Updates to Chapter 16
National Security: Economic Controls, Trade Limits, Equipment Bans
UPDATES TO THE SECOND EDITION
16.1.2.2 Enforcement of Executive Order 13873
On June 20, 2024, the Commerce Department's Bureau of Industry and Security (BIS) announced its first-ever enforcement action under EO 13873, issuing a Final Determination prohibiting Kaspersky Lab, Inc., the U.S. subsidiary of a Russia-based anti-virus software and cybersecurity company, from directly or indirectly providing anti-virus software and cybersecurity products or services in the United States or to U.S. persons. As a result of the determination, Kaspersky will generally no longer be able to sell its software within the U.S. or provide updates to software already in use. However, individuals and businesses that continue to use existing Kaspersky products and services will not face legal penalties under the Final Determination.
The determination was based on findings that –
Kaspersky is subject to the jurisdiction of the Russian Government and must comply with requests for information that could lead to the exploitation of access to sensitive information present on electronic devices using Kaspersky’s anti-virus software.
Kaspersky has broad access to, and administrative privileges over, customer information through its cybersecurity and anti-virus software.
Kaspersky employees could potentially transfer U.S. customer data to Russia, where it would be accessible to the Russian Government under Russian law.
Kaspersky has the ability to use its products to install malicious software on U.S. customers’ computers or to selectively deny updates, leaving U.S. persons and critical infrastructure vulnerable to malware and exploitation.
Kaspersky had proposed mitigation measures to address Russian jurisdiction, control, or direction over its actions, but the Commerce Department found them insufficient.
The ban, invoking the IEEPA-based EO 13873, was just the latest exercise of various legal authorities aimed at blocking Kaspersky from the U.S. ecosystem: In 2017, acting under 44 USC 3553 (part of FISMA), the Department of Homeland Security issued a “binding operational directive” requiring federal agencies to remove and discontinue use of Kaspersky-branded products on federal information systems. The National Defense Authorization Act for Fiscal Year 2018 prohibited the use of Kaspersky by the Federal Government. In 2022, acting pursuant to the Secure and Trusted Communications Networks Act of 2019, the Federal Communications Commission added Kaspersky products and services to its List of Communications Equipment and Services that Pose a Threat to National Security (“the covered list”), prohibiting their purchase with federal telecommunications subsidy funds. See Chapter 16.5.1.4 in the book for more on the Secure and Trusted Communications Networks Act.
16.1.2.3 [New] Rulemaking on Connected Vehicles
on September 23, 2024, the U.S. Department of Commerce’s Bureau of Industry and Security published a Notice of Proposed Rulemaking (NPRM) that would prohibit the sale or import of connected vehicles integrating specific pieces of hardware and software, or those components sold separately, with a sufficient nexus to the People’s Republic of China or Russia. The proposed rule focuses on hardware and software integrated into Vehicle Connectivity Systems and software integrated into Automated Driving Systems. Malicious access to these systems, the Commerce Department stated, could allow adversaries to access and collect our most sensitive data and remotely manipulate cars on American roads. The proposed rule would apply to all wheeled on-road vehicles such as cars, trucks, and buses, but would exclude vehicles not used on public roads like agricultural or mining vehicles. Comments were due by October 28, 2024.
16.1.3 Limiting Data Flows: IEEPA Bans on TikTok, WeChat, and Other China-Related Apps
On February 28, 2024, Biden signed Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Data and United States Government-Related Data by Countries of Concern.” The order is based on IEEPA and states that it expands the scope of the national emergency declared by President Trump in EO 13873. However, the Biden order represents a pretty sharp departure from the Trump approach: Rather than seeking to limit apps, the Biden EO takes initial steps in establishing a system to regulate data.
The Biden EO directs the Department of Justice to establish a regulatory process aimed at two categories of data: bulk sensitive personal data (defined as personal identifiers, geolocation and related sensor data, biometric identifiers, human ‘omic data, personal health data, and personal financial data) and United States Government-related data (defined as sensitive data in any volume that is linked to or can be used to identify government personnel). It contemplates outright bans on some transfers and, for others, restrictions that would impose security requirements intended to mitigate the risk of access by adversaries. It would regulate transfer to “countries of concern” and starts with those identified under the Trump EO: China, Cuba, Iran, North Korea, Russia, and Venezuela. It encompasses not only transfers directly to those countries’ government but also transactions between U.S. persons and persons subject to ownership, control, jurisdiction, or direction of those countries.
On October 21, 2024, the Justice Department issued its Notice of Proposed Rulemaking to implement EO 14117. The incredibly detailed proposed rule defines a “covered data transaction” as any transaction that involves any access to any government-related data or bulk U.S. sensitive personal data and that involves: (1) data brokerage, (2) a vendor agreement, (3) an employment agreement, or (4) an investment agreement. It identifies (1) certain classes of highly sensitive transactions with countries of concern or covered persons that the proposed rule would prohibit in their entirety (“prohibited transactions”) and (2) other classes of transactions that would be prohibited except to the extent they comply with predefined security requirements (“restricted transactions”) to mitigate the risk of access to bulk U.S. sensitive personal data by countries of concern. Among other things, the proposed rule also identifies countries of concern and classes of covered persons to whom the proposed rule applies, identifies classes of exempt transactions, establishes processes to issue licenses authorizing certain prohibited or restricted transactions, and addresses recordkeeping, reporting, and other due-diligence obligations for covered transactions. The comment period ends on November 29, 2024.
