Thursday, January 28, 2021

U.S. National Security Regulation of Information Technology Supply Chains and IT Infrastructure as a Service: (CFIUS-Style National Security Review for Cloud Computing, Software, Hardware, SaaS, IoT and Other Tech-Enabled Devices)

Regulation of IT Supply Chain after January 19, 2021 and after SolarWinds

On January 19, 2021, as a final act of the departing Trump administration, the Department of Commerce published an interim final rule (the “Rule”) and President Trump signed an Executive Order (the “Order”) to regulate U.S. information technology (“IT”) companies in transactions with foreign actors.  Entitled “Securing the Information and Communications Technology and Services Supply Chain,” the Rule is based on delegated authority under the International Emergency Economic Powers Act. The Order expands on an Executive Order issued May 15, 2019.   The Rule coincides with newspaper reports that some U.S. governmental agencies and other tech services companies downloaded malicious software from SolarWinds, a Texas tech services company reportedly with over 18,000 customers, that appears to have been hacked by foreign hackers.

Summary of New ITSC Regulation

As of January 19, 2021, any American business’s purchase of Information and Communications Technology and Services (“ICTS”) from “persons owned, controlled our under the jurisdiction or direction” of a “foreign adversary” is subject to a Commerce Department review for national security and critical dependency risks.  The Rule covers all ICTS Transactions where the tech or services are “designed, developed, manufactured or supplied” by such persons.  The Rule seeks to protect the American IT supply chain (“ITSC”).  No exemptions apply, regardless of your company’s size, industry or activities.  

The 2021 ITSC Rule follows the policies reflected in the 2018 amendments to laws governing virtually all foreign acquisitions of U.S. tech companies, under scrutiny for national security by the Committee on Foreign Investment in the United States (“CFIUS”).  To avoid duplication, the Rule states it does not apply to ICTS Transactions that CFIUS is actively reviewing, unless the ICTS Transaction is distinct from a CFIUS-reviewed transaction.  Like the CFIUS review process, the Commerce Department can identify a mechanism and relevant factors for the negotiation of agreements to mitigate concerns raised in connection with the Order.

The ITSC Rule

Scope of ITSC Transactions

Virtually every digital service and product is covered, regardless whether it handles a single computer, a computer network, cloud service, telecommunications switches or just individual product data.

Definition of ICTS.  The Rule defines “Information and communications technology or services or ICTS” to mean “any hardware, software, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.”

Definition of ICTS Transaction.  Under the Rule, “ICTS Transaction” means any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download. An ICTS Transaction includes any other transaction, the structure of which is designed or intended to evade or circumvent the application of the Executive Order.”

Broad Scope.  In its preliminary discussion of ITSC vulnerabilities, the Commerce Department clearly intended to include SaaS (software as a service), Infrastructure as a Service, Cloud data storage and computing, IoT Internet-devices embedded in consumer goods, mobile phones and their Apps, Web browsers, drones and networked surveillance cameras.  

“Foreign Adversaries.”  The list of “foreign adversaries” consists of the following foreign governments and non-government persons: the People's Republic of China, including the Hong Kong Special Administrative Region; the Republic of Cuba; the Islamic Republic of Iran; the Democratic People's Republic of Korea; the Russian Federation; and Venezuelan politician Nicol├ís Maduro (Maduro Regime).

Effective Date of Rule

The Rule applies to any ICTS Transaction that is initiated, pending, or completed on or after January 19, 2021.  Further, any act or service with respect to an ICTS Transaction, such as execution of any provision of a managed services contract or installation of software updates, is an ICTS Transaction on the date that the service or update is provided.

Future Compliance Impact

The ITSC Rule imposes potentially costly compliance obligations for risk identification, assessment and regulatory licensing.  The Rule serves as a boycott of technologies from “foreign adversaries” unless approved by a Commerce Department license.  There are civil and criminal penalties, but prosecution of millions of small businesses is not practical.  Assuming the Biden Administration pursues the Rule, the scope will change the landscape for everyone, including our foreign trading partners, with potential retaliation by “foreign adversaries.”

If implemented, the ITSC Rule will likely generate a hornet’s nest in the business world and international politics.  But the reported SolarWinds hacking supports the logic of greater transparency in IT supply chains.

