Recent weeks have brought news on multiple fronts regarding supply chain risks and actions in response thereto:
Commerce ICTS Regulations to Go Into Effect; Chinese ICTS Companies, Products and Services in the Headlights
The Trump Administration rolled out regulations to implement prohibitions on the use or delivery of covered Chinese telecommunications and video surveillance products and services. Additionally, its Department of Commerce had engaged in rulemaking to implement processes and procedures for identifying supply chain risks posed by Chinese Information and Communications Technology Sector (ICTS) companies, products and services. The Biden Administration has come to town and many have wondered what is going to happen to this rulemaking when it becomes effective in March 2021. Law360 quotes the new Secretary of Commerce as saying “The Biden-Harris administration has been clear that the unrestricted use of untrusted ICTS poses a national security risk…Beijing has engaged in conduct that blunts our technological edge and threatens our alliances.” For those wondering whether the Biden Administration will continue its tough stance on Chinese ICTS, China and ICTS remain a target of potential enforcement activities under the Biden Administration: “The administration is firmly committed to taking a whole-of-government approach to ensure that untrusted companies cannot misappropriate and misuse data and ensuring that U.S. technology does not support China’s or other actors’ malign activities.” The Administration has backed up these words with actions, applying the Commerce rules to issue subpoenas to Chinese ICTS firms to further assess the risks they pose to the supply chain. However, the Administration is also holding talks with China this week and one wonders whether and to what extent this action is intended to impact that discussion.
FCC Votes to Revoke US Operating Licenses of Two Chinese Telecommunications Carriers
China Unicom, Pacific Networks and subsidiary ComNet USA LLC are now being considered for termination of their Section 214 licenses to interconnect with U.S. networks. Last spring, they were identified as potentially under the influence and control of the Chinese government. While they objected to that notion, Law360 reports that a Federal Communications Commission (FCC) staffer said that both “failed to dispel serious concerns’ about their security and data use practices.”
White House Previews Cybersecurity Ratings System
The White House recently previewed a proposal to promote more informed government procurement of software through a cybersecurity rating system. During a March 12, 2021 background press call, a senior administration official explained that the Biden Administration would like to make it easier to know the degree of cybersecurity offered by software companies selling to the federal government. The official touted the example of New York City Mayor Mike Bloomberg’s requiring restaurants to display their sanitation rating (A, B, C, D) in their front window “to make a market around health and sanitation.” They also referenced a similar approach being used by Singapore for Internet of Things devices, which provides cybersecurity standards for different types of devices (e.g. baby monitors) so consumers will know the level of cybersecurity offered by the product they’re buying. The Administration hopes to spur the development of a similar market for cybersecurity in the United States and promises an Executive Order addressing these issues in a couple weeks.
Court Enjoins DoD’s Designation of Xioami Corp. as a Communist Chinese Military Company
Under Section 1237 of the National Defense Authorization Act for FY 1999, the International Emergency Economic Powers Authority (IEEPA), U.S. persons are prohibited from purchasing or otherwise possessing publicly traded securities of Communist Chinese Military Companies (CCMC) or derivatives of such securities. CCMCs are defined under the IEEPA to include a person owned or controlled by, or affiliated with, the People’s Liberation Army, ministry of the People’s Republic of China (PRC), or an entity affiliated with the PRC defense industrial base. Executive Order 13959, issued in November 2020, implements the IEEPA.
Xioami, a multinational consumer electronics corporation that is headquartered in China and incorporated in the Cayman Islands, is the third-largest smartphone manufacturer in the world by volume and has a significant presence in the United States. In January 2021, the Department of Defense (DoD) submitted to Congress its list of designated CCMC companies, which included Xioami.
To avoid implementation and the adverse effects of the action, Xioami filed a suit for emergency injunctive relief and a preliminary injunction against enforcement of the IEEPA restrictions in the District Court for the District of Columbia. In that suit, the District Court found that Xioami had established that it was likely to succeed on the merits, suffer irreparable harm absent an injunction, and that the balance of equities tipped in favor of granting Xioami injunctive relief and such injunction was in the public interest. The decision indicates that the Court relied on the Administrative Procedure Act and determined that, under that authority, the DoD, in its defense of the action, did not provide sufficient reasoning to show the nexus of the facts to the conclusion that Xioami was a CCMC: “Even given this deferential standard, the Court finds that reasonable minds would be hard-pressed to accept as adequate the Department of Defense’s Xiaomi CCMC determination based on the paltry evidence on which the decision rests.” This decision makes real the conundrum of how to address supply chain risks when disclosure of the basis for the finding may pose risks in and of itself.
For government contractors, moving forward, there is still the DoD Federal Acquisition Regulation Supplement (DFARS) Supply Chain Risk Rule, 252.239-7018, which provides the DoD with authority to manage its supply chain risks by considering public and non-public information to determine whether an entity that sells information technology supplies or services to the DoD poses a supply chain risk. That rule provides that there is no right to appeal or protest. The District Court decision did not discuss the Supply Chain Risk Rule in making its decision. Given this, we are still left to question whether the District Court would even take jurisdiction over an action to enforce a supply chain risk ruling based on the DFARS rule, and related statute, 10 U.S.C. 2339a.