16.1.3.1 Outside IEEPA, Congress Bans TikTok unless Divested
In April, 2024, in the supplemental appropriations act, Congress circumvented IEEPA by adopting free-standing legislation requiring divestiture of TikTok. The law makes it unlawful to distribute, maintain, or update (such as through a mobile app store) a “foreign adversary controlled application.” Foreign adversary controlled application is specifically defined to include any app owned by TikTok (unless divested from its China-based parent ByteDance), but the term also includes any other app operated by a company that is controlled by a foreign adversary and determined by the President to present a significant threat to the national security. The TikTok ban takes effect on January 19, 2025. TikTok challenged the law in the U.S. Court of Appeals for the District of Columbia, with oral argument scheduled for September 16.
16.1.3.2 Outside IEEPA, Congress Regulates Data Brokers
Also in the April 2024 supplemental, Congress adopted the Protecting Americans’ Data from Foreign Adversaries Act of 2024. The law, which took effect on July 17, makes it unlawful for a data broker to sell, license, or disclose “personally identifiable sensitive data of a United States individual” to any foreign adversary country or an entity that is controlled by a foreign adversary. Through a cross-reference, foreign adversary is defined as China, Russia, Iran and North Korea. Sensitive data is broadly defined as data that identifies or is linked or reasonably linkable to an individual or to a device that identifies or is linked or is reasonably linkable to an individual. It includes government-issued identifiers (Social Security numbers, driver’s license numbers), health data, financial data, precise geolocation data, and online browsing data, among other listed categories. Data broker is defined as an entity that sells, licenses, discloses or otherwise makes available data that the entity did not collect directly from individuals. That leaves out first-party data collectors, such as the many mobile apps that collect and sell location data or health data from their users, and which are a large part of the data ecosystem.
16.3 Limits on Investments in the U.S. (Defense Production Act and CFIUS)
On April 11, 2024, the U.S. Treasury Department issued a Notice of Proposed Rulemaking to augment the penalty and enforcement authority of the Committee on Foreign Investment in the United States. The NPRM marks the first update to CFIUS’ mitigation and enforcement toolkit since Congress passed the Foreign Investment Risk Review Modernization Act of 2018. Assistant Secretary for Investment Security Paul Rosen said, “these updates to our enforcement toolkit provide CFIUS with a sharper scalpel to carefully and methodically address violations and protect U.S. national security.” The proposal, which is not specifically aimed at cybersecurity concerns but rather relates to CFIUS procedures in general, would expand the categories of information CFIUS may request from transaction parties and others; authorize the Committee to require transaction parties to respond to mitigation agreement drafts within a specified number of days; increase the maximum penalty amount (from $250,000 to $5 million) for violations such as submitting false information or failing to abide by a mitigation agreement; allow the Committee to impose penalties for material misstatements or omissions in certain information submitted to the Committee outside of the submission of a declaration or notice; and extend the time frames related to a petition for reconsideration of a penalty. For more, see Paul Weiss, Treasury Proposes a “Sharper Scalpel” for CFIUS Enforcement (Apr. 12, 2024).
CFIUS publishes basic information about its enforcement actions, including its 2024 fine of $60 million against T-Mobile.
Chapter 16.4 Limits on Foreign Participation in the U.S. Telecom Sector (Team Telecom)
Another statute relevant to the cybersecurity of the U.S. telecom infrastructure is the Cable Landing License Act of 1921, which authorizes the President to grant, withhold, revoke, or impose conditions on cable-landing licenses. 47 U.S.C. §§ 34–39. Specifically, the act grants to the President discretion to withhold, revoke, or impose conditions on cable-landing licenses if the President determines “after due notice and hearing that such action[s] … will promote the security of the United States.” The President delegated that authority to the FCC in Executive Order 10530 (1954). See also Review of Commission Consideration of Applications under the Cable Landing License Act, Report and Order, 16 FCC Rcd 22167 (2001); Rules and Policies on Foreign Participation in the U.S. Telecommunications Mkt., Report and Order and Order on Reconsideration, 12 FCC Rcd 23891 (1997) (“Foreign Participation Order”). The EO, as well as the FCC’s own regulations, require the FCC to obtain approval from the Secretary of State and to seek advice from Team Telecom before granting or revoking any such license. See 47 C.F.R. § 1.767(b). The FCC has said that it will “accord deference to the expertise of Executive Branch agencies in identifying and interpreting issues of concern related to national security, law enforcement, and foreign policy.” Foreign Participation Order, 12 FCC Rcd at 23920, ¶ 63.
The FCC has interpreted its authority broadly, to encompass not only cable landings in the U.S. but also landings in other countries by cable system otherwise subject to FCC jurisdiction. Thus, for example, in 2022, Team Telecom recommended that the FCC deny a request from the Americas Region Caribbean Optical-Ring System (ARCOS-1), a submarine cable system connecting two dozen landing points in 15 countries in the Caribbean and South and Central America, to add a landing point in Cuba. Soon thereafter, the request was withdrawn.
