Commerce Clarifies That Technology Supply Chain Rule Reaches “Connected Software Applications” But Leaves Many Questions Unanswered
December 8, 2021
The Biden Administration has taken another step in the process of implementing national security restrictions on the domestic use of foreign-made telecommunications equipment. On November 26, 2021, the Department of Commerce (“Commerce”) published a Notice of Proposed Rulemaking (“NPRM”) clarifying that “connected software applications” – “apps” in common vernacular – fall within the scope of information and communications technology and services (“ICTS”) transactions subject to Executive Order 13873, Securing the Information and Communications Technology and Services Supply Chain, and Executive Order 14034, Protecting Americans’ Sensitive Data From Foreign Adversaries. These executive orders and Commerce’s ICTS regulations empower the Secretary of Commerce to block ICTS “transactions” – which even include the mere use of technology – that pose an “undue or unacceptable threat” to national security. The NPRM does not change the basic contours of the regulatory regime, but clarifies the types of technology and services subject to the regulation, as well as factors that Commerce will consider in evaluating national security risks. Comments are due by December 27, 2021.
Clarifying that Apps are Subject to Review
The Biden Administration has continued, and at times expanded upon, Trump Administration efforts to address the perceived national security threat posed by foreign technologies. In June 2021, President Biden issued Executive Order 14034, which revoked a number of Trump-era executive orders, but maintained Executive Order 13873 and further directed the Secretary of Commerce to evaluate transactions involving connected software applications.
Under these executive orders, the Secretary of Commerce is empowered to review and block ICTS transactions. The definition of transactions is broad, and includes any “acquisition, importation, transfer, installation, dealing in, or use of any information and communication technology or service.” Notably, Executive Order 13873 and Commerce’s ICTS regulations make the mere “use” of any ICTS a covered “transaction.” Consequently, Commerce could, if it chose to, prohibit U.S. businesses and consumers from using designated foreign technologies.
Executive Order 14034 covers “connected software applications,” which it defines as “software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the internet.” The NPRM proposes to incorporate this definition into Commerce’s current ICTS regulations, but does not otherwise change the regulations’ scope. The NPRM thus serves to clarify that apps are included in the types of technology and services that could raise national security concerns.
The NPRM would also incorporate into Commerce’s regulations specific risk factors the Secretary may consider in relation to connected software applications:
- whether the transaction is owned, controlled or managed by persons that support a foreign adversary’s military, intelligence, or proliferation activities;
- whether the application can conduct surveillance that would allow a foreign adversary to access sensitive or confidential government, business, or personal data;
- ownership, control, or management by persons subject to coercion or cooptation by a foreign adversary;
- ownership, control, or management by persons involved in malicious cyber activities;
- lack of thorough third-party auditing;
- scope and sensitivity of data collected;
- number and sensitivity of users; and
- the extent to which risks can be addressed by independently verifiable measures.
The amended rule allows the Secretary to gauge a transaction’s risk by evaluating how applications protect the data that they store or transfer. By specifically highlighting the number of users potentially impacted, the type of information collected, and the presence of third-party monitoring, the new rule provides guideposts for what Commerce will consider an unacceptable risk.
In addition, Commerce specifically sought public comment on:
- whether the proposed definition of “connected software applications” is sufficient to fully identify the intended category of ICTS, including whether the category should include devices that communicate via SMS and low-power radio protocols; and
- whether the expanded criteria the Secretary may consider to assess risk are sufficient, and whether they should apply generally to ICTS transactions or only to transactions involving connected software applications.
Implications
Although the NPRM proposes technical amendments to conform with the requirements of Executive Order 14034, it sheds little light on how aggressively the government will use this authority, the types of ICTS transactions it will prioritize, how intensive the review process will be, and whether Commerce will establish a formal licensing regime. These unanswered questions continue to be of concern to industry, which has called for greater clarity on how the potentially sweeping authorities will be implemented. But for now, businesses remain in a wait-and-see posture as continued tensions with China create uncertainty regarding the government’s potential regulation of foreign technology.
O’Melveny recognizes law clerk Joshua Goode for his valuable contribution in researching and drafting this article.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Greta Lichtenbaum, an O'Melveny partner licensed to practice law in the District of Columbia, John Dermody, an O'Melveny counsel licensed to practice law in the District of Columbia and California, Rachel Chung, an O'Melveny associate licensed to practice law in New York, and Lorenzo d’Aubert, an O'Melveny associate licensed to practice law in the District of Columbia, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
© 2021 O’Melveny & Myers LLP. All Rights Reserved.