Legislation to grant U.S. government sweeping authority over ICT-related national security threats

On 7 March 2023, U.S. Senators Mark Warner and John Thune, joined by a bipartisan group of their colleagues, introduced the Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act (the RESTRICT Act or the Act).  The RESTRICT Act would grant sweeping authority to the Secretary of Commerce (the Secretary) and/or the president to address threats originating in China, Cuba, Iran, North Korea, Russia, and Venezuela (Foreign Adversaries) in the form of (i) certain transactions in the information and communications technology (ICT) sector in which Foreign Adversaries have an interest (Covered Transactions) and (ii) Foreign Adversaries’ controlling interests in entities in the ICT sector (Covered Holdings).  The bill empowers the Secretary to review, prevent, and mitigate Covered Transactions and to refer certain Covered Holdings to the president for action, including forced divestment.

Practically speaking, the Department of Commerce could use its power over Covered Transactions to restrict or ban the use of hardware, software, or other products or services financed, manufactured, or supplied directly or indirectly by a Foreign Adversary and posing a risk to national security. At a minimum, this means that certain mobile apps provided by Chinese-owned companies may be caught by the RESTRICT Act.  Unlike other bills directed at specific Chinese apps, the RESTRICT Act is much broader in nature and appears to be intended to target a wide range of technologies and software.

The RESTRICT Act would direct the Department of Commerce to identify ICT-related threats from Foreign Adversaries—and specifically prioritize ICT products used in critical infrastructure, integral to telecommunications, or pertaining to a wide range of emerging, foundational, and disruptive technologies with national security implications.  The Act grants the Secretary of Commerce, in coordination with relevant department and agency heads, the authority to identify such threats and, for Covered Transactions, tailor solutions to prohibit or mitigate associated national security risks.  The Secretary also may refer Covered Holdings that “pose an undue or unacceptable risk” to U.S. national security to the president, who may impose mitigation or divestment.  Overall, the RESTRICT Act would give the Department of Commerce sweeping authority to restrict the use and supply of ICT products and services to or from Foreign Adversary countries, including China,  and would grant the agency express authority to target assets outside the United States that are used to support or enable the use of Foreign Adversary ICT products and services in the United States.

Amidst a push by many in Congress and within the Biden Administration for at least selective economic de-coupling from China, the RESTRICT Act is the latest effort by U.S. policymakers intended to address perceived national security threats from China.  Separately, the Biden Administration is soon expected to introduce a regime to review certain outbound investments from the United States into sensitive technologies that could enhance the technological capabilities of countries of concern in ways that threaten U.S. national security. The investments that would be subject to the regime would be ones not presently captured by U.S. export controls, sanctions, or other related authorities.

Legislative Landscape

In an era of deep polarization, the perceived national security threat and state-driven economic competition from China has galvanized Republicans and Democrats.  The RESTRICT Act was introduced by a bipartisan group of twelve Senators and only a week after the first meeting of the House Select Committee on China, which has also made the threat from Chinese-origin technologies a feature of its work. 

Notably, the White House and the Department of Commerce took the unusual step of endorsing the legislation on the day that it was introduced. Two days later, Deputy Attorney General Lisa Monaco also endorsed the Act. National Security Advisor Jake Sullivan urged both parties to pass the RESTRICT Act quickly and to send it to the president’s desk for his signature.  It would be premature to speculate exactly when the Act will advance and in what form, whether as a standalone bill or incorporated into a must-pass vehicle.  Nevertheless, the bipartisan rollout, public backing by the Biden Administration, and intense focus on Tik Tok make it highly likely that the RESTRICT Act—or legislation comparable to it—will become law.

Scope of Authority, Covered Transactions, and Covered Holdings

As explained in further detail below, the RESTRICT Act empowers the Secretary of Commerce to review and assess “Covered Transactions” and “Covered Holdings.”  Each of “Covered Transactions” and “Covered Holdings” is tied to ICT products or services, which the Act defines as “any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including transmission, storage, and display.” The Act also specifically identifies six Foreign Adversaries: China (including the Hong Kong and Macao Special Administrative Regions), Cuba, Iran, North Korea, Russia, and Venezuela.1