FN 42:
The correct citation for the revocation of the authorization of Pac. Networks Corp., is FCC 22-22, 2022 WL 905270, at *1 (FCC Mar. 23, 2022) (Revocation Order). The revocation was upheld in Pacific Networks Corp. v. FCC, No. 22-1054, 2023 U.S. App. LEXIS 21246 (D.C. Cir. Aug. 15, 2023).
16.7 Limits on Outbound Investment
On October 28, 2024, the U.S. Department of the Treasury issued a final rule to implement E.O. 14105 of August 9, 2023, “Addressing United States Investments in Certain National Security Technologies and Products in Countries of Concern” (the Outbound Order). As required by that E.O., the regulations (1) prohibit U.S. persons from engaging in certain transactions with persons of a country of concern involving a defined set of technologies and products that pose a particularly acute national security threat to the United States, and (2) require U.S. persons to notify Treasury of certain other transactions with persons of a country of concern involving a defined set of technologies and products that may contribute to the threat to the national security of the United States. As the President had directed, the regulation focuses on investments involving the People’s Republic of China, the Special Administrative Region of Hong Kong and the Special Administrative Region of Macau. The technologies and products subject to the prohibition and notification requirement were identified in the Outbound Order as semiconductors and microelectronics; quantum information technologies; and artificial intelligence. The Final Rule provides details on subsets of technologies and products within these three sectors.
The Outbound Investment Security Program will be administered by the newly created Office of Global Transactions, within Treasury’s Office of Investment Security. The Final Rule becomes effective on January 2, 2025.
________________________________________________________________
ARCHIVED UPDATES TO THE FIRST EDITION (last updated, February 17, 2023), INCORPORATED INTO THE SECOND EDITION
16.1.1 Economic Sanctions under IEEPA for Cyber- Related Activities
In September 2022, the Treasury Department issued revised Cyber-Related Sanctions Regulations implementing E.O. 13694. 31 C.F.R. Part 578. The regulations also implement certain provisions of title II of the Countering America’s Adversaries Through Sanctions Act, Pub. L. 115-44, 131 Stat. 886 (codified in scattered sections of 22 U.S.C.) The regulations implement targeted sanctions that are directed at persons determined to have engaged in certain cyber-related activities posing a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.
16.1.2 Executive Order on Securing the ICT Supply Chain
On May 11, 2021, and again on May 12, 2022, in accordance with section 202(d) of the National Emergencies Act (50 U.S.C. 1622(d)), President Biden continued for one year the national emergency declared in Executive Order 13873.
16.1.2.1 Commerce Department Rule Implementing EO 13873
The process for adopting the licensing procedures referenced in the last paragraph of this section in the book was commenced in March 2021. Department of Commerce, Securing the Information and Communications Technology and Services Supply Chain: Licensing Procedures, Advance Notice of Proposed Rulemaking, 86 Fed. Reg. 16,312 (Mar. 29, 2021).
On November 26, 2021, the Department of Commerce proposed amendments to its Interim Final Rule on Securing the Information and Communications Technology and Services Supply Chain (the “Supply Chain Rule”), initially issued in the final days of the Trump Administration under EO 13873. The proposed amendments were, Commerce said, intended to implement President Biden’s June 2021 Executive Order 14034 on Protecting Americans’ Sensitive Data from Foreign Adversaries. In essence, the proposed amendments merge implementation of the Trump and Biden orders. Specifically, the proposed rule would revise the definition of Information and Communications Technology and Services (ICTS) in the Supply Chain Rule to expressly include “connected software applications” and would add a definition of “connected software application” that is consistent with that used in EO 14034. The amendments would also provide for additional criteria that the Secretary of Commerce may consider when determining whether ICTS Transactions (as defined in the Supply Chain Rule) that involve connected software applications present an undue or unacceptable risk. The Department asked for comments on the additional criteria for connected software applications, including whether they should be applied to all ICTS Transaction reviews.
[New subchapter:] 16.1.2.2 Enforcement of EO 13873
In March 2021, the Department of Commerce served subpoenas on multiple Chinese companies that provide information and communications technologies and services in the United States, seeking information relevant to determining whether transactions involving the subpoenaed companies should be barred under the criteria in EO 13873. Dept. of Commerce Press Release, U.S. Secretary of Commerce Gina Raimondo Statement on Actions Taken Under ICTS Supply Chain Executive Order (March 17, 2021). Issuance of the subpoenas clearly indicated that the new Administration would enforce the Trump EO, a message reconfirmed later in March when the Commerce Department began the rulemaking referenced above in Chapter 16.1.2.1.
16.1.3 IEEPA Bans on TikTok, WeChat, and Other China-Related Apps
In June 2021, President Biden revoked all three of the Trump EOs on Chinese apps discussed in the book (EOs 13942, 13943, and 13971). EO 14034, Protecting Americans’ Sensitive Data From Foreign Adversaries (June 9, 2021), 86 Fed. Reg. 31423. At the same time, President Biden ordered a broad review of the harm from unrestricted sale or transfer of Americans’ sensitive data, and access to large data repositories, by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary and of the risks posed by software applications developed by persons subject to the jurisdiction or control of a foreign adversary. The President directed his administration to submit to him recommendations to address those issues.
