Rule Authorizes "Foreign Adversaries" ICTS Review

28 Oct.,2024

 

Rule Authorizes "Foreign Adversaries" ICTS Review

Later this month, companies operating in the information and communications technology and services ("ICTS") sector will begin to contend with a new national security review process with potentially broad and disruptive effects on cross-border transactions. 

Link to kelingyizhi

Building on a May Executive Order issued under the International Emergency Economic Powers Act ("IEEPA"), the U.S. Department of Commerce ("Commerce") recently issued an interim final rule ("IFR") establishing an interagency review mechanism through which Commerce can identify and potentially prohibit ICTS transactions that pose an "undue or unacceptable risk" to national security. This mechanism provides the U.S. government with an additional tool to scrutinize and limit inbound activities when "transactions," which are defined broadly, involve non-U.S. governments or persons determined to be "foreign adversaries" of the United States. Companies operating in the ICTS sector or sourcing or supplying ICTS products or services from the designated countries, including China and Russia, should consider how the new review mechanism may affect their business.

What Is the Scope of the IFR?

Under the IFR, Commerce asserts authority to prohibit, unwind, or mitigate risks associated with "covered ICTS transactions" where the ICTS is "designed, developed, manufactured, or supplied" by persons "owned by, controlled by, or subject to the jurisdiction or direction of" designated "foreign adversaries," and where the transaction is determined to pose an "undue or unacceptable risk" to U.S. national security. 

Covered ICTS Transactions: The IFR defines "ICTS Transactions" to include the acquisition, importation, transfer, installation, dealing in, or use of ICTS, including hardware or software related to electronic communications, data storage, or data processing. Such transactions are "covered," and thus subject to review, when: 

  • The transaction is conducted by a person subject to the jurisdiction of the United States and relates to any property in which a foreign country or its nationals hold an interest; and
  • The associated ICTS falls into one of the following categories: (i) critical infrastructure; (ii) networks and satellites; (iii) data hosting or computing services involving sensitive personal data; (iv) monitoring and home network devices; (v) internet and telecommunications software; or (vi) emerging technology (including advanced robotics, artificial intelligence and machine learning, drones, and quantum computing). 

Importantly, ICTS transactions that are authorized under a "U.S. government industrial security program" or are submitted for review to the Committee on Foreign Investment in the United States ("CFIUS") are not subject to review under the IFR.

Foreign Adversaries: At present, Commerce has designated the following countries as "foreign adversaries" for purposes of ICTS review: China (including Hong Kong), Russia, Cuba, Iran, North Korea, and the Maduro Regime in Venezuela. However, the Secretary of Commerce has discretion to designate additional governments or persons as "foreign adversaries."

Undue or Unacceptable Risk: Commerce has not yet provided a precise definition of what qualifies as an "undue or unacceptable risk," but has made clear that the term at least includes the risk of sabotage or subversion of U.S. electronic communications, data storage, or data processing capabilities, as well as the risk of catastrophic effects on U.S. critical infrastructure or the U.S. digital economy.

How Is the Review Process Structured?

The IFR contemplates a multi-tiered review process of covered "ICTS Transactions":

  • Commencement: Commerce may begin a review on its own initiative, on a referral from a different agency, or by a referral from a private party. 
  • Initial Review: If Commerce opts to proceed on a referral, it will conduct an review to make preliminary determinations regarding the risk posed by the "ICTS Transaction," including the nature of the technology in the transaction and the level of control exercised by the "foreign adversary." If Commerce determines that the transaction likely poses an "undue or unacceptable risk," Commerce will then provide notice to and consult with an interagency panel to determine whether the "ICTS Transaction" meets the criteria established in the IFR for assessing "undue or unacceptable risk[s]." If Commerce determines that the transaction meets that criteria, then it will issue an initial determination and invite the parties to the transaction to respond within 30 days. 
  • Final Determination: If a party opts to respond, Commerce, in consultation with the interagency panel, will consider any new arguments or circumstances, and then issue a final determination that prohibits, permits, or sets out mitigation measures necessary for the transaction to proceed.

Unless the Secretary of Commerce determines in writing that additional time is necessary, all reviews will be completed within 180 days.

