are “foreign adversaries.” A foreign adversary is defined only as “any foreign government or foreign non-government person engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security” of the United States. Such a broad definition provides little guidance to affected corporations, critics charge.
Corporate lawyers suggest that businesses potentially impacted by the proposed rule should submit comments urging the Department “to resolve some uncertainty that may chill business transactions.” Companies based in the United States may be “targeted” by this proposed rule and caught by surprise, since the rule can impact industries other than network or internet service providers, explain lawyers.
Other corporate lawyers assert that the broad definition of this proposed rule could cover the vast majority of businesses in the United States. This proposed rule could broadly apply to any ICTS transaction with a foreign element and a direct tie to the U.S. In fact, any foreign transactions involving U.S. companies, citizens, or green card holders could be impacted, some commentators assert.
Furthermore, almost every modern-day technology can count as ICTS, including tablets, watches, and even cars, explain lawyers. Thus, the proposed rule would apply to an even wider range of transactions than affected corporations might imagine.