President Biden’s June 2021 order specifically preserved President Trump’s EO 13873, Securing the Information and Communications Technology and Services Supply Chain, and directed the Secretary of Commerce to evaluate on a continuing basis transactions involving connected software applications that may pose a variety of risks to U.S. interests and to take appropriate action in accordance with EO 13873 and its implementing regulations. On November 26, 2021, to implement this portion of EO 14034 and merge it with EO 13873, the Department of Commerce proposed amendments to its Interim Final Rule on Securing the Information and Communications Technology and Services Supply Chain, issued under 13873. See a bit more under additions to Chapter 16.1.2.1, above.
Just closing the loop on the bans and the injunctions against them:
The Department of Commerce rescinded the “Identification of Prohibited Transactions” it had issued to ban downloads of TikTok and WeChat.
In July 2021, in accordance with the agreement of the parties, and in light of the rescission of the Trump EO, the Third Circuit dismissed the government’s appeal in Marland v. Trump and the D.C. Circuit dismissed the government’s appeal in TikTok Inc. v. Biden.
Also in July 2021, the parties agreed to dismissal of TikTok’s underlying case in the federal district court for the District of Columbia. TikTok Inc v. Biden, Case No. 20-cv-02658 (CJN).
In August, the Ninth Circuit, granting the government’s unopposed motion, dismissed the government’s appeal of the district court injunction in U.S. WeChat Users Alliance v. Trump.
16.2 Export Controls
The Biden Administration has kept Huawei on the Entity List. As predicted in the book, there continue to be further developments regarding the details of implementations of the listing, including the further grant of licenses for export of technologies to the company. See, for example, Karen Freifeld, Huawei gets U.S. approvals to buy auto chips, sparking blow back, Reuters (Aug. 25, 2021).
More on export controls under the Wassenaar Arrangement: In May 2022, the Commerce Department issued a final rule (amending an October 2021 interim final rule) to implement a set of decisions made by the WA countries in 2017 related to surveillance technologies that can be used for both legitimate and malicious purposes. The not-suitable-for-amateurs rule is codified at 15 CFR parts 740, 772, and 774. In essence, it requires a license for the export, reexport or transfers in-country of “cybersecurity items,” including “intrusion software” and “IP network communications surveillance systems or equipment.” (The term “cybersecurity items” is defined by a list of Export Control Classification Numbers (ECCNs).) At the same time, however, the rule creates a license exception for Authorized Cybersecurity Exports (ACE), allowing the export, reexport and transfer in-country of “cybersecurity items” to many destinations.
According to analysis of the interim final rule, it represented a complete ban for only 4 countries (Cuba, Iran, North Korea and Syria). “For nearly 40 other countries (including China and Russia), License Exception ACE contains a complex series of limitations and conditions extending to both ‘government end-users’ and ‘non-government end-users.’” Tamer A. Soliman, Rajesh De, David A. Simon, and Anjani D. Nadadur, BIS Announces New Export Controls on Cybersecurity Items Used for Malicious Cyber Activity (Oct. 21, 2021). See also Brandon L. Van Grack, Charles L. Capito, and Panagiotis C. Bayz, BIS Releases Interim Final Rule on Export Controls for Cybersecurity Items (Nov. 5, 2021).
State Department Guidance on Implementing the “UN Guiding Principles” for Transactions Linked to Foreign Government End-Users for Products or Services with Surveillance Capabilities (Sept. 2020) is intended to minimize the risk that such products or services are misused by governments to violate or abuse human rights.
16.3 Limits on Investments in the U.S. (Defense Production Act and CFIUS)
Emphasizing one point that was mentioned in passing in the book: It is mostly voluntary whether to notify CFIUS of a pending transaction (although not notifying carries risks, since the Committee can claim jurisdiction over even completed transactions). However, FIRRMA made pre-transaction filings (“declarations”) mandatory for investments involving “critical technology” and certain investments involving foreign governments. A rule clarifying what transactions require mandatory filing was issued in September 2020, effective October 2020. Basically, the rule requires mandatory declaration for transactions involving technologies that are otherwise subject to export controls. As with all things CFIUS-related, there are depths that this volume could not possibly capture. See, for example, Brian Egan, Stewart Baker & Evan Abrams, New CFIUS “Critical Technology” Mandatory Filing Rules Increase Importance of Export Controls Analysis (Sept. 29, 2020); Covington, CFIUS Publishes Final Rule Governing Mandatory Filing Requirements for Critical Technology Businesses (Sept. 22, 2020).
Another example of CFIUS’s extraordinary reach: In 2021, the Committee issued an interim order blocking an attempt by a China-based private equity firm to acquire Magnachip, a Delaware-incorporated, U.S. exchange-traded, but South Korea-based semiconductor company. Although all of Magnachip’s assets and activities appeared to be outside the U.S., with limited sales into the U.S., the fact that the company was incorporated in Delaware seems to have been enough for CFIUS to get its hooks in, with China plus semiconductors providing the motivation. See Scott M Flicker, David S Wang, Jia Yan, & David Cao, Magnachip CFIUS Case Underscores Focus of U.S. Government on Semiconductor Supply Chain Security (Sept 17, 2021).