At present, the IFR does not include a "safe harbor" procedure similar to that found in CFIUS or an affirmative licensing process. Commerce indicated in the IFR, however, that it intends to publish procedures "to allow a party or parties to a proposed, pending, or ongoing ICTS Transaction to seek a license" within 60 days of the publication of the IFR. Commerce further indicated that it intends to implement this licensing process within 120 days of the publication of the IFR. Notably, Commerce explained that it intends this license review process will include a fixed timeline, which would be similar to the approach used in CFIUS reviews. 

What's Next? 

Although the IFR is slated to take effect on March 22, , the future of Commerce's ICTS review process remains uncertain. The IFR remains open to public comment and, more significantly, the Biden administration has yet to explain publicly whether or how aggressively it plans to use the new interagency review structure and prohibition authority. 

Nevertheless, companies in the ICTS sector should prepare to comply with the proposed review procedures and assess ongoing, pending, and recently closed transactions to identify and, if possible, mitigate any potential impact this new review process may have, including by adding appropriate terms to the contract to apportion regulatory risk and plan for ICTS review contingencies.

Megan McKnelly, in the San Diego Office, assisted in the preparation of this Commentary.

Commerce restricts certain transactions involving Information ...

On 19 January , the U.S. Department of Commerce (Commerce) issued an interim final rule addressing national security concerns related to the Information and Communications Technology and Services (ICTS) supply chain, which takes effect 22 March . Pursuant to the interim rule, Commerce can review specified ICTS Transactions and may ultimately prohibit or restrict any ICTS Transaction connected to &#;foreign adversaries&#; that pose certain &#;undue or unacceptable risks.&#; Currently, &#;foreign adversaries&#; consist of China (including Hong Kong), Cuba, Iran, North Korea, Russia, and the Venezuelan regime of Nicolas Maduro. The interim final rule does not appear to impose a mandatory licensing requirement, but companies may proactively apply for a license, allowing Commerce to review a transaction prospectively. Violations of this interim rule may be subject to significant civil and criminal penalties.

On 19 January , Commerce issued an interim final rule addressing national security concerns related to the Information and Communications Technology and Services supply chain, which takes effect 22 March . Commerce is also accepting comments until that date. In addition, Commerce intends to publish additional regulations setting forth the licensing process for these rules within 60 days, which will also have a 60-day comment period of their own. Pursuant to the interim final rule, Commerce can review specified ICTS Transactions through a process similar to that of the Committee on Foreign Investment in the United States (CFIUS). Based on this review, Commerce may prohibit or restrict any ICTS Transaction connected to &#;foreign adversaries&#; that pose certain &#;undue or unacceptable risks.&#; At this time, &#;foreign adversaries&#; consist of China (including Hong Kong), Cuba, Iran, North Korea, Russia, and the Venezuelan regime of Nicolas Maduro.

Rather than waiting for Commerce and the other agencies involved in the review process to initiate a review on their own, companies will be able to apply for a license proactively, allowing Commerce to review ongoing or prospective transactions. Such license applications will be reviewed on a fixed timeline of no more than 120 days from accepting a license application. If Commerce does not issue a decision within 120 days, the application will be deemed granted. The rule does not appear to impose a mandatory licensing requirement, nor do the rules include a value or other threshold for transactions that would invite scrutiny, but violations of this interim final rule may be subject to significant civil and criminal penalties. Consequently, companies are advised to assess the risks of engaging in transactions with a connection to the &#;foreign adversaries&#; listed above.

Background

On 15 May , President Trump issued Executive Order (EO) , "Securing the Information and Communications Technology and Services Supply Chain." The EO authorizes the Secretary of Commerce to prohibit certain transactions involving ICTS that have been &#;designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversary&#; and that pose an &#;unacceptable risk&#; to U.S. national security or &#;undue risk&#; to U.S. ICTS or critical infrastructure.

Pursuant to this authority, Commerce issued a proposed rule in November . After reviewing public comments, Commerce issued this interim final rule on 19 January .

