The Department of Commerce on Tuesday issued a proposed rulemaking seeking public feedback on its plans to implement a presidential directive signed in May to secure the nation’s information and communications technology and services (ICTS) supply chain from products and services provided by companies that may be owned by, or subject to the control and influence of, foreign adversaries.
The Notice of Proposed Rulemaking, which will be published in the Nov. 27 Federal Register, lays out the procedures the Secretary of Commerce will use to identify and evaluate whether a pending acquisition of technology or service presents a risk to ICTS in the U.S. and should be prohibited.
The proposal stems from President Trump’s Executive Order (EO 13873), Securing the Information and Communications Technology and Services Supply Chain, which warns that foreign adversaries are conducting “economic and industrial espionage against the United States and its people” by creating and taking advantage of cyber security vulnerabilities in the nation’s ICTS, which is crucial to critical infrastructure and the digital economy.
The executive order also highlights a weak point in the ICTS ecosystem: the use of services and technologies “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to, the jurisdiction or direction of foreign adversaries” can lead to the exploitation by these adversaries of these same services and technologies “with potentially catastrophic effects” and therefore represents a grave risk to the country.
The executive order is targeted at ICTS product and service companies such as China’s Huawei and Russia’s Kaspersky Labs, whose products are seen by the U.S. intelligence community and other security agencies as potential entry points into U.S. information systems and networks for the benefit of their home countries.
“These actions will safeguard the Information and Communications Technology Supply Chain,” Commerce Secretary Wilbur Ross said in a statement. “These rules demonstrate our commitment to security of the digital economy, while also delivering on President Trump’s commitment to our digital infrastructure.”
The proposed rulemaking says the secretary will assess ICTS transactions on a case-by-case basis against the requirements set out in the executive order. No specific technologies or “particular participants” are included or excluded from possible rejection, it says.
To help the Commerce Department implement Trump’s directive, the Office of the Director of National Intelligence provided a classified assessment of threats from ICTS subject to prohibition under the executive order, and the Department of Homeland Security provided “an initial vulnerabilities assessment identifying and assessing ICTS hardware, software, and services that present vulnerabilities in the United States,” according to the proposal.
Respondents have 30 days to submit their feedback on the proposed rule.