Beyond TikTok and WeChat: Industry Should Expect Action by New Commerce Department ICTS Czar

Businesses will need to keep a closer eye on their digital supply chains if they want to steer clear of looming government oversight and enforcement as part of a U.S. government push to secure the information and communications technology infrastructure from exploitation by foreign adversaries.

The Department of Commerce’s (Commerce) Office of Information and Communications Technology and Services (OICTS), housed within the Bureau of Industry and Security, was created to implement the Information and Communications Technology and Services (ICTS) Program. Under the authority of the International Emergency Economic Powers Act — which grants the president broad authority to identify and address the existence of “unusual and extraordinary threat[s] ... to the national security, foreign policy, or economy of the United States,” and particularly those that originate “in whole or substantial part outside the United States” — the ICTS Program enacts and enforces the ICTS Supply Chain Rule (the Rule), 15 C.F.R. Part 7.

The final ICTS Supply Chain Rule — effective July 17, 2023 — implements a series of Executive Orders spanning the Trump and Biden administrations, including the Trump administration’s famously enjoined orders against TikTok and WeChat transactions and culminating in EO 14034 issued by President Biden. The Executive Orders declare that the Department of Commerce may take action to mitigate the risk of transactions where:

• The transaction involves information and communications technology or services that were developed or supplied by persons controlled by or subject to the jurisdiction of a “foreign adversary”
• The transaction poses an “undue” or “unacceptable” risk to U.S. information and communications technology or services, digital infrastructure, or national security

Acting upon threat information provided by law enforcement or the intelligence community, Commerce can now elect to review and block such transactions. This expanded power covers not only future transactions, but present and ongoing ICTS activities, and gives wide discretion to the Commerce Secretary in evaluating and addressing threats from the six enumerated “foreign adversaries”: China (including Hong Kong), Russia, Iran, North Korea, Cuba, and Venezuela.

On January 22, OICTS announced that its first Executive Director would be Elizabeth “Liz” Cannon, suggesting that the office is approaching a time of rapid expansion since its inception in 2021. In particular, Cannon has been cited for extensive national security experience in both the government and corporate spaces, stating that she “look[s] forward to safeguarding our nation’s information and communications systems from foreign adversaries through an open and collaborative process.” The office’s buildup and rising profile, along with the announcement of an OICTS Executive Director and the recent finalization of the ICTS Supply Chain Rule last July, is setting off alarm bells that an increase in oversight and enforcement is around the bend.

In preparation, U.S. businesses that operate on or utilize the ICTS supply chain will want to consider the following questions:

Does my business conduct transactions along the ICTS supply chain?

If you are operating a business in today’s digital world, there is a good chance the answer to this question is “yes.” The ICTS Supply Chain Rule defines information and communications technology and services broadly, including any hardware, software, or other service “primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means.” The rule specifically notes that “apps” are included, as well as cloud-computing services and “connected software applications.” Connected software applications encompass software, a software program, or a group of such programs, designed to be used on an “end-point computing device” and be able to collect, process, or transmit data via the internet.

Further, the regulations take a broad view of what it means to “transact” on the ICTS supply chain. Transactions include not only acquisition or transfer of ICTS, but also “installation” and “use” of ICTS. Notably, Commerce refused to carve out transactions involving sporadic access to software to include security patches and updates. In Commerce’s view, this would “create a loophole that would allow exactly the types of malicious cyber acts the rule is meant to prevent.” Moreover, Commerce is not just looking at prospective transactions; ongoing activities, uses, and relationships can and will be investigated and could draw enforcement action.

As a final note, when considering whether your transactions on the ICTS supply chain are in violation of the Rule, it is important to understand the sweeping standard applied: the technology or service need only be “designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.” A simple consideration of ownership alone will be insufficient to determine risk.

Will I know if my business is under investigation?

In short, not necessarily. In fact, you may not know your transactions are in question until Commerce has completed its initial review and reached a preliminary determination. Commerce’s initial review — which may be taken up at the Commerce Secretary’s discretion or prompted by an outside referral provided to the agency — does not require notice to the party or parties under investigation. Only upon reaching an initial determination that the ICTS transaction in question does meet the criteria of a prohibited transaction is Commerce required by the regulations to provide notice of its determination to the party.