This interim final rule from Commerce is part of broader, multi-agency effort by the U.S. government to address national security concerns related to the use of foreign communications and information technology equipment in U.S. networks. Most notably, the Federal Acquisition Regulations (FAR) Council published a separate interim rule on 14 July implementing a government-wide ban on federal contracting with any entity that uses covered telecommunications equipment or services from certain Chinese entities. The FAR Council promulgated this interim rule to implement Section 889(a)(1)(B) (Part B) of the fiscal year National Defense Authorization Act (FY19 NDAA). See Hogan Lovells&#; update on the FAR Council&#;s regulations here.

Summary of key provisions

In relevant part, this interim final rule states that Commerce may determine whether an ICTS Transaction that has been &#;designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries poses undue or unacceptable risks.&#; Based on this review, Commerce may approve the transaction, prohibit the transaction, or require mitigation. Below is a summary of key definitions and additional details regarding the scope of this interim final rule.

Contact us to discuss your requirements of communication technology ltd. Our experienced sales team can help you identify the options that best suit your needs.

ICTS defined

ICTS means &#;any hardware, software, or other product or service, including cloud-computing services, primarily intended to fulfil or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.&#;

ICTS Transaction defined

An ICTS Transaction means &#;any acquisition, importation, transfer, installation, dealing in, or use of any ICTS, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.&#; This definition includes &#;any other transaction, the structure of which is designed or intended to evade or circumvent the application&#; of EO . This definition also includes a class of ICTS transactions.

Foreign adversaries definition

As of now, Commerce has identified the following government or non-government persons as &#;foreign adversaries&#; for purposes of these regulations:

  • The People&#;s Republic of China, including Hong Kong;
  • Cuba;
  • Iran;
  • The Democratic People&#;s Republic of Korea (North Korea);
  • Russia; and
  • The regime of Nicolas Maduro (Venezuela).

This list may be revised, and countries may be added or removed.

Scope of covered ICTS Transactions

The interim final rule only applies to ICTS Transactions that meet all of the four following criteria; that is, the transaction:

  • Is conducted by any person, or involves any property, subject to U.S. jurisdiction;
  • Involves any property in which any foreign country or a national thereof has an interest (including through an interest in a contract for the provision of the technology or service);
  • Is initiated, pending, or completed on or after 19 January , regardless of when any contract applicable to the transaction is entered into, dated, or signed, or when any license, permit, or authorization applicable to such transaction was granted.  Any act or service with respect to an ICTS Transaction, such as execution of any provision of a managed services contract, installation of software updates, or the conducting of repairs, that occurs on or after 19 January may be deemed an ICTS Transaction even if the contract was initially entered into or the activity commenced prior to January 19, ; and
  • Involves one of the following six kinds of ICTS:
  • Critical infrastructure: ICTS that will be used by a party to a transaction in a sector designated as critical infrastructure by Presidential Policy Directive 21 &#; Critical Infrastructure Security and Resilience, including any subsectors or subsequently designated sectors;
  • Network infrastructure: ICTS integral to wireless local area networks, mobile networks, satellite payloads, satellite operations and control, cable access points, wireline access points, core networking systems, and long- and short-haul networks;
  • Sensitive personal data: ICTS integral to data hosting or computing services that uses, processes, or retains, or is expected to use, process, or retain, sensitive personal data on greater than one million U.S. persons at any point over the twelve months preceding an ICTS Transaction;
  • Surveillance and monitoring: Internet-enabled sensors, webcams, any other end-point surveillance or monitoring device; routers, modems, any other home networking device; drones, or any other unmanned aerial system if greater than one million units have been sold to U.S. persons at any point over the twelve months prior to an ICTS Transaction;
  • Communications software: Software designed primarily for connecting with and communicating via the Internet that is in use by greater than one million U.S. persons at any point over the twelve months preceding an ICTS Transaction;
  • Emerging technology: ICTS integral to artificial intelligence and machine learning; quantum key distribution; quantum computing; drones; autonomous systems; or advanced Robotics.

