Some companies unsatisfied with new cyber rules to protect the federal communications supply chain

There are proposed federal rules for protecting cybersecurity in the communications supply chain, and not everyone in the industry is happy with them. One group calls the proposed rule fundamentally flawed. For more, the Federal Drive with Tom Temin spoke with John Miller, senior vice president of policy at the technology trade association ITI.

Interview transcript:

Tom Temin: Mr Miller, good to have you on.

John Miller: Thanks very much. I’m glad that you mentioned the supply chain executive order and the subsequent rule-making. Just to kind of level set on what that is, this traces back to the May 15, 2019, executive order on securing the information and communications technology and services supply chain, and just this past November or December, the Commerce Department issued a notice of proposed rule-making on how to implement that executive order. I guess at the top line, one of the things that is most concerning about the rule-making itself is really the broad scope. Because, as written, it potentially captures all information and communications technology and services transactions between a US company and a company with a nexus to any foreign country.

Tom Temin: Yeah, tell us what specifically it would impose on your member companies.

John Miller: I think it’s fair to say that there’s a lot of ambiguity in exactly what it would impose on the companies because as written, it is, you know, as well as being extremely broad, it is somewhat vague as to how it would actually be implemented. And I’ll just give you an example. You know, our companies are all global companies doing business all over the world. And if we look at the executive order as kind of establishing a funnel, it is the broadest possible funnel, as the rule-making currently exists because it does literally capture every potential transaction that involves our companies. If there’s any nexus to a foreign country, it’s actually worth noting that this is even broader than the executive order itself, which, of course, requires there to be both, one, a designated foreign adversary being involved in the transaction, and number two, there being some type of identifiable national security risk or risk to critical infrastructure security.

Tom Temin: And so one of the questions is who are the specific foreign adversaries?

John Miller: The executive order itself tees up the potential for either countries or persons or entities to be designated as foreign adversaries and depending on how those designations are arrived at, it could clearly have different and varying implications for companies doing business in the global economy and with global supply chains. In our comments on the rule-making, we did suggest that the Commerce Department, number one, establish a set of criteria to define how foreign adversaries will be designated and to focus on entities or persons as opposed to entire countries, as that sort of approach is actually more consistent with the overarching tenor of the rule, which is to look at transactions on a fact-specific, risk-based, technology-neutral and country-agnostic approach. I will also say, one of the issues with the rule-making and this goes back to your initial question is that there isn’t any indication of which direction the Commerce Department will go in designating foreign adversaries. And if we think about again, if we think about this entire process as a funnel, one of the easiest ways to narrow that funnel would be to designate foreign adversaries on the front end, so companies would know which transactions they needed to be concerned about, and which they, frankly, didn’t.

Tom Temin: We’re speaking with John Miller, senior vice president of policy and senior counsel at the Information Technology Industry Council, the ITI. There’s a couple of questions that come up. First of all, in the case of transactions, isn’t there a technological criterion there also, because if you are doing business with, say China — just to bring them up, the big whale here in the room — and you’re buying a really high-end type of network switch for a client, that’s one thing. But if you’re buying 10,000 feet of copper cabling as part of the deal from China, that’s sort of a horse of a different color.

John Miller: I think it’s fair to say, and I mentioned the kind of fact-specific approach. If we’re taking a risk-based approach and that’s something that we at ITI support, you know it’s really important not only to look at risks that are related, for instance, to certain technology partners within companies or conducting transactions, but whether or not the technology products or services themselves rise to the level of something that might create that sort of national security risk that the executive order is trying to get at. So yeah, you’re right, you know all ICTS, if you will — information communications technology service — is not created equal in that regard. And it is very well the case that there are some transactions that no matter who the parties are, they just may not rise to the level of concern that the executive order is trying to address.

Tom Temin: And from a simple rule-making standpoint, reading your comments and there’s 16 pages of them, you are frequently referring to the vagueness of it or undefined terms. And it’s pretty hard to comment with facts if you don’t know what precisely they’re talking about. So it sounds like you’re objecting to the rule-making, I guess, methodology or approach itself before you can even respond to what it is they would like to do here with the rule.

John Miller: Well, thanks. I mean, well, in terms of the approach — and just to be clear, you know, we at ITI and the tech sector broadly take very seriously the national security risks that the government is trying to get at with both the executive order and the rule-making. You know, I think from our perspective we support those goals because and particularly as they relate to a supply chain in a global, secure global supply chain, because we consider that as absolutely essential to advancing national security. At the same time, US technological competitiveness and leadership is also a part of that equation. So when we look at a rule that from an approach standpoint, there is a lot to commend, I think, the Commerce Department on. I mentioned a few different times that the fact-specific, risk-based, technology-neutral approach. I think that that aligns well with basic risk management principles that companies have advocated for a long time. But the vagueness comes in, and you might even consider this, a lot of these concerns along the lines of due process concerns, the vagueness comes in because many of the terms are not defined. And as I said, the funnel is extremely wide as the rule has been written. So from a company standpoint, it is very difficult to even go about figuring out how to comply if you don’t know which transactions may or may not be subject to review. So I think that is where the questions arise, and that’s why we’re doing all we can to help narrow and focus the rule, you know, both through our comments and working with the Commerce Department and other U.S. government stakeholders.

Tom Temin: And a final question: This might be obvious, but you mentioned that your members tend to be global companies, and as these big telecom manufacturers, they are global, and I haven’t seen anything in the rule specifically — maybe I overlooked it — that says that they’re talking about transactions for installations and sales that happened in the United States. So it could be, what if one of the member companies say is headquartered here, but is doing a job for Switzerland somewhere, and would the rule apply to what you do overseas that had nothing to do with United States?

John Miller: I think that’s a fair question. It does — the rule itself, and the executive order, it does deal with any transactions that, you know, have, especially involving a US company and who’s doing business with a foreign company, those transactions, of course, you would think should have a nexus to the U.S. and to US jurisdiction. It’s candidly not entirely clear, even in that regard, where the lines begin and end with the executive order as it’s currently written. And that’s one of the reasons why we do think that scope needs to be focused, specifically on addressing those national security objectives that are underlying the rule. Because, as you suggest, if there’s a, you know, there’s a transaction that is occurring and that really is only dealing with property in a place like Switzerland, what is the tangible nexus to a national security risk in such a transaction? And it’s a good example of the type of thing that needs to be clarified, that we’re making progress.

Tom Temin: Any response yet from Commerce?

John Miller: The Commerce Department is doing the best job that they can with what was, to implement what was, you know, itself a very broad and broadly-scoped executive order. The Commerce Department traditionally has a very good working relationship with industry. In fact, that’s one of their main tasks is to protect and promote US commercial interests. And they have, you know, been open to working with us, and I expect that they will continue to be so as the next iteration of the rule-making progresses.

Tom Temin: John Miller is senior vice president of policy and senior counsel at the Information Technology Industry Council. Thanks so much for joining me.

John Miller: Thank you.

Tom Temin: We’ll post this interview along with a link to more information and the council’s comments at www.federalnewsnetwork.com/FederalDrive. Subscribe to the Federal Drive at Apple Podcasts or PodcastOne.

Copyright © 2020 Federal News Network. All rights reserved.