Covered Transactions

Covered Transactions are certain types of transactions in which a covered entity has an interest – namely, transactions that consist of “any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology product or service, including ongoing activities such as managed services, data transmission, software updates, repairs, or the provision of data hosting services.”  Covered entities include (1) Foreign Adversaries; (2) entities subject to the jurisdiction of, or organized under the laws of, a Foreign Adversary; and (3) any entity owned, directed, or controlled by a person described in (1) or (2).  The RESTRICT Act authorizes the Secretary, in consultation with the relevant executive department and agency heads, to identify, deter, disrupt, prevent, prohibit, investigate, or otherwise mitigate any risk arising from any Covered Transaction that poses an undue or unacceptable risk of sabotage or subversion of ICT products and services in the United States; catastrophic effects on the security or resiliency of the critical infrastructure or digital economy of the United States; interference or alteration to the reported result of a federal election; or coercive or criminal activities that are designed to undermine democratic processes and institutions or influence policy and regulatory decisions in favor of the Foreign Adversary to the detriment of U.S. national security.  Once the Secretary determines that a transaction is a Covered Transaction and one that poses an undue or unacceptable risk, the Secretary will determine whether the transaction should be prohibited or any other action should be taken to mitigate the effects of the transaction. 

Pursuant to the Defense Production Act of 1950, as amended (the DPA), the Committee on Foreign Investment in the United States (CFIUS), a U.S. government interagency committee, has the authority to conduct national security reviews of foreign investments in, or acquisitions of, U.S. businesses.  CFIUS’s jurisdiction can extend to some asset purchase transactions, joint ventures, or broad licensing arrangements with foreign persons, if the assets to be transferred or contributed to the foreign person collectively constitute a U.S. business.  So, it is at least possible that some transactions (e.g., transfers of U.S. assets, including ICT products, to a U.S. subsidiary of a Chinese technology company) might be Covered Transactions under the Act and also be subject to CFIUS’s jurisdiction.  The potential jurisdictional overlap could cause confusion for the parties to the Covered Transaction and for the Department of Commerce and CFIUS.  See the Covered Holdings description for a further description of the relationship between the Act and the DPA.

Covered Holdings

”Covered Holdings” are controlling ownership interests (whether existing interests or contingent interests) that “covered entities” (e.g., Foreign Adversaries) hold in entities that own, control, or manage ICT products or services.  For Covered Holdings, the RESTRICT Act grants the Secretary the power to determine, in consultation with the relevant executive department and agency heads, whether the Covered Holding poses an undue or unacceptable risk to U.S. national security.  If the Secretary determines that the Covered Holding does pose such a risk, the Secretary may then refer the matter to the president for such action as the president considers appropriate to compel divestment of, or mitigate the risk associated with, the Covered Holding.

Similar to the president’s powers under the DPA, the president’s powers under the RESTRICT Act include forcing divestment and imposing mitigation for certain Covered Holdings.  Under the RESTRICT Act, presumably the president could exercise these powers even in scenarios in which the Foreign Adversary simply established a new U.S. business – a “greenfield” investment – whereas the DPA exempts true greenfield investments from CFIUS’s jurisdiction.  Moreover, the president’s divestment and mitigation powers in the RESTRICT Act appear to apply extraterritorially.  In certain cases, a Covered Holding could fall within the scope of the Act and also be subject to CFIUS’s jurisdiction, potentially causing confusion for the parties to the Covered Holding and for the Department of Commerce and CFIUS.  The RESTRICT Act clarifies, though, that (i) the Act does not prevent or preclude the president from exercising any authority under the DPA and (ii) the president may not force a divestment or impose mitigation on a Covered Holding, if the Covered Holding resulted from a transaction that CFIUS cleared or for which the president announced a decision not to take any action.  The Act specifically requires that the Secretary  address coordination with respect to review by CFIUS in implementing the Act.

RESTRICT Act and Current ICT Rules

There is significant overlap between the proposed RESTRICT Act and current ICT rules established under Executive Order (EO) 13873, “Executive Order on Securing the Information and Communications Technology and Services Supply Chain”. 15 C.F.R. § 7.  The EO authorized the Secretary to prohibit certain transactions involving ICT products and services that have been “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a Foreign Adversary” and that pose an “unacceptable risk” to U.S. national security or “undue risk” to U.S. ICT or critical infrastructure.  The current rules were later amended under EO 14034 to include connected software applications, adding such products to the definition of ICT.  ICT transactions involving the acquisition of ICT items by a U.S. person as a party to a transaction authorized under a U.S. government-industrial security program or transactions under review or already reviewed by CFIUS are exempted under the rules.

