The Department of Commerce has come up with rules--and is seeking comment on them--to implement President Donald Trump's Executive Order last May directing the U.S. to block tech transactions--like, say, sales of chips to Huawei--that pose an undue risk to the supply chain.
With the race to 5G, cybersecurity of the supply chain has become top of mind in D.C., particularly when it comes to Chinese telecoms that hold big shares of the market but have been identified as potential security threats.
Commerce will take a case-by-case approach and have an appeal/mitigation process, except when pressing national security interests do not allow for that.
The President issued the order back in May, when he declared the threat to the tech supply chain by foreign actors a national emergency.
"The Secretary has chosen to adopt a case-by-case, fact-specific approach to determine which transactions must be prohibited, or which can be mitigated, according to the requirements in the Executive Order," Commerce said in announcing the proposed approach. "The Secretary will use assessments developed by the Secretary of Homeland Security and the Director of National Intelligence pursuant to the Executive Order, among other things, to inform his evaluation of ICTS transactions.
"While Executive Order 13873 empowers the Secretary immediately to prohibit or mitigate ICTS [Information and Communications Technology and Services] transactions that pose the risks identified in the Executive Order, the proposed rule sets forth procedures the Secretary will follow, except in instances where the risk of public harm or national security interests require a deviation from such procedures. Under the proposed rule, if the Secretary makes a preliminary determination, in consultation with other Federal agencies, to prohibit or mitigate a transaction, the Secretary will provide notice to the parties engaged in the transaction. Notified parties will have an opportunity to submit a position, which may include proposed measures for mitigation, prior to any final determination issued by the Secretary. The Secretary will provide an unclassified, written final determination provided to the parties that, to the extent possible, explains how the decision is consistent with the terms of the Executive Order, and, as appropriate, a summary of the final determination will also be made publicly available."
The President's order gave Commerce 150 days to write rules on reviewing any transaction pending or completed by the order date--May 15, 2019--involving information or communications technology crucial to critical infrastructure and subject to control by a "foreign adversary" and thus posing a national security threat.
More specifically, that involves "ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, if such transactions pose: an undue risk of sabotage or subversion of ICTS in the United States; an undue risk of catastrophic effects on the security and resiliency of critical infrastructure or the digital economy in the United States; or an unacceptable risk to national security or to the security and safety of U.S. persons."
USTelecom was pleased that Commerce will take a case-by-case approach to identifying transactions that should not be allowed, and that it is seeking industry comment before implementing the rules.
"Given the weightiness and sheer complexity of this issue, we appreciate the Commerce Department accepting our recommendation to seek industry comment before establishing interim final rules, a process that should reduce the risk of unintended consequences and advance the shared goal of securing our communications supply chain and protecting consumers," said Robert Mayer, senior vice president, cybersecurity, at USTelecom. "We are especially encouraged the Department has already adopted a process to determine whether a transaction meets the requirements of the Executive Order on a case-by-case, fact-specific basis."
The Commerce framework comes just days after the FCC voted to prohibit broadband subsidy money from going to carriers using tech from Chinese telecoms Huawei and ZTE, as well as other suspect tech, in their networks.