The regulations do not apply to an ICTS Transaction that:

  • Involves the acquisition of ICTS by a U.S. person as a party to a transaction authorized under a U.S. Government industry security program; or
  • CFIUS is actively reviewing or has reviewed the transaction as a covered transaction or covered real estate transaction, or as part of such a transaction.
    • ICTS transactions that were not part of the covered transaction or covered real estate transaction reviewed by CFIUS remain subject to the regulations.
Review process

Commerce may decide to make a referral for review of a transaction based on the written request of an appropriate agency head, at the Commerce Secretary&#;s discretion, or based on any of the categories of information set forth in section 7.100(a) of the regulations.

Upon receiving a referral, Commerce shall decide whether to conduct an initial review of the transaction to assess whether it poses an undue or unacceptable risk. In doing so, Commerce shall consider the following criteria:

  • The nature and characteristics of the information and communications technology or services at issue in the ICTS Transaction, including technical capabilities, applications, and market share considerations;
  • The nature and degree of the ownership, control, direction, or jurisdiction exercised by the foreign adversary over the design, development, manufacture, or supply at issue in the ICTS Transaction;
  • The statements and actions of the foreign adversary at issue in the ICTS Transaction;
  • The statements and actions of the persons involved in the design, development, manufacture, or supply at issue in the ICTS Transaction;
  • The statements and actions of the parties to the ICTS Transaction;
  • Whether the ICTS Transaction poses a discrete or persistent threat;
  • The nature of the vulnerability implicated by the ICTS Transaction;
  • Whether there is an ability to otherwise mitigate the risks posed by the ICTS Transaction;
  • The severity of the harm posed by the ICTS Transaction on at least one of the following: (i) Health, safety, and security; (ii) Critical infrastructure; (iii) Sensitive data; (iv) The economy; (v) Foreign policy; (vi) The natural environment; and (vii) National Essential Functions (as defined by Federal Continuity Directive-2 (FCD-2)); and
  •  The likelihood that the ICTS Transaction will in fact cause threatened harm.

These criteria are to be assessed by Commerce in interagency consultation with the U.S. Departments of Treasury, State, Defense, Justice, and Homeland Security, as well the Office of the U.S. Trade Representative, the Director of National Intelligence, the General Services Administration, the Federal Communications Commission, and any other agency Commerce deems appropriate.

The initial review can result in a determination that the transaction does not meet these criteria, in which case the review will end. But if the transaction does meet these criteria, Commerce can propose mitigation measures or seek to prohibit the transaction.  The parties to the transaction must be notified in writing in either such case.

This written notification triggers a 30 day period whereby the parties may respond to Commerce, and such response may submit arguments contesting the basis of Commerce&#;s determination, or proposing remedial steps.

Commerce will then review these responses and, in interagency consultation, decide whether a final determination regarding the transaction shall be issued. A final determination can conclude that a transaction is: 1) prohibited; 2) not prohibited; 3) permitted pursuant to the adoption of negotiated mitigation measures.

Such a final determination must be issued within 180 days of accepting a referral and commencing the initial review of a transaction (though this period can be extended by Commerce).  The final determination must be sent in writing to the parties. Final determinations prohibiting a transaction will be published in the Federal Register.

Penalties

Violations of these regulations can be subject to civil or criminal penalties pursuant to the International Emergency Economic Powers Act (IEEPA). These include violations of any final determination, direction, or mitigation agreement pursuant to the regulations.

Civil penalties may not be more than the greater of either: i) US$307,922; or ii) twice the value of the transaction that is the basis of the violation, per violation.

Criminal penalties may be no greater than US$1,000,000 and/or 20 years&#; imprisonment, per violation.

Next steps

Comments on this interim final rule are due 22 March . Commerce has stated that it is committed to ultimately issuing final regulations. However, Commerce issued this interim rule under the Trump administration, and it is therefore uncertain what, if any changes, the new Biden administration may seek to make or may suspend the implementation of the rule.  

In the meantime, businesses should be cognizant of the potentially retroactive nature of the interim final rule. Though it does not take effect until 22 March , the interim rule applies to ICTS Transactions &#;initiated, pending, or completed on or after&#; 19 January .

For further information or assistance, please contact any of the Hogan Lovells lawyers identified below.

 

 

Authored by Ajay Kuntamukkala, Adam Berry, Molly Newell

 

If you want to learn more, please visit our website telecom bts.