The RESTRICT Act contains similar rules regarding ICT transactions, i.e., Covered Transactions, but the provisions of the Act are generally broader than those under EO 13873 and 15 C.F.R. § 7.  As with EO 13873 and 15 C.F.R. § 7, the Act still grants the Secretary the primary responsibility for assessing whether an ICT transaction might pose an undue or unacceptable risk to U.S. national security.  The RESTRICT Act adds two categories of undue or unacceptable risks that fall within the scope of the Secretary’s power to review Covered Transactions and that are not identified in the ICT rules: (1) interfering in or altering the results of a federal election and (2) coercive or criminal activities by a Foreign Adversary designed to undermine democratic processes and institutions or steer policy and regulatory decisions in favor of said adversary to the detriment of the United States.  Additionally, whereas reviewable transactions and activities under the existing ICT rules are limited to those occurring on or after January 19, 2021, transactions covered by the RESTRICT Act would include current, past, or potential future transactions.  Therefore, the RESTRICT ACT can be viewed as supplementing and expanding the Secretary’s authority under the ICT rules, rather than replacing those rules.

One of the key areas where the RESTRICT Act goes beyond the current rules is under its rules for Covered Holdings.  The current ICT rules established under EO 13873 only cover transactions, but the RESTRICT Act also empowers the Secretary to review and the president to take steps in addressing the risks presented by Covered Holdings even in the absence of a separate transaction. 

The president’s powers to impose divestment or mitigation remedies on Covered Holdings does not appear to be a wholly new power for the president, however, as the International Emergency Economic Powers Act (IEEPA) grants the president the authority to, among other things, “direct and compel, nullify, void, prevent or prohibit” acquisitions, holdings, or uses of any property in which a foreign country or a national has any interest in the face of “any unusual and extraordinary threat” once a national emergency has been declared.  The RESTRICT Act, while similarly empowering the president to order the divestment of a Covered Holding or issue any other mitigating orders, only requires that a Covered Holding exist that poses an undue or unacceptable risk to national security.  Thus, the president’s authority is broader under the RESTRICT Act than IEEPA.

If passed, the RESTRICT Act provides for a transition period for existing delegations, rules, regulations, orders, determinations, licenses, or other forms of administrative action taken under EO 13872 or IEEPA.  Such administrative actions would remain in effect unless they are subsequently modified, superseded, set aside, or revoked under the authority of the RESTRICT Act.  This would initially include, among others, the definitions of undue or unacceptable risk and Covered Transactions, as noted above. 

Named Priorities and Path Forward

The RESTRICT Act sets a number of areas for the Secretary to prioritize in addressing Covered Transactions and Covered Holdings.  These include, but are not limited to:

• ICT products or services used by a party to a covered transaction in a sector designated as critical infrastructure;
• Software, hardware or any other product or service integral to telecommunications products and services;
• Software, hardware or any other product or service integral to data hosting or computing service that actually or is expected to use, process, or retain the sensitive personal data of more than one million persons in the U.S. at any point in the year preceding the date on which the covered transaction is referred to the Secretary or the Secretary initiates a review;
• Internet or network-enabled sensors, webcams, end-point surveillance, or monitoring devices, modems, and home networking devices if greater than one million units have been sold to persons in the U.S. in the year preceding the date on which the covered transaction is referred to the Secretary or the Secretary initiates a review;
• Unmanned vehicles or any other product or service integral to the provision, maintenance, or management of such products or services;
• Software designed or primarily used for connecting with and communicating via the internet that is in use by more than one million persons in the U.S. in the year preceding the date on which the covered transaction is referred to the Secretary or the Secretary initiates a review, including desktop, mobile, gaming, payment, and web-based applications; and
• Information and communications technology products and services integral to artificial intelligence and machine learning, quantum computing, and other advanced technological innovation

Next steps

Hogan Lovells will continue to monitor the legislative horizon and keep you apprised of any significant updates.  Please contact any of the Hogan Lovells lawyers listed above with any questions or concerns regarding the potential implications of the RESTRICT Act. 

Authored by Josh LaFianza, Zach Alvarez, Ari Fridman, Ajay Kuntamukkala, Anne Salladin, Brian Curran, and Tim Bergreen.

References