Commerce clarifies tech supply chain rule reaches ‘connected software applications’ but leaves many questions unanswered
The Biden administration has taken another step in the process of implementing national security restrictions on the domestic use of foreign-made telecommunications equipment. On November 26, 2021, the Department of Commerce (“Commerce”) issued a Notice of Proposed Rulemaking (“NPRM”) clarifying that “connected software applications” – “applications” in the common vernacular – fall within the realm of information and communications technology and services (“ICTS”) subject to Executive Order 13873, Securing the Information and Communications Technology and Services Supply Chain, and Executive Order 14034, Protecting Sensitive American Data from Foreign Adversaries. These executive orders and Commerce’s ICTS regulations empower the Secretary of Commerce to block ICTS “transactions” (which include even the mere use of technology) that pose an “undue or unacceptable threat” to national security. The NPRM does not change the basic contours of the regulatory regime, but clarifies the types of technology and services subject to regulation, as well as the factors the Department will consider in assessing national security risks. Comments are due by December 27, 2021.
Specify that applications are subject to review
The Biden administration has continued, and at times expanded, the Trump administration’s efforts to address the perceived national security threat posed by foreign technology. In June 2021, President Biden issued Executive Order 14034, which revoked a number of Trump-era executive orders, but upheld Executive Order 13873 and further directed the Secretary of Commerce to assess transactions involving connected software applications.
Under these executive orders, the Secretary of Commerce is empowered to review and block ICTS transactions. The definition of transactions is broad and includes any “acquisition, import, transfer, installation, transaction or use of any information and communication technology or service”. Notably, Executive Order 13873 and the ICTS Commerce Regulations make the mere “use” of any ICTS a covered “transaction”. Therefore, the Commerce Department could, if it wanted to, prohibit US businesses and consumers from using designated foreign technologies.
Executive Order 14034 covers “connected software applications”, which it defines as “a piece of software, software program, or group of software programs, designed for use on an endpoint computing device and comprising as an integral feature, the ability to collect, process or transmit data over the Internet.” The NPRM proposes to incorporate this definition into the current ICTS Commerce Regulations, but does not otherwise change the scope of the regulations. The NPRM thus serves to clarify that applications are included in the types of technologies and services that could raise national security concerns.
The NPRM would also embed in the Commerce Regulations specific risk factors that the Secretary may consider with respect to connected software applications:
- whether the transaction is owned, controlled or managed by persons who support the military, intelligence or proliferation activities of a foreign adversary;
- whether the application can perform surveillance that would allow a foreign adversary to gain access to sensitive or confidential government, commercial or personal data;
- ownership, control or management by persons subject to coercion or co-option by a foreign adversary;
- ownership, control or management by persons involved in malicious cyber activities;
- the absence of a thorough third-party audit;
- scope and sensitivity of data collected;
- number and sensitivity of users; and
- the extent to which the risks can be addressed by independently verifiable measures.
The amended rule allows the secretary to assess the risk of a transaction by evaluating how applications protect the data they store or transfer. By specifically highlighting the number of users potentially impacted, the type of information collected, and the presence of third-party monitoring, the new rule provides guidance on what Commerce will consider to be unacceptable risk.
In addition, the Commerce Department specifically sought public comment on:
- whether the proposed definition of “connected software applications” is sufficient to fully identify the intended category of ICTS, including whether the category should include devices that communicate via SMS and low-power radio protocols; and
- whether the expanded criteria that the Secretary may consider for assessing risk are sufficient and whether they should apply generally to ICTS transactions or only to transactions involving connected software applications.
Although the NPRM proposes technical changes to comply with the requirements of Executive Order 14034, it sheds little light on how aggressively the government will use this authority, the types of ICTS transactions it will prioritize, the intensity of the review process, and whether Commerce will establish a formal licensing regime. These unanswered questions continue to preoccupy the industry, which has asked for more clarity on how the potentially drastic authorities will be implemented. But for now, companies remain in a wait-and-see posture as ongoing tensions with China create uncertainty over potential government regulation of foreign technology.
O’Melveny acknowledges legal scholar Joshua Goode for his valuable contributions to researching and writing this article.