Using a Sanctions Framework to Fix the ICTS Executive Order
The Commerce Department should restructure the ICTS rules to adopt a sanctions framework by creating a new list of entities that would be prohibited from selling ICTS into the U.S. market.
Published by The Lawfare Institute
in Cooperation With
At the start of the Biden administration, the president made a consequential decision to retain the Executive Order on Securing the Information and Communications Technology and Services Supply Chain, which was issued by President Trump and prohibits the import of information and communications technology and services (ICTS) from foreign adversaries. The executive order and its implementing regulations (together, the ICTS rules) are a critically important effort to prevent capable foreign cyber actors, notably China and Russia, from exploiting the open nature of the U.S. ICTS market. Notwithstanding this strong security rationale, the industry has heavily criticized the ICTS rules as overly broad and vague. To address these concerns, the Department of Commerce, the agency that leads the implementation of the ICTS rules, committed to implement a voluntary licensing process, which would allow transacting parties to apply for preapproval of their ICTS transactions. The objective of the licensing process is to provide certainty to transacting parties, allowing them to engage in nonrisky, commercially beneficial ICTS transactions without fear that the government will seek to unwind or ban the transactions in the future.
While laudable in intent, establishing a licensing regime based on the current structure of the ICTS rules is likely to fail. This is simply a matter of numbers. According to the Commerce Department’s own assessments, up to 4.5 million firms may engage in ICTS transactions on a regular basis. Opening up a licensing process for any—or all—of these firms would likely lead to an unmanageable flood of applications, forcing the department to divert its extremely limited resources to processing licenses for ICTS transactions that may not present any genuine national security risks. The department will inevitably be pressured to narrow the scope of the ICTS rules in order to effectively manage the licensing process, which would erode the national security benefits of the rules.
To address these challenges, the Commerce Department should restructure the ICTS rules to adopt a sanctions framework by creating a new list of entities that would be prohibited from selling ICTS into the U.S. market. In other words, this could function as an ICTS sanctions list. An ICTS sanctions approach would mirror the regulatory structure of existing U.S. sanctions authorities, preserving the broad authority and discretion of the government to respond to evolving threat and technology environments. A designations process for listing sanctioned ICTS entities, along with the scope of ICTS transactions subject to a prohibition, would provide much needed certainty to the private sector. This approach avoids the need for a resource-intensive, generally available voluntary licensing process, as the ICTS designations list would provide bright line rules around which transactions are or are not prohibited.
Plugging the Gap in Authorities
The ICTS rules address an urgent need to fill gaps in the U.S. government’s ability to prevent foreign cyber actors from exploiting ICTS sold in the U.S. market. Importation of information and communications technology goods and services is generally unrestricted under the United States’ open market system. The United States does implement certain targeted restrictions for national security purposes, including screening of foreign investments, controls on the export of sensitive technology, and licensing for the provision of international telecommunications services and submarine cables landing in the United States. Prior to the ICTS executive order, however, none of the existing authorities squarely addressed risks associated with the imports of ICTS that may be corrupted by foreign adversaries. Notably, the United States had no direct authority to prohibit Huawei from selling 5G equipment into the U.S. market, though U.S. authorities took a number of other measures that restricted Huawei’s commercial activity with U.S. entities. The intent of the executive order was to provide an additional layer of defense, supplying the government with an authority to prohibit the narrow set of ICTS transactions that present a high risk to U.S. national security and are otherwise unreachable under U.S. law.
How the ICTS Rules Work Now
The ICTS executive order sets out a three-part test to determine whether an ICTS transaction—or class of ICTS transactions—is prohibited. The implementing regulations set out broad parameters for how this three-part test will be interpreted by the government, but ultimately the secretary of commerce will assess on a case-by-case basis whether an ICTS transaction meets the criteria. Each of these criteria is intentionally designed to preserve maximal discretion for the Commerce Department and to ensure that any ICTS transaction that may present risk is subject to the rules.
First, the transaction must involve ICTS, broadly defined as any technology product or service used for the purpose of “information or data processing, storage, retrieval, or communication by electronic means, including transmission, storage, and display.” The implementing regulations provide further guidance on six categories of ICTS of particular interest, while carving out handsets from the rules. The regulations should be interpreted as mildly helpful guidance rather than a meaningful narrowing of the scope of jurisdiction, given that the six categories themselves are immensely broad and include categories such as “critical infrastructure” and “software designed to connect with or communicate over the internet.”
Second, the ICTS involved in the transaction must be “designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.” The implementing regulations adopted a country-based approach to listing foreign adversaries, determining that China and Russia, among other named countries, are foreign adversaries for the purposes of the ICTS rules. The regulations did not establish clear guidance on how transacting parties should evaluate whether or not they are “owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.” For example, the rule does not clarify frequent scenarios that arise in the context of cross-border transactions, such as minority ownerships, passive investment stakes and joint ventures. As a result, companies that have any part of their ICTS supply chain in a foreign adversary country must operate on the assumption that their ICTS transactions are subject to this rule.
