A new Justice Dept. rule limiting foreign access to U.S. data is the latest effort to address globalized data and technology supply chains.

In its final weeks, the Biden administration established a complex new regulatory structure that affects potentially every American company collecting personal information. The rule is aimed at limiting foreign access—particularly access by China—to Americans’ sensitive data. With the new administration placing almost all federal regulations under scrutiny, it seemed that this rule was a prime candidate for the shredder. Instead, on April 11, President Trump’s Justice Department declared the Biden-era rule a “critical national security program.”
Where did this rare respect for the prior administration’s work come from? What does it portend for future policy directions? Answers can be found in the now decade-long effort of the U.S. government to manage the cybersecurity and geopolitical risks posed by globalized supply chains for digital data, products, and services. This article examines three defining initiatives: the banning of products and services offered by the Russia-based cybersecurity company Kaspersky, the ongoing effort to rip and replace China-made switches from the U.S. telecommunications infrastructure, and the TikTok saga. This review of recent history shows, first, that the restrictions emerging in U.S. law are based on a broad consensus across both political parties. Second, the policies have found support in all three branches of government: the executive branch, Congress, and the courts. Third, there is a certain tension between approaches that would flatly prohibit a foreign company’s products or services in the U.S. versus those approaches that allow the product or service subject to conditions aimed at mitigating national security concerns. Fourth, while some actions with regard to particular high-profile companies seem to have been taken in isolation, frameworks and fora are beginning to emerge to address these questions in a systematic way. And fifth, as a result of these developments and their likely extension, companies have to develop sophisticated policies, programs, and tools to illuminate and risk-manage their supply chains.
Kaspersky Lab
The first concrete action the U.S. government took to address geopolitical risk in information technology concerned Kaspersky Lab, a cybersecurity company whose cornerstone product is anti-virus (AV) software. Like other AV software, the Kaspersky product scans computers to identify and block viruses and malware. It works because once it’s been installed on a system it has privileged access to the entire computer. Moreover, it has some communication with its creator, to receive updates and to compare what it is learning about one subscriber’s computers with what it is learning about the other information systems it is operating on.
By the 2010s, the Kaspersky AV product was widely used in the U.S., including on some government computers. Although the parent company is incorporated in the United Kingdom, its owners, analysts, and some of its servers are located in Russia. As a result, Kaspersky Lab operated subject to the information technology, law enforcement, and intelligence laws of Russia. Further, its owner and many of its senior staff had come originally from the intelligence, military, and law enforcement services in Russia.
U.S. government leaders grew increasingly concerned. Therefore, in 2017, Acting Secretary of Homeland Security Elaine Duke invoked the Federal Information Security Modernization Act (FISMA), governing federal networks, to issue a binding operational directive (BOD) to other federal agencies indicating that she was planning to order them to remove Kaspersky AV products and services. The BOD gave the agencies 90 days to plan for the removal of the Kaspersky products.
Duke’s order marked the first time the BOD authority had been used to take action with regard to a specific company and its products. Although FISMA does not require due process for companies in these types of situations, the acting secretary and her team concluded that the company should be given notice sufficient to understand the government’s concerns and an opportunity to respond. When the government is faced with complex technical questions, such due process is important not only because it is a cornerstone of our legal system but also because it benefits the governmental decision-maker, as the company may be able to explain elements of its products, services, or infrastructure that are not immediately apparent.
Moreover, the Department of Homeland Security and Department of Justice’s legal team concluded that they would use no classified information in making the final decision about whether to remove Kaspersky products. While classified information can be very helpful to inform a decision-maker, it raises a host of difficult questions: Should the company be given access to everything that the decision-maker consults in making her decision? If so, how do you give them access? Do you grant their lawyer a one-day “read in”? What if there is a subsequent court challenge? Will the court be comfortable basing its review on classified information?
In the Kaspersky case, the government decided not to rely on classified information at all.
So attorneys for the Department of Homeland Security gave Kaspersky’s attorneys the same exact evidence they had presented to the acting secretary: a binder of several hundred pages of documents containing nonclassified information. In the 90-day period, the company submitted its own voluminous package of documents and made an oral presentation to the Department of Homeland Security. At the conclusion of the 90-day period, the acting secretary read all the materials presented by Kaspersky, along with further analysis from her lawyers, and issued a final determination—that federal agencies must remove Kaspersky products from all of their systems and replace them.
China-Made Telecom Equipment: Rip and Replace
Amid the Kaspersky matter, there was also growing concern that U.S. telecommunications service providers were using switches made by the Chinese company Huawei (and, to a lesser extent, switches made by another China-based company, ZTE). In 2018, Congress used its control over government procurement to force the telecom carriers to abandon Huawei and ZTE products. In the National Defense Authorization Act (NDAA) for fiscal year 2019, Congress banned all federal agencies from procuring any equipment, system, or service that used Huawei or ZTE telecommunications equipment or services. The law also banned federal agencies from entering into contracts with any entity that used any service that used Huawei or ZTE equipment or services. In effect, this prohibited all government contractors from using telecommunications equipment or services that used equipment from the proscribed entities—with the ultimate aim of forcing private telecommunications entities to stop using Huawei and ZTE equipment.
The focus on telecommunications network equipment built from there. In November 2019, the Federal Communications Commission (FCC) adopted an order designating Huawei and ZTE as companies that posed a national security risk to communications networks or the communications supply chain. The FCC prohibited telecommunications companies from using Universal Service Funds—a federal subsidy program—to purchase Huawei and/or ZTE equipment.
In 2020, the issue moved back to Congress, which adopted the Secure and Trusted Communications Networks Act. The legislation codified the FCC’s ban on use of Universal Service Funds to buy Huawei or ZTE equipment. Moreover, it required the FCC to establish a program to reimburse carriers for the cost of ripping out and replacing any Huawei or ZTE switches in their networks. And, moving beyond the particular focus on Huawei and ZTE to establish a generalizable process, the law required the FCC to develop and maintain a list of other communications equipment and services deemed to pose an unacceptable risk to the national security of the United States or the security and safety of U.S. persons.
Meanwhile, in May 2019, President Trump entered the field with Executive Order 13873. It prohibited “any acquisition, importation, transfer, installation, dealing in, or use of” any information and communications technology or service where the secretary of commerce determined that the transaction posed a threat to information and communications services in the U.S. or to U.S. national security. Initially, the executive order was seen in the press as aimed at Huawei and ZTE, but it was never actually used against them. Still, Executive Order 13873 remains in place today, and when President Biden issued his order on sensitive data, he invoked the national emergency declared by Trump in Executive Order 13873.
The Courts Defer to Congress and the President
Upon being banned by the Department of Homeland Security’s BOD (in addition to a parallel provision in the 2018 NDAA), Kaspersky sued. The company argued that the NDAA provision was an unconstitutional bill of attainder, a device used by sovereigns in Britain to punish particular people by act of Parliament outside the criminal justice system.
But the courts ruled that the Kaspersky ban was not a punishment. Rather, it was a purchasing decision about the kinds of software that will best provide security for the government’s information technology. After reviewing the government’s unclassified information about threats posed by Russian actors, the U.S. Court of Appeals for the D.C. Circuit wrote that given the “not insignificant probability that Kaspersky’s products could have compromised federal systems and the magnitude of the harm such an intrusion could have wrought,” the NDAA ban represents a “reasonable and balanced response.” The court concluded: “Viewed in context, section 1634 [the NDAA ban] ‘has the earmarks of a rather conventional response’ to a security risk: remove the risk.”
Huawei also went to court, also on the bill of attainder theory, as well as claims based on the Due Process Clause of the Fifth Amendment and separation of powers. The federal district judge’s ruling in this case was based largely on the D.C. Circuit’s ruling in Kaspersky; the judge found that the issue in the Huawei case was an information security question rather than a question of Congress singling out a specific company and punishing it. The ban, the court concluded, was adequately tailored to the government’s goal of protecting the networks of federal agencies and contractors from the threat of cyberattacks and espionage by the Chinese government.
The deference that the courts have shown to Congress and the executive branch regarding controls on the ability of foreign entities to offer services or products in the U.S. has not been limited just to products and services that federal agencies purchase for their own use: In 2022, the U.S. Court of Appeals for the D.C. Circuit upheld the FCC’s decision to revoke the authorization of a China-controlled entity to provide any telecommunications services in the U.S. The court expressed no doubt about the FCC’s authority to consider national security, law enforcement, and foreign policy concerns in granting or revoking authorizations to operate in the U.S.
TikTok: A Winding Path, Still Without a Destination
In August 2020, President Trump issued two orders aimed at removing TikTok from Americans’ mobile phones. One order was based on the International Emergency Economic Powers Act (IEEPA). The other was based on the Defense Production Act, which is administered by the Committee on Foreign Investment in the United States (CFIUS).
Before the Trump IEEPA order on TikTok (and a companion order on WeChat) could be enforced, in 2021, President Biden repealed them and ordered a comprehensive review of connected apps. However, President Biden left President Trump’s second order under CFIUS in place, requiring TikTok’s China-based parent company to divest itself from the TikTok app. For three years, negotiations dragged on over an alternative to forced sale. These negotiations focused on a proposal by TikTok, called Project Texas, to move its data storage to Texas and shield it from Chinese access while still allowing the Chinese parent to own TikTok.
Last summer, Congress became impatient and passed a statute mandating the sale of TikTok by its Chinese parent. TikTok challenged the law in the D.C. Court of Appeals and raised the same bill of attainder argument advanced by Kaspersky. Writing for a unanimous panel, Judge Douglas Ginsburg, who had been on the Kaspersky panel, rejected the bill of attainder and other arguments, just as the Kaspersky and Huawei decisions did. The case then went to the Supreme Court. There, TikTok did not advance the bill of attainder claim—it only argued that the statute violated its First Amendment rights. The Supreme Court unanimously rejected the challenge.
Interestingly, in a concurrence, Justice Neil Gorsuch raised an issue that the Department of Homeland Security had confronted when considering the Kaspersky BOD: Should such decisions be made on the basis of classified information? “I am pleased,” Gorsuch wrote, “that the Court declines to consider the classified evidence the government has submitted to us but shielded from petitioners and their counsel.” Efforts to inject secret evidence into judicial proceedings, Gorsuch said, “present obvious constitutional concerns.” He went on to quote a landmark due process case for the proposition that, usually, “the evidence used to prove the Government’s case must be disclosed to the individual so that he has an opportunity to show that it is untrue.” The justice’s warning to the government was clear: Do not try to ban products or services based on classified evidence.
However, the Supreme Court was not the end of the road for TikTok. Shortly before the Supreme Court’s ruling, TikTok’s CEO met with then President-elect Trump at his Mar-a-Lago residence. On Jan. 20, soon after taking the oath of office, President Trump ordered the Justice Department not to enforce the statute. In April, he extended that shield, and in May he said he would consider giving the company a further extension on its protection. At present, TikTok remains in the app stores and part of the U.S. digital ecosystem. Its saga suggests that, despite bipartisan support and the backing of the courts, it may be difficult for the U.S. to ban specific products that are in widespread personal usage, especially ones that have garnered the admiration of a media-focused president. Whether TikTok is one of a kind in that regard remains to be seen.
Replicable Frameworks and Their Fora
Emerging from these controversies is a set of frameworks and fora in the executive branch for addressing more systematically the geopolitical risks associated with globalized information and communications technology and services. In January 2021, in the final days of the first Trump administration, the Department of Commerce adopted a rule setting forth procedures for implementing President Trump’s 2019 Executive Order 13873, whereby the secretary of commerce can designate information and communication technology products as posing an unacceptable risk to the national security of the U.S. or the security and safety of U.S. persons. That rule was invoked for the first time by the Biden administration, when the Commerce Department issued a determination essentially banning Kaspersky from operating in the United States. Likewise, the FCC has used the process created under the Secure and Trusted Communications Networks Act to add Kaspersky AV software to its list of products posing a threat to U.S. national security.
Moreover, the emergency declared by President Trump in Executive Order 13873 served as the basis for both the rule of Biden’s Commerce Department on connected vehicles and the Biden Justice Department rule on sensitive data. Notably, the latter targets neither specific companies nor specific products. Instead, it regulates classes of data.
Another example of a forum that will systematically deal with these issues is the Federal Acquisition Security Council (FASC). The FASC was created by the Federal Acquisition Supply Chain Security Act of 2018 in response to the Kaspersky controversy. The FASC is an interagency body chaired by the Office of Management and Budget that seeks to deal with geopolitical data security threats posed by particular companies or products by establishing contracting rules governing all federal agencies. The FASC can investigate assertions that particular products and/or companies pose information security risks to federal infrastructure, and, if the FASC members agree, can issue orders requiring federal agencies to remove those products from information systems. To date, the FASC has focused on establishing its processes, a painstaking effort to ensure that technical details of various products and services are fully understood and that companies have the opportunity to present their case before procurement actions are taken. It is likely that in the upcoming months the FASC will announce some concrete actions.
Despite all that, particularly controversial companies still will likely be singled out. However, perhaps influenced by the TikTok saga, there may be a growing appetite in Congress for dealing with geopolitical security threats within systematic frameworks. The tension between quick one-offs and more systematic approaches is now playing out over calls to ban China-made routers. The concern has focused specifically on routers made by TP-Link, but so far Congress is urging use of existing authorities rather than passing TikTok-type bans. On April 28, the House passed the ROUTERS Act, which would direct the secretary of commerce to study the national security risks posed by routers and modems, presumably as a prelude to exercising the authority under Executive Order 13873 and the Commerce Department rule that was used to ban Kaspersky products. And on May 14, members of Congress wrote to the commerce secretary expressly urging him to use the authority under the executive order to prohibit future sales of TP-Link networking equipment in the United States.
What Does the Future Hold?
There are several important lessons for companies across a wide range of sectors. First, there is continuity between administrations on these points; the restrictions emerging in U.S. law are based on a broad consensus across both political parties. Unlike almost all other areas of policy, there is a clear continuity between the Trump 45, Biden, and Trump 47 administrations on these issues. Therefore, it is likely that restrictions, especially on engagement with Chinese-owned, -operated, or -affiliated companies, will continue to expand.
Second, Congress and the executive branch are likely to tag-team future developments, with the two branches sequentially pursuing initiatives that reinforce each other.
Third, the courts are unlikely to intervene. In each of the three focal cases discussed in this article—Kaspersky, Huawei, and TikTok—the courts refused to overturn restrictions or outright bans.
And fourth, the geopolitical risks of globalized technology products and services will be highlighted. New tools arriving on the market are better illuminating supply chains (for example, by using AI to develop a comprehensive catalog of all software and hardware in a company’s supply chain or by creating platforms that permit company executives to easily see all components in the supply chain, permitting them to make decisions and create decision tools such as risk registers). Meanwhile, the tariff wars will likely have the indirect side-effect of drawing greater attention to supply chain issues. As a result, there might be a greater number of actions against specific companies, products, or services as government agencies and companies become more aware of who and what is in the domestic ecosystem.
It’s nearly impossible to completely eliminate all touch points with countries of concern. Therefore, companies must develop policies, practices, and tools to illuminate these touch points, determine their inherent risk, and then mitigate them where practicable. The new Justice Department sensitive data rule is instructive. Some transactions are banned outright (data brokerage), but many are permitted subject to a set of repeatable, auditable risk mitigation requirements defined by the Cybersecurity and Infrastructure Security Agency.
In any event, it is clear that America has entered a new era of technology and data governance where geopolitical risks play a prominent role. Appreciating the history of recent court rulings and the context behind new federal rules will permit lawyers and their corporate clients to project how supply chain restrictions are likely to impact them in the coming months and evolve in coming years. Knowing this history can guide decision-making around governance structures, litigation strategies, and corporate policies.
– Daniel Sutherland and Jim Dempsey. Published courtesy of Lawfare.