ICT Company Burdens.
  ICT providers will need to verify countries of origin and give warranties about their extended ICT supply chains.  Even absent a legal requirement, there will be an increased need to document supply chain risk management analysis in the event an ITSC transaction is investigated by the Commerce Department.  ICT services companies must now identify the nationality, origin, foreign control and sensitivity of data that flow through their digital infrastructures.   

Corporate Governance.  Corporate boards, officers, purchasing and procurement departments and strategic planners will need to identify the risks across a potentially multi-layered IT supply chain.  How much should a board spend on verification?  Is an ICTS supplier’s self-certification sufficient?  Will an independent sourcing audit become the norm?  What should be the policy, the process and the budget?

Information Governance.  New Information Governance ("IG") policies and procedures will be needed for ITSC risk management and regulatory licensing compliance.

Privacy and Cyber-Security Risk Management.  The ITSC Rule will highlight special risk management procedures, and perhaps insurance, that relate to compliance with privacy laws, such as the California Consumer Privacy Act (to be replaced in 2023 by a Consumer Privacy Rights Act) and potentially EU’s GDPR and draft Digital Services Act.

Antitrust and Competition Law.  If Google or other dominant market player were to insist that its European subsidiaries buy only from suppliers complying with the ITSC Rule, that would have the effect of exporting American ITSC risk management compliance.  Foreign local suppliers sourcing from a “foreign adversary” would be barred.  This would be a secondary boycott unless a Commerce Department license were granted.

Best Practices for Vetting: Know Your IT Service Provider.  If they don’t already do so, enterprise customers will include an ITSC Transaction questionnaire in their requests for proposals, requests for quotations and master services agreements.  ICT agreements will include warranties and rights to audit and inspect supply chain information.  Chief Information Security Officers (CISO’s) will push for more certifications by “ethical hackers” -- independent third party testers of malware – and perhaps even direct testing.

Redrawing Supply Chains and Strategic Alliances.  Geographic and national security issues will translate into modifications in supply chains, starting with digital business models and leading into all enterprise strategic alliances, global business services, outsourcing services providers and shared services centers.  Procurement and IT departments will also examine the impact across strategic sourcing, supplier management, assessment of third party risks, artificial intelligence and robotic/intelligent process automation.

M&A and Corporate Finance.  New representations and warranties will appear in die diligence and documentation for business valuation, corporate finance and M&A transactions.

Audits.  Accountants will require ITSC audits before certifying or commenting on financial statements, which could include disclaimers as to an entity’s viability due to “incomplete” ITSC disclosures.

Cyber-risks, Hacking, Cyber-Security and Privacy.  The new Rule concerns national security, digital security, privacy and extortion.  “This [potential] data exfiltration—supported by U.S. web data hosting and storage servers—threatens to allow foreign adversaries to exploit Americans' personal and proprietary information by allowing a foreign adversary to track the locations of Americans, build dossiers of sensitive personal data for blackmail, and conduct corporate espionage from inside the borders of the United States.” Cyber-insurance policies will need to be revised to impose underwriting constraints and higher premiums on non-conforming insured enterprises.

International Trade Agreements.  In light of the reported SolarWinds hacking, President Biden will need to decide how stringently to enforce the Trump administration’s ICTS Rule.  New trade agreements might create group action against the same “foreign adversaries.”  Conflicts with allies may arise as to ICT products designed or manufactured in a trade ally country by a subsidiary from a “foreign adversary.”  For example, the Chinese tech company Huawei is planning to build 5G telecom products in France, potentially for sale to other trade allies.

How to Get a Department of Commerce License.  

Assuming a company plans to update or sign up for any "foreign adversary" technologies, a license will be needed.  To afford parties greater certainty, the Commerce Department intends to publish, within 60 days after January 19, procedures to allow a party or parties to a proposed, pending, or ongoing ICTS Transaction to seek a license.  Implementation is scheduled within 120 days after January 19.  The change from President Trump to President Biden will determine how this Rule plays out in March and May 2021.

This summary is not legal advice.  These matters are subject to change.  If you have any questions or comments, please feel free to contact us. (C) 2021 W.Bierce.