Can I challenge the agency’s determination?

Yes, but only to an extent. If Commerce makes an initial determination that you are party to a prohibited ICTS transaction, there is a brief 30-day response period. A response may include arguments and evidence that the initial determination did not have a sufficient basis, or could include a remediation plan to negate the need for the basis for the initial determination. You would also have the opportunity to request a meeting with Commerce regarding the determination; however, the regulations explicitly permit the agency to decline such a meeting at its discretion.

Significantly, you would not have a right to review the information considered by Commerce in reaching its decision. In other words, a responding party is flying blind. The party may put forth its own argument and evidence, but will not necessarily have the opportunity to see and respond to Commerce’s own evidence.

Alternatively, you could assert to Commerce that circumstances have changed such that the initial determination of a prohibited ICTS transaction no longer apply. This could potentially allow a party to self-enforce and remove the offending piece of its business/supply chain. However, the regulations state that such a response could rescind or mitigate the agency’s determination, meaning that Commerce may not be inclined to drop the enforcement action entirely.

What will enforcement look like?

A final determination issued by Commerce will direct the timing and manner for a prohibited transaction to be terminated. This can manifest in a variety of ways, depending on what activity on the ICTS supply chain Commerce has identified. For instance, the direction by Commerce could be as simple as ceasing to transact with a third-party vendor. However, it might also involve removing infrastructure — even hardware, like servers — from your supply chain if that infrastructure is, for instance, deemed to be under the control or jurisdiction of a foreign adversary and prohibited.

Alternatively, you might be able to reach a “mitigation agreement” with Commerce that would include the terms of ceasing or mitigating the prohibited transaction. In most instances, this will be a preferred route for a party because it will give the party some input on the ultimate solution.

Importantly, the final determination will also state the potential penalties if the party does not abide by the final determination and/or mitigation agreement. The government may pursue criminal and civil penalties against anyone that violates — or even attempts to or conspires to violate — Commerce’s final determination and related directions, including the terms of any mitigation agreement reached with the party. These penalties can be quite serious. Criminal penalties have a fine of up to US$1,000,000, imprisonment of up to 20 years, or both, while a civil penalty may result in a fine of up to $307,922 or twice the value of the transaction that is the basis of the violation, whichever is greater.

What can I do to limit my ICTS risk?

As we have noted, investigation and enforcement of the ICTS Supply Chain Rule may occur quietly, behind a veil of administrative confidentiality, yet can carry hefty implications for your supply chain and equally hefty penalties if you do not comply. Therefore, as the Office of Information and Communication Technology and Services ramps up its work, it will be imperative for businesses to take steps to limit their risk of becoming a target.

Beyond understanding the Rule itself, businesses should proactively investigate their own ICTS supply chain to ensure it is compliant. Due diligence cannot stop at their own infrastructure but rather businesses must conduct a holistic review, extending their visibility into third-party vendor information and technology ecosystems. As part of this review, businesses must stay closely attuned to its own and its customers’ sales patterns, immediately investigating abnormal patterns such as extreme or sudden upticks in sales. Additionally, conducting a consistent comparison between new and ongoing transactions and the U.S. sanctions list is essential.

Arnold & Porter’s team of experienced attorneys, including ex-government officials with direct knowledge of how Commerce and its interagency partners will carry out the goals of the administration, are able to help businesses reach creative solutions to this significant new area of agency enforcement.

About the authors:

Deborah A. Curtis — Deb is a partner in Arnold & Porter’s White Collar Defense & Investigations group. She has held a number of high-level government enforcement positions, including Deputy Chief for Export Control and Sanctions at the U.S. Department of Justice and Chief Counsel for Industry and Security at the U.S. Department of Commerce, where she advised executive leadership on legal enforcement and policy decisions, including initial implementation of the ICTS Supply Chain executive orders.

Henry B. Morris — Henry is a litigation associate, focusing on white collar defense and investigations.

Cate Baskin — Cate is an associate, focusing on government contracts and national security matters, including export controls.

© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.