Third, the ICTS transaction must present an undue risk to the integrity or resiliency of U.S. ICTS or critical infrastructure systems, or otherwise pose an unacceptable risk to the national security of the United States or the security and safety of U.S. persons. If the secretary determines that a covered ICTS transaction presents undue or unacceptable risk, the secretary may prohibit the transaction. The secretary makes this determination based on the Commerce Department’s internal investigation of specific ICTS transactions, aided by intelligence support and subpoena power. Companies do not know whether they are subject to an investigation until fairly late in the process, when the department informs them that a prohibition is under consideration and they are provided an opportunity to respond to the government’s findings, to the extent that such findings may be shared with the companies on an unclassified basis. The net effect establishes a framework that places heavy emphasis on government discretion and enforcement actions.
The Commerce Department has signaled that it intends to selectively enforce the ICTS rules and that companies generally need not worry unless they are informed that they are the subject of an investigation. Despite those assurances, companies are clearly worried about the significant amount of regulatory risk that they must assume under the ICTS rules and will therefore have a strong incentive to seek a voluntary license. That voluntary preclearance process remains unclear, as the department has not yet published draft regulations on the matter, though it has solicited comments on whether export controls or the Committee on Foreign Investment in the United States (CFIUS) presents a viable model for an ICTS voluntary licensing process. Neither of these models is likely to resolve the underlying tension among the government’s need to retain broad discretion over a vast swath of transactions, the private sector’s legitimate commercial need for certainty, and the interest that both have in an administratively efficient licensing process.
The Export Control Model
Export controls present a policy objective parallel to that of the ICTS rules, in that both regulatory systems seek to control the types of cross-border transfer of technology that companies engage in on a regular basis. To implement an ICTS licensing process comparable to that under export controls, the Commerce Department would need to develop a rulebook that is similar to the Commerce Control List (CCL). The CCL lists technical specifications of each technology controlled under the department’s export control authority, along with the licensing requirements for each technology. A significant challenge in crafting an ICTS analogue to the CCL is that many of the ICTS included would be standard commercial items, rather than items that have advanced performance characteristics or potential military applications as are included in the CCL. The ICTS list would have to include any item that is potentially corruptible by a foreign adversary, which is predominantly a function of who controls the supply chain rather than the technical characteristics of the item.
Another challenge is that the idea of a voluntary licensing process is inherently at odds with the structure of export control license requirements, which mandate that the technology export cannot proceed absent affirmative approval from the government. To fully adopt an export control licensing process, the Commerce Department would need to establish mandatory licensing requirements for particular classes of ICTS, rather than establishing a process in which companies can pick and choose when they apply for a license on a voluntary basis. Establishing a complex new control list with the accompanying licensing policies would be an intensive, multiyear process and would result in tens of thousands of license applications annually. It also is inconsistent with the Commerce Department’s current approach of prioritizing select enforcement actions while maintaining broad discretion to investigate other transactions in the future. Perhaps for these reasons, the department appears disinclined to adopt an export control licensing model.
The CFIUS Model
The CFIUS framework for screening foreign investments is a second model for the Commerce Department to consider, though one that applies to a markedly different set of transactions than envisioned under the ICTS rules. CFIUS is a regulatory burden that transacting parties must endure only on a sporadic basis, as foreign investments that trigger CFIUS jurisdiction are infrequent events rather than part of a company’s day-to-day business. In this context, CFIUS can efficiently maintain broad jurisdiction across all sectors of the economy—including all classes of technologies—and operate a voluntary preclearance or “safe harbor” process without overwhelming the administrative capacity of CFIUS.
Applying a similar broad scope of jurisdiction and safe harbor framework to the ICTS rules is less likely to succeed, given the substantially larger number of transactions covered by the ICTS rules. Any of the up to 4.5 million companies engaging in an ICTS transaction on a regular basis will have the ability to seek review, and many will feel compelled to do so in order to gain regulatory certainty. One might reasonably anticipate license applications reaching the level of those seen under export controls—tens of thousands of applications annually—given the similarities in the types of transactions targeted. In contrast, CFIUS reviewed just over 300 transactions in 2020, reflecting the less frequent nature of foreign investment transactions. Even at enhanced staffing levels, the Commerce Department will be overwhelmed by the resulting volume of license applications, losing its ability to focus on transactions of highest risk. The department’s 2022 budget request asks for only 13 additional staff for ICTS rules implementation, which would fall far short of the level of effort required to implement a licensing regime. In contrast, Commerce’s export licensing process is staffed by 175-200 employees and the Department of Treasury’s CFIUS team has approximately 100 employees, though neither of these figures accounts for the significant numbers of staff in other agencies that support both processes.
To adopt a safe harbor framework that could be administered efficiently, the Commerce Department may be forced to narrow the legal scope of the ICTS rules substantially. For example, the department could promulgate further regulations to define a smaller set of ICTS transactions that are most critical for U.S. communications infrastructure or set clear quantitative thresholds (such as 51 percent ownership) to determine when an ICTS transacting party is controlled by a foreign adversary. However, narrowing the jurisdictional scope of the ICTS rules raises troubling questions about what risks would be left on the table. CFIUS, for example, recently expanded its jurisdictional scope to cover a broader range of minority ownership transactions, in response to concerns that even small ownership stakes can raise national security concerns in certain circumstances. Further guidance on the ICTS transactions of greatest concern may ameliorate the licensing crush to a certain extent, though it is unlikely to address the fundamental issue that vast numbers of transactions will remain subject to the ICTS rules.
Moving to a Sanctions Model
Given the challenges in adapting the ICTS rules to either an export control licensing or a CFIUS safe harbor model, the Commerce Department should consider whether a sanctions framework may most effectively meet the policy objectives of the ICTS rules. As currently structured, the ICTS rules focus on targeting transactions rather than entities. At the same time, the department has issued subpoenas to an unspecified number of Chinese companies and has indicated that it intends to enforce the rules selectively. This results in a mismatch between the ICTS rules as written—based on regulating large swathes of ordinary economic activity—and how the government intends to enforce the rules—by targeting a small number of bad actors. Moving to an entity-based framework similar to sanctions programs would more closely align the structure of the rules with the government’s intent.
To establish an ICTS sanctions list, the department can use its authority under the ICTS executive order to determine that particular persons are foreign adversaries, rather than making this determination on a countrywide basis as the ICTS rules currently do. This would require the department to create a list of designated entities for the purposes of the executive order. When the Commerce Department designates an entity, it can then also identify the scope of ICTS transactions for which U.S. persons would be prohibited from engaging with the designated entity. For example, an ICTS sanctions listing could involve designating Huawei as an ICTS sanctioned entity and prohibiting the acquisition, importation, transfer, installation, dealing in or use of any Huawei router equipment. Thus, the listing process involves both an entity designation and a scoping of the transactions prohibited pursuant to the designation. This designation process would not be limited to prohibiting transactions on a case-by-case basis, as the current ICTS rules are constrained to do and that may result in uneven enforcement actions across the range of U.S. companies that may be engaging in ICTS transactions with foreign adversaries. Instead, prohibitions would holistically apply to any current or future transactions involving the designated ICTS entity and the ICTS transactions listed in the designation. As intelligence reporting and the government’s risk assessments warrant, additional entities or types of technologies can be added to the ICTS designations list.
This approach also eliminates the need for a cumbersome and unworkable voluntary licensing process. The designation process provides the private sector bright lines rules for which transactions are prohibited, thus reducing the uncertainty that has so troubled the private sector under the current structure of the ICTS rules. The department should retain the flexibility to issue general and specific licenses, though these licenses will be fundamentally different in nature than the voluntary preclearance licensing process currently envisioned by the Commerce Department. Under the sanctions-based approach, licensing will be limited to providing exceptions to transactions that are otherwise prohibited under an ICTS sanctions designation. For example, a temporary license could be used to allow U.S. companies to smoothly transition away from the products of the ICTS designated entity as part of their natural technology replacement cycle rather than forcing them to undertake a disruptive and costly rip-and-replace effort. While administration of an ICTS sanctions program will still be resource intensive, the Commerce Department’s limited resources can be put to better use by focusing on intelligence gathering, investigations, and enforcement rather than the unnecessary processing of thousands of voluntary license transactions of ICTS transactions that may not present national security concerns.
The ICTS sanctions approach should incorporate certain elements of the existing ICTS rules related to due process and enforcement. The current rules provide companies subject to an investigation with the ability to respond to unclassified information on which the government relied to make a determination. Companies should have a similar ability to respond to an ICTS sanctions designation, as a matter of due process and to ensure that government designations are made using the best possible information. The Commerce Department should establish processes for regular engagement with the private sector to understand the economic impacts of a designation and the full impact of a designation on complex global supply chains. For similar reasons, the department should establish a robust interagency review process, internal checks and balances, and high levels of political review to protect the integrity of the investigation and designations processes. The ICTS sanctions approach should also retain the strong enforcement teeth provided for in the ICTS rules, which ultimately derive from the International Emergency Economic Powers Act’s enforcement provisions. Persons who engage in prohibited transactions should be subject to stringent civil and criminal penalties.
The ICTS rules will be a critical part of the government’s efforts to mitigate national security risks associated with the involvement of foreign adversaries in the open U.S. economy. Reframing the ICTS rules to adopt a sanctions-based approach is the most effective way to maintain broad government discretion to address a rapidly evolving threat environment while providing U.S. firms the clarity they need to responsibly manage their complex supply chains.