
Industry Groups Don’t Like Commerce Department’s Supply Chain Security Rules


Multiple business groups have pushed back on proposed Commerce Department rules on information and communications technology supply chain security, citing concerns about lack of transparency and potential overreach.

The proposed Commerce rules, titled Securing the Information and Communications Technology and Services Supply Chain, would implement May’s Executive Order 13873, which banned United States entities from purchasing information and communications technology from “foreign adversaries.” While the rules are written to be country-agnostic and do not name any companies, they are understood to mean United States companies cannot buy from Chinese telecom equipment providers Huawei and ZTE.

The “proposed framework would likely have only a marginal impact on improving supply chain security, while severely constraining US companies’ ability to innovate,” said BSA, The Software Alliance. BSA represents companies with supply chains that are highly dependent on international partners. U.S. intelligence agencies have warned over the years that Huawei and ZTE’s close ties with the Chinese government pose significant risks to national security. Using equipment from these companies in U.S. critical infrastructure could give the Chinese government the ability to infiltrate and compromise U.S. networks for espionage.

In the rules, the Department of Commerce outlined the process for identifying, assessing and addressing certain information and communication technology and service (ICTS) transactions that pose a risk to the U.S. critical infrastructure, digital economy, or national security. The evaluations would be on a case-by-case basis, since the rules do not designate which technologies, participants, or transactions are exempt or prohibited.

“Nothing less than a very significant reconsideration of both substance and process will render such a rule workable or effective in terms of American national security, U.S. economic competitiveness, or overall due process,” said the Information Technology Industry Council (ITI), while urging the department to rewrite the rules, which were "fundamentally flawed."

Scope Overreach

The scope was “staggeringly” broad, as the department would be able to intervene in any transaction that involves anyone (“any person subject to the jurisdiction of the United States”), that involves any property a foreign country may have an interest in, and that was initiated or completed after May 15, 2019. If a transaction posed “an undue or unacceptable risk,” the Secretary of Commerce would be able to impose measures to mitigate the risk, or prohibit the transaction entirely. Even if the technology was already deployed and in use, its use would have to be suspended.

The rules would give the Secretary of Commerce “unbounded discretion to review commercial ICT transactions, applying highly subjective criteria in an ad hoc and opaque process that lacks meaningful safeguards for companies,” Christian Troncoso, BSA's director of policy, wrote in the comment letter. The vague terms (what makes something a ‘transaction’?), the lack of transparency, and the fact that there was no way to know what transactions were being reviewed, put unnecessary pressure on companies.

“This undefined scope would leave industry in a constant and irremediable state of uncertainty about whether their operations are, or soon will be, subject to regulatory scrutiny,” Troncoso warned.

ITI called the scope and breadth of the proposed rule "alarming and unnecessarily undermines" all ICTS transactions that may touch the United States, even peripherally. The executive order gives authority to block transactions with "a clear connection to a foreign adversary and pose unacceptable risks to national security or undue risks to critical infrastructure or the digital economy," but the proposed rules do not limit the Commerce Department's authority to only those situations, wrote John S. Miller, ITI's vice president of policy and senior counsel. In fact, as written, the rules would allow Commerce to evaluate and block transactions that present no or low risks to national security.

The U.S. Chamber of Commerce (not a government agency) was also concerned about the rule’s reach, as ICTS can be found in "virtually every type of company in every industry, with thousands of ICTS transactions happening every day," the Chamber of Commerce wrote in its comments. The rule would provide the Department with "nearly unlimited authority to interfere in virtually any commercial transaction,” wrote Neil L. Bradley, chief policy officer for the Chamber of Commerce, and Christopher D. Roberti, the senior vice president of cyber, intelligence, and security at the Chamber. The uncertainty associated with operating in an environment where any and all ICTS transactions may be subject to review could disrupt global supply chains and make investment and sourcing decisions very difficult, Bradley and Roberti wrote.

Practical Challenges

The broad and vague language used would make it difficult for organizations to know what they have to do in order to make sure they are following the rules.

The rules as drafted are "too broad to be practically implementable," Miller said.

USTelecom, which represents larger telecommunications operators, recommended modifying the rules "to draw clearer lines between prohibited and permitted transactions." That could mean publishing a list of persons or governments that are foreign adversaries providing ICTS, or a "policy guidance with unmistakably clear criteria," USTelecom wrote. That would help organizations understand what types of transactions would fall under the scope of the rules.

Overlapping Authority

The Chamber of Commerce also noted that several national security programs are already working on this problem, such as the Bureau of Industry and Security’s Entity List and the Committee on Foreign Investment in the United States (CFIUS). The supply chain may be an “attractive target for espionage, sabotage, and foreign interference activity,” but supply chain security cannot be achieved while leaving out the U.S. business community. The proposal offers “little in terms” of guidance on what businesses can do to make sure they are planning around potential threats.

“A more deliberate discussion of how this proposal would complement existing programs without overlapping them is necessary,” the Chamber said.

USTelecom said the department needed to coordinate its evaluations “formally with other agencies at every step.” One way to do so is to look at the ongoing work done by the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency's Supply Chain Risk Management Task Force, and other arenas to develop a framework on how subcomponents are evaluated instead of trying to come up with their own approach.

The Rural Wireless Association, which represents smaller rural carriers in the United States, noted in its comments a parallel effort at the Federal Communications Commission to block Huawei and ZTE from receiving funds from the Universal Service Fund. The fund is an annual pool of $8.5 billion collected from consumers for expanding broadband access. RWA members would be particularly affected by the proposed rules because they rely on low-cost equipment from Huawei and ZTE to extend internet connectivity to hard-to-cover rural areas.

ITI's Miller also noted the challenge of providing comments to a rule "with such vast legal scope and economic implications" within an "expedited timeframe." As the draft provided "almost no specifics, industry cannot meaningfully comment on it," Miller said.