Bipartisan Legislation Seeks to Address National Security Threats From Foreign Information and Communications Technology

A newly introduced Senate bill seeks to bolster the U.S. Government’s ability to effectively respond to national security threats posed by foreign information and communications technology products and services offered in the United States. Recently, a bipartisan group of senators introduced the Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act to authorize the Secretary of Commerce to review, mitigate, and prohibit information and communications technology (“ICT”) transactions that threaten U.S. national security. Intended to be a comprehensive tool for the federal government to address threats posed by ICT from countries deemed to be foreign adversaries, the legislation was immediately supported by the White House in a statement by National Security Advisor Jake Sullivan. The bill is still in an early stage, but appears likely to have support to be enacted in some form during the 118th Congress.

Concerns about Foreign ICT Products and Services

Over the last number of years, there has been increasing concern in the U.S. public and private sectors that certain types of foreign technology products used by many U.S. companies and citizens pose threats to U.S. data, critical infrastructure, and communications privacy. According to the bill’s co-authors, Sen. Warner and Sen. Thune, these foreign technologies include telecom equipment produced by Huawei, social media apps like TikTok and WeChat, e-commerce platforms like AliPay, and security software created by Kaspersky.

The U.S. Government has used various authorities to address these ostensible threats, including banning TikTok on federal government devices, prohibiting the use of certain Chinese telecom and video surveillance equipment, and forcing Chinese companies to divest acquisitions of U.S. companies. See our prior alerts: FCC Bans New Licenses for the Import and Use of Certain Chinese Telecommunications and Video Surveillance Equipment; President Trump Orders Chinese Company to Divest Acquisition of US Hotel Software Company. These efforts all have the same stated aim – to protect U.S. national security from threats posed by foreign technology – but the execution has been through a patchwork of authorities, none of which provides a comprehensive mechanism to address national security risks from the complex, rapidly changing, and globally interconnected ICT supply chain.

Key Aims of the RESTRICT Act

The RESTRICT Act aims to address this gap by authorizing the Commerce Department to create a framework to systematically review and address any ICT transaction involving countries deemed to be foreign adversaries under the statue, including entities organized under the laws of a foreign adversary or entities owned, directed or controlled by them (“covered entities”), and that pose undue or unacceptable risks to U.S. national security. Foreign adversaries are defined in the RESTRICT Act as China, Cuba, Iran, North Korea, Russia and Venezuela, and the proposed law would empower the Commerce Department to designate additional foreign adversaries.

The scope of such transactions is broadly defined to include transactions in which “covered entities” have “any interest,” including through a contract to provide technology or services (“covered transactions”). The legislation does not define what constitutes an “interest,” which would be left to the Commerce Department to define in its implementing regulations. If enacted, such broad language gives the Commerce Department enormous discretion in fashioning its regulatory mandate. To illustrate the potential breadth, the proposed language would authorize the Commerce Department to bar the importation of all ethernet switches from China, or prohibit U.S. firms from using China-based data hosting services.

Notably, the RESTRICT Act specifically directs the Commerce Department to prioritize the evaluation of ICT products and services used in a number of key areas: critical infrastructure, telecommunications, data hosting and computing services, internet- and network-enabled sensors, monitoring and networking devices, UAVs, internet-based communications, and ICT products and services integral to emerging technologies, including quantum communications and computing, advanced robotics, biotech, and e-commerce technology and services. These areas, however, are not exclusive, and the Commerce Department would be authorized to review “covered transactions” involving any technologies.

As the bill has just been introduced in the Senate, it remains to be seen whether the legislation will become law and in what form. Given the broad bipartisan support (the bill has nine Republican and nine Democrat co-sponsors), support from the White House, and the generally accepted view that current law does not adequately authorize the federal government to comprehensively address threats posed by foreign ICT, we expect that a version of the legislation will become law during the current Congress. The Commerce Department will then be required to create a regulatory framework to implement its authority.

Relationship to ICT Supply Chain Executive Orders

The RESTRICT Act would build on existing Commerce Department authorities to review and block ICT transactions under Executive Orders 13873 and 14034 (“ICTS Executive Orders”), which leveraged the International Emergency Economic Powers Act (“IEEPA”). Under this authority, the Commerce Department is empowered to block ICT transactions – which includes the mere use of technology – that pose an “undue or unacceptable threat” to U.S. national security. The Commerce Department has taken steps to implement this authority, but has not yet taken any public enforcement action. 

The RESTRICT Act reflects many of the core features of the ICTS Executive Orders, but provides greater direction on the processes, scope, transparency, and priorities for the review of foreign ICT products. Notably, the RESTRICT Act explicitly empowers the U.S. Government to compel divestment in covered transactions as well as to take “appropriate action" to mitigate the threat of any data obtained or derived from use of a covered entity’s products in the United States. It also provides an independent statutory basis for conducting these reviews, perhaps out of a concern that prior efforts to leverage IEEPA to address ICT threats had gone too far. 

Companies should be mindful that even if passage is delayed, the Commerce Department already has the authority to take many of the actions described in the legislation. And with clear bipartisan support for addressing these issues, the Commerce Department may be emboldened to act swiftly should the need arise.

Other National Security Measures Coming Down the Pike

In parallel, we expect both the Biden Administration and the Congress to continue to introduce new national security measures to address potential threats posed by perceived foreign adversaries, in particular, China. Notably, the Biden Administration reportedly plans to introduce an outbound investment screening mechanism in the near future that will impose restrictions on certain U.S. investments in foreign companies, with a focus on China. Companies engaged in the ICT space and in cross-border transactions should continue to monitor these measures to assess potential impact on their businesses. The Biden Administration has also signaled that it will continue to expand export controls on advanced and emerging technology destined for China, building on its recent expansion of controls related to semiconductors (see our prior alert), and several new additions of Chinese companies to the Entity List, which results in a company being effectively barred from receiving most U.S. goods and technology.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Greta Lichtenbaum, an O’Melveny partner licensed to practice law in the District of Columbia, David J. Ribner, an O'Melveny counsel licensed to practice law in the District of Columbia and New York, John Dermody, an O'Melveny counsel licensed to practice law in the District of Columbia and California, and Shruti Kannan, an O'Melveny associate licensed to practice is the District of Columbia and New York, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2023 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.