An interesting nuance under CFIUS: certain investors from certain countries are excepted from the process, based on a determination by the U.S. government that those countries have processes similar to CFIUS that will, in effect, prevent the onward flow of technology or data to hostile countries. Currently, the excepted countries are Australia, Canada, New Zealand, and United Kingdom. See 50 U.S.C. § 4565(a)(4)(E); 31 C.F.R. §§ 800.211, 800.218 (definition of excepted foreign state); 800. 219 (definition of excepted foreign investor); 800.304, 800.401(e)(1) and, for real estate transactions, 31 C.F.R. §§ 802.216, 802.302(a). As with the rest of CFIUS, interpreting and navigating these exceptions is not for the amateur.
On September 15, 2022, President Biden signed Executive Order 14083 defining additional national security factors for CFIUS to consider in evaluating transactions, including some relating to cybersecurity risks. Section 1702(c)(6) of FIRRMA had already identified “exacerbating or creating new cybersecurity vulnerabilities” as a relevant consideration for the Committee. The new EO expanded upon this, stating that CFIUS "shall consider, as appropriate, whether a covered transaction may provide a foreign person who might take actions that threaten to impair the national security of the United States as a result of the transaction, or their relevant third-party ties that might cause the transaction to pose such a threat, with direct or indirect access to capabilities or information databases and systems on which threat actors could engage in malicious cyber-enabled activities affecting the interests of the United States or United States persons." Sec. 3(b)(ii). (That sentence is really hard to parse; the core is “whether a covered transaction may provide a foreign person … with direct or indirect access to capabilities or information databases or systems on which threat actors could engage in malicious cyber-enabled activities.”) The EO went on to say that CFIUS "shall also consider, as appropriate, the cybersecurity posture, practices, capabilities, and access of both the foreign person and the United States business that could allow a foreign person who might take actions that threaten to impair the national security of the United States as a result of the transaction, or their relevant third-party ties that might cause the transaction to pose such a threat, to manifest cyber intrusion and other malicious cyber-enabled activity within the United States." The EO also spelled out factors relating to national security concerns surrounding access to personal data that might be implicated by a transaction." Section 3(b)(iii). One section of the EO may represent a significant expansion in the scope of CFIUS review: In language applicable to all covered transactions, the EO noted that a series of acquisitions in the same, similar, or related United States businesses may result in a particular transaction giving rise to a national security risk when considered in the context of transactions that preceded it. Therefore, the EO directed CFIUS to consider, as part of the Committee’s review of a covered transaction, the risks arising from the covered transaction in the context of multiple acquisitions or investments. Sec. 3(a)(ii).
16.4 Limits on Foreign Participation in the U.S. Telecom Sector (Team Telecom)
The book notes that, in 2020, Team Telecom recommended that the FCC revoke and terminate China Telecom (Americas) Corp.’s authorizations under section 214 of the Communications Act to provide telecommunications services to and from the U.S. In October 2021, the Commission acted, adopting an order ending China Telecom’s ability to provide domestic interstate and international telecommunications services within the United States. China Telecom (Ams.) Corp., FCC No. 21-114 (rel. Nov. 2, 2021). The order found that China Telecom Americas, as the U.S. subsidiary of a Chinese state-owned enterprise, is subject to exploitation, influence, and control by the Chinese government. This raised significant national security and law enforcement risks by providing opportunities for China Telecom Americas, its parent entities, and the Chinese government to access, store, disrupt, and/or misroute U.S. communications, which in turn allowed them to engage in espionage and other harmful activities against the United States. The FCC concluded that there were no mitigation measures that would address these significant national security and law enforcement concerns. It didn’t help China Telecom Americas that the Commission found the company had willfully violated two of the five provisions of its 2007 Letter of Assurances with the Executive Branch agencies, compliance with which was an express condition of its international section 214 authorizations. The order is due to take effect on January 3, 2022.
China Telecom Americas petitioned the Court of Appeals for review of the FCC decision. China Telecom (Americas) Corp. v. FCC, No. 21-1233 (D.C. Cir.). On December 2, 2021, the court denied the company’s motion to stay the agency’s order. A year later, the court denied China Telecom’s petition for review. China Telecom (Ams.) Corp. v. FCC, No. 21-1233 (D.C. Cir. Dec. 20, 2022). See also the companion proceeding, U.S. v. China Telecom (Americas) Corp., No. 21-5215, (D.C. Cir. Dec. 20, 2022).
Other similar revocations:
China Unicom Americas (rel. Feb. 2, 2022).
Pacific Networks & ComNet (adopted Mar. 16, 2022)
The authority of Team Telecom extends beyond communications services involving foreign control. Under 47 U.S.C. § 34, no person (even a purely domestic company) may land or operate in the United States any submarine cable directly or indirectly connecting the United States with any foreign country, unless a written license to land or operate such cable has been issued by the President of the United States. Under 47 U.S.C. § 35, the President may withhold or revoke such license after due notice and hearing if doing so will maintain the rights or interests of the United States or of its citizens in foreign countries, or will promote the security of the United States.
Thus, a proposal by Google and Meta/Facebook and their cable subsidiaries to build and operate an undersea fiber optic cable system connecting the United States, Taiwan, and the Philippines required a license and this brought in Team Telecom. In December 2021, after negotiations, Team Telecom entered into National Security Agreements (NSAs) with the companies and Team Telecom recommended that the Federal Communications Commission condition any license to operate the system on compliance with the NSAs. In a rare move, the Justice Department posted the NSAs, giving insight into the types of conditions the government demands. See agreement with Meta and its cable sub; agreement with Google and its sub. Provisions include the authority of the U.S. government agencies to approve all principal equipment used in the system; the authority to approve the policies, which the companies are required to have, for logical and physical security of the system; the authority to approve all employees working on the system; detailed breach notice requirements; what looks like a kill switch (“Edge USA will have the ability to promptly and effectively interrupt, in whole or in part, traffic to and from the United States on the U.S.-Philippines Segment within twenty-four (24) hours of notice by disabling or disconnecting circuits at the U.S. cable landing station or at other locations within the United States.”); and a requirement to “make communications to, from, or within the United States, as well as records thereof, available in a form and location that permits them to be subject to a valid and lawful request or legal process in accordance with U.S. law.”
Note: On page 493, the book incorrectly refers to the agreements that Team Telecom enters into setting license conditions as “Network Security Agreements.” They are in fact called National Security Agreements.
16.5.1. 1 NDAA Provisions Aimed at Huawei and ZTE
Resources on Section 889 are compiled at https://www.acquisition.gov/FAR-Case-2019-009/889_Part_B.
16.5.1.4 Secure and Trusted Communications Networks Act
On March 12, 2021, pursuant to the Secure and Trusted Communications Networks Act, the FCC published a list of communications equipment and services (Covered List) that are deemed to pose an unacceptable risk to the national security of the United States or the security and safety of United States persons. The initial designation covered telecommunications equipment produced or provided by Huawei and ZTE as well as video surveillance and telecommunications equipment from Hytera, Hangzhou Hikvision, and Dahua Technology Company. FCC Public Notice, Public Safety and Homeland Security Bureau Announces Publication of the List of Equipment and Services Covered by Section 2 of the Secure Networks Act, WC Docket No. 18-89 (Mar. 12, 2021).
In March 2022, the FCC added equipment and services from three more companies to the list: AO Kaspersky Lab, China Telecom (Americas) Corp, and China Mobile International USA Inc. The additions of China Telecom and China Mobile International were foregone conclusions, given the Commission’s determination, based on Team Telecom recommendations, to deny or revoke the companies’ authorizations to offer services in the U.S., as described in Chapter 16.4. However, the listing of cybersecurity provider Kaspersky was unique. It was based on a Binding Operational Directive (BOD) issued by the Department of Homeland Security in 2017 that required federal agencies to remove “Kaspersky-branded products” from federal information systems. The FCC interpreted that directive as a “determination” under the Secure and Trusted Communications Networks Act: “we interpret the BOD to be a finding from the Department of Homeland Security that Kaspersky-branded products pose an unacceptable risk to the national security of the United States.” The addition of equipment and services to the Covered List has the relatively narrow effect of prohibiting use of federal telecommunications subsidy funds to purchase covered equipment or services.
As noted in the book, in December 2020, in its Second Report and Order in the Supply Chain docket, the Commission created the Secure and Trusted Communications Networks Reimbursement Program (Reimbursement Program) to reimburse providers of advanced communications services for costs reasonably incurred in removing, replacing, and disposing of communications equipment and services in their networks that pose an unacceptable risk to national security and the security and safety of United States persons.
In the Consolidated Appropriations Act for FY 2021, Pub. L. No. 116–260, § 901, 134 Stat. 1182, Congress appropriated $1.895 billion for the Reimbursement Program and provided additional guidance for and directed changes to several of its provisions.
Specifically, Congress amended section 4(b)(1) of the Secure Networks Act to increase the eligibility criteria for participation in the Reimbursement Program from those providers of advanced communications service with two million or fewer customers to those with 10 million or fewer customers. Congress also amended section 4(c) of the Secure Networks Act to limit the use of reimbursement funds “solely for the purposes of permanently removing covered communications equipment or services . . . as identified in the [2019 Supply Chain Order and Designation Orders].” The appropriations act amended section 4(c)(2)(A) of the Secure Networks Act to prohibit Reimbursement Fund recipients from using these funds to remove, replace, or dispose of any equipment or services purchased after June 30, 2020, and also established a different prioritization scheme than the one adopted by the Commission in the 2020 Supply Chain Order to help the Commission allocate money appropriated for the Reimbursement Fund if demand exceeded available funds. Finally, the FY 2021 appropriations act amended section 9(10) of the Secure Networks Act by changing the definition of “provider of advanced communications service” to include educational broadband providers and certain schools and libraries that provide broadband service.
In a July 2021 Report and Order, the FCC incorporated those changes into its Reimbursement Program rules. See FCC, Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs, Third Report and Order (adopted July 13, 2021).
