US moves to secure telecom equipment supply chain

The Department of Commerce has proposed new rules requiring case-by-case approvals of all purchases of telecommunication equipment in a move likely to hit major Chinese suppliers such as Huawei.

The proposal issued on Tuesday follows President Donald Trump’s order in May declaring a national emergency and restricting purchases by US companies of telecoms equipment that might be considered a security threat.
That order did not name specific countries or companies but was thought to target Chinese suppliers such as Huawei Technologies and ZTE Corp.
The proposed rule sets out the procedures the secretary of commerce plans to use to identify, assess, and address ICTS transactions that pose an undue risk to ICTS in the United States, to the critical infrastructure or the digital economy in the United States, or an unacceptable risk to national security or to the security and safety of US persons. The public will have a 30-day period to submit comments.
“These actions will safeguard the Information and Communications Technology Supply Chain,” said Secretary of Commerce Wilbur Ross. “These rules demonstrate our commitment to securing the digital economy, while also delivering on President Trump’s commitment to our digital infrastructure.”
The President issued EO 13873 on 15 May 2019 pursuant to statutory authorities, including the International Emergency Economic Powers Act and the National Emergencies Act, in light of the finding that foreign adversaries are increasingly exploiting ICTS to commit cyber actions, including economic and industrial espionage against the United States. The EO gives the secretary of commerce, in consultation with other relevant federal agencies, authority to prohibit or mitigate transactions initiated, pending, or completed after 15 May  2019, that involve ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, if such transactions pose: 
  • An undue risk of sabotage or subversion ICTS in the United States; 
  • An undue risk of catastrophic effects on the security and resiliency of critical infrastructure or the digital economy in the United States; or 
  • An unacceptable risk to national security or to the security and safety of US persons.
The secretary of commerce has chosen to adopt a case-by-case, fact-specific approach to determine which transactions must be prohibited, or which can be mitigated, according to the requirements in the executive order. The secretary will use assessments developed by the Secretary of Homeland Security and the Director of National Intelligence pursuant to the executive order, among other things, to inform his evaluation of ICTS transactions.
While Executive Order 13873 empowers the secretary immediately to prohibit or mitigate ICTS transactions that pose the risks identified in the executive order, the proposed rule sets forth procedures the secretary will follow, except in instances where the risk of public harm or national security interests require a deviation from such procedures. Under the proposed rule, if the secretary makes a preliminary determination, in consultation with other federal agencies, to prohibit or mitigate a transaction, the secretary will provide notice to the parties engaged in the transaction. Notified parties will have an opportunity to submit a position, which may include proposed measures for mitigation, prior to any final determination issued by the secretary. The secretary will provide an unclassified, written final determination provided to the parties that, to the extent possible, explain how the decision is consistent with the terms of the executive order, and, as appropriate, a summary of the final determination will also be made publicly available.