At the start of the Biden administration, the president made a consequential decision to retain the Executive Order on Securing the Information and Communications Technology and Services Supply Chain, which was issued by President Trump and prohibits the import of information and communications technology and services (ICTS) from foreign adversaries. The executive order and its implementing regulations (together, the ICTS rules) are a critically important effort to prevent capable foreign cyber actors, notably China and Russia, from exploiting the open nature of the U.S. ICTS market. Notwithstanding this strong security rationale, the industry has heavily criticized the ICTS rules as overly broad and vague. To address these concerns, the Department of Commerce, the agency that leads the implementation of the ICTS rules, committed to implement a voluntary licensing process, which would allow transacting parties to apply for preapproval of their ICTS transactions. The objective of the licensing process is to provide certainty to transacting parties, allowing them to engage in nonrisky, commercially beneficial ICTS transactions without fear that the government will seek to unwind or ban the transactions in the future.
While laudable in intent, establishing a licensing regime based on the current structure of the ICTS rules is likely to fail.
This is simply a matter of numbers. According to the Commerce Department’s own assessments, up to 4.5 million firms may engage in ICTS transactions on a regular basis. Opening up a licensing process for any—or all—of these firms would likely lead to an unmanageable flood of applications, forcing the department to divert its extremely limited resources to processing licenses for ICTS transactions that may not present any genuine national security risks. The department will inevitably be pressured to narrow the scope of the ICTS rules in order to effectively manage the licensing process, which would erode the national security benefits of the rules.
To address these challenges, the Commerce Department should restructure the ICTS rules to adopt a sanctions framework by creating a new list of entities that would be prohibited from selling ICTS into the U.S. market. In other words, this could function as an ICTS sanctions list. An ICTS sanctions approach would mirror the regulatory structure of existing U.S. sanctions authorities, preserving the broad authority and discretion of the government to respond to evolving threat and technology environments. A designations process for listing sanctioned ICTS entities, along with the scope of ICTS transactions subject to a prohibition, would provide much needed certainty to the private sector. This approach avoids the need for a resource-intensive, generally available voluntary licensing process, as the ICTS designations list would provide bright line rules around which transactions are or are not prohibited.
Read the full article from Lawfare.
More from CNAS
ReportsSanctions by the Numbers: Economic Measures against Russia Following Its 2022 Invasion of Ukraine
Executive Summary Following the unprovoked Russian invasion of Ukraine in late February, the United States and its allies have unleashed an impressive array of economic measur...
By Emily Kilcrease, Jason Bartlett & Mason Wong
CommentaryCan Russia Rebuild Its Tech Sector with China's Help?
China will play a crucial role in the future of Russia’s tech sector, but a complicated one....
By Emily Kilcrease & Maria Shagina
PodcastThe Lawfare Podcast: China’s NFT Plans for Digital Control
Lawfare fellow in cybersecurity law Alvaro Marañon sat down with Yaya Fanusie, an adjunct senior fellow at the Center for a New American Security, to speak about the China gov...
By Yaya J. Fanusie
CommentarySharper: The Indo-Pacific Pivot
Previous presidential administrations have laid much groundwork diplomatically and militarily to ensure a strategic pivot to the Indo-Pacific. The past week has seen the ASEAN...
By Anna Pederson