[New subchapter:] 16.5.1.5 Further FCC Action Against Foreign-Made Equipment
As explained in the book, the FCC’s Supply Chain proceeding, Docket No. 18-89, which began in 2018, has merged with the process established by Congress in the Secure and Trusted Communications Networks Act of 2019. In the immediate term, both are aimed at prohibiting use of Universal Service Funds to purchase Huawei and ZTE equipment and at managing and funding the rip and replace efforts to subsidize removal of such equipment. The full name of what is referred to in the book as the Supply Chain proceeding is indicative of its scope: “Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs” (emphasis added).
In June 2021, the FCC took a further step, opening a proceeding aimed at preventing equipment from being authorized for sale in the U.S. if the manufacturers are barred from participating in other FCC programs for national security reasons. Again, the name of the proceeding is revealing: “Protecting Against National Security Threats to the Communications Supply Chain through the Equipment Authorization Program” (emphasis added) This makes sense: If equipment has been deemed a national security threat for purposes of the Universal Service Fund, it shouldn’t be allowed into the networks at all. At the same time, the Commission opened a linked proceeding entitled “Protecting Against National Security Threats to the Communications Supply Chain through the Competitive Bidding Program,” aimed at bidding for Commission spectrum licenses.
Then in November 2021, President Biden signed Pub. L. 117-55, the Secure Equipment Act of 2021, mandating that the FCC do what it was already proposing in the Equipment Authorization rulemaking: to adopt a rule clarifying that it will no longer review or approve any authorization application for equipment authorization for equipment that is on the Covered List of communications equipment or services published by the Commission under section 2(a) of the Secure and Trusted Communications Networks Act of 2019 (47 U.S.C. 1601(a)).
In November 2022, the FCC issued a Report and Order revising its equipment authorization program to prohibit authorization of equipment that has been placed on the Commission’s Covered List, thereby prohibited the marketing and importation of such equipment in the United States. The Report and Order begins with a lengthy and very useful summary of interrelated Congressional, Commission, and Executive Branch actions. The ruling also addressed what constitutes “covered” equipment for purposes of implementing the equipment authorization. The Commission took no final action on the competitive bidding issue, instead seeking further comment on it.
16.5.2 Ban on Foreign Equipment in the Bulk Electric Power System
On December 17, 2020, the Secretary of Energy issued a Prohibition Order invoking the authority of President Trump’s EO 13920. The order prohibited a limited number of utilities from acquiring, importing, transferring, or installing certain bulk electric power system equipment manufactured or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the People's Republic of China.
As noted in the book at the beginning of this subchapter, on January 20, 2021, President Biden suspended EO 13920 for 90 days. See EO 13990, Protecting Public Health and the Environment and Restoring Science to Tackle the Climate Crisis. As the December 2020 Prohibition Order was predicated on the authorities delegated to DoE by EO 13920, the Prohibition Order was also suspended during this same time period. After the EO 13920 suspension had expired, the Secretary revoked the December 2020 Prohibition Order entirely, effective April 20, 2021. DoE, Revocation of Prohibition Order Securing Critical Defense Facilities, 86 Fed. Reg. 21308 (Apr. 22, 2021). E.O. 13990 also directed the Secretary of Energy and the OMB director to “jointly consider whether to recommend that a replacement order be issued.”
EO 13920 remains in effect, but on hold pending the DoE/OMB recommendation on a replacement order, which is also tied to the outcome of the review initiated by EO 14017 and a related DoE Request for Information (RFI), described immediately below. See A Clean Slate for Executive Order 13920: The Bulk Power Order, JD Supra (May 3, 2021). However, in announcing the RFI, the Secretary of Commerce stated that “the Department expects that, during the period of time in which further recommendations are being developed, utilities will continue to act in a way that minimizes the risk of installing electric equipment and programmable components that are subject to foreign adversaries’ ownership, control, or influence.”
In February 2021, the Biden Administration initiated a process taking a different direction from the approach of the Trump EO on the electric grid. On February 24, President Biden issued EO 14017, America’s Supply Chains, 86 Fed. Reg. 11849. Rejecting, at least temporarily, the Trump Administration’s singular emphasis on cyber threats, and putting off any equipment bans indefinitely, the Biden EO directed multiple agencies to prepare reports on supply chain threats in many different sectors considering all threats, including not only cyber, but also the defense, intelligence, homeland security, health, climate, environmental, natural, market, economic, geopolitical, human-rights or forced-labor risks or other contingencies that may disrupt, strain, compromise, or eliminate the supply chain—including risks posed by supply chains' reliance on digital products that may be vulnerable to failures or exploitation, and risks resulting from the elimination of, or failure to develop domestically, the necessary manufacturing capabilities. With respect to the energy sector, EO 14017 directed the Secretary of Energy to submit a report and make recommendations within one year on supply chain risks for the energy sector industrial base (as determined by the secretary).
On April 20, 2021, in support of the department’s considerations for a replacement to EO 13920, the Department of Energy issued a request for information from electric utilities, academia, research laboratories, government agencies, and other stakeholders. DoE, Notice of Request for Information (RFI) on Ensuring the Continued Security of the United States Critical Electric Infrastructure, 86 Fed. Reg. 21309 (Apr. 22, 2021). Comments were due on June 7, 2021.
16.5.3 Initial Efforts Aimed at Foreign-Made Unmanned Aircraft Systems
In 2018, well before E.O. 13981, DoD issued a ban on the purchase and use of all commercial off-the-shelf drones, regardless of manufacturer, due to cybersecurity concerns. The following year, Section 848 of the Fiscal Year 2020 National Defense Authorization Act, Pub. L. 116–92, 133 Stat. 1198, 1508, prohibited the secretary of defense from operating or procuring any unmanned aircraft system manufactured in China or by an entity domiciled there. The ban further covers any unmanned aircraft system that uses flight controllers, radios, data transmission devices, cameras, or gimbals manufactured in China or by an entity domiciled there; ground control systems or operating software developed in China or by an entity domiciled there; or network connectivity or data storage located in or administered by an entity domiciled in China. The ban also covers any system manufactured in China or by an entity domiciled there for the detection or identification of unmanned aircraft systems. The Secretary of Defense may waive the restriction on a case by case basis by certifying in writing to the congressional defense committees that the operation or procurement is required in the national interest of the United States.
Under Section 848, “the Secretary of Defense is exempt from the restriction [on using covered systems] if the operation or procurement is for the purposes of— (1) Counter-UAS surrogate testing and training; or (2) Intelligence, electronic warfare, and information warfare operations, testing, analysis, and training.” According to a July 2021 DoD statement, U.S. Special Operations Command (USSOCOM) has purchased commercial off-the-shelf drone technology consistent with Section 848 of the FY20 NDAA and E.O. 13981. According to the statement, “USSOCOM has accounted for cybersecurity concerns in all purchased systems through a rigorous review process, strict adherence to the usage guidelines, and other applicable risk mitigation measures.”
In January 2021, the GSA announced that it was removing all drones as defined by 49 USC Ch. 448 from Multiple Award Schedules (MAS) contracts, except those drones approved by the Department of Defense Defense Innovation Unit through its Blue sUAS Program. The move made it very difficult if not impossible for U.S. government agencies to purchase Chinese-made drones. Interestingly, the GSA cited as the basis for its decision the risk of non-compliance with existing procurement law, specifically the Trade Agreements Act and Section 889 of the NDAA for FY19.
16.6 Other Supply Chain Measures
On February 24, 2021, President Biden issued Executive Order 14017, America’s Supply Chains. The E.O. addresses not just cybersecurity. Instead, it situates cyber-attacks within a spectrum of other concerns that includes biological threats, climate shocks and extreme weather events, terrorist attacks, geopolitical and economic competition, and “other conditions can reduce critical manufacturing capacity and the availability and integrity of critical goods, products, and services.” The order directed White House staff and heads of four agencies to conduct a 100-day review of supply chain risks, focused on specific items, including semiconductors and pharmaceuticals, but not including ICT. The order also required, within one year, a separate set of supply chain assessments for specified sectors and subsectors. Within this second set of reports, the President ordered one from the Secretary of Commerce and the Secretary of Homeland Security “on supply chains for critical sectors and subsectors of the information and communications technology (ICT) industrial base … including the industrial base for the development of ICT software, data, and associated services.” Of course, other assessments, such as one by the Secretary of Agriculture on supply chains for the production of agricultural commodities and food products, should also include consideration of cyber-risks, especially in light of the late May 2021 ransomware attack on a major meat processor. Each report must contain specific policy recommendations for ensuring a resilient supply chain for the sector. In addition, senior White House advisors are directed to present, as soon as practicable following the submission of the one-year reports, their recommendations concerning reforms needed to make supply chain analyses and actions more effective, including statutory, regulatory, procedural, and institutional design changes.
On August 26, 2021, effective September 27, 2021, the Federal Acquisition Security Council finalized the interim rule referred to in the book. The rule prescribes mandatory information-sharing criteria for Federal agencies, but establishes only voluntary information sharing procedures for non-Federal entities to share information with the FASC. The rule establishes procedures for the exercise of the FASC’s authorities to recommend issuance of removal and exclusion orders to address supply chain security risks.
[New subchapter:] 16.7 State Law Limits on Foreign Participation in U.S. Infrastructure
With the 2021 adoption of the Lone Star Infrastructure Protection Act, S.B. 2116, Texas got into the business of limiting foreign involvement in critical infrastructure. The Act added a new Chapter 113 to Title 5, Subtitle C of the Business and Commerce Code stating: “A business entity may not enter into an agreement relating to critical infrastructure in this state with a company: (1) if, under the agreement, the company would be granted direct or remote access to or control of critical infrastructure in this state, excluding access specifically allowed by the business entity for product warranty and support purposes;” and (2) if the business knows that the company is (A) owned, or a majority of its stock is controlled, by (i) citizens of China, Iran, North Korea or Russia or (ii) a company or other entity owned or controlled by the citizens or government of China, Iran, North Korea or Russia or (B) headquartered in of China, Iran, North Korea or Russia.
The group of listed countries can be added to by designation of the governor.
The statute defines critical infrastructure as “a communication infrastructure system, cybersecurity system, electric grid, hazardous waste treatment system, or water treatment facility.” The statute also amended the Texas Government Code to add a new Chapter 12274 prohibiting any governmental entity from entering into a contract relating to critical infrastructure in Texas with a company meeting criteria that are the same as those laid out in the new Chapter 113.
Last updated: Nov. 20, 2024.
Photo: “The Allegory of Good Government," by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.