Biden Redirects Agencies on Securing Information and Communications Technology

The Biden administration issued new instructions and deadlines Wednesday for the departments of Commerce and Homeland Security and the Director of National Intelligence in accordance with an executive order from the previous administration on transactions involving information and communications technology and foreign adversaries.

The order from former President Donald Trump, Executive Order 13873, bars U.S. entities from entering into relationships with those foreign adversaries under the authority of the International Emergency Economic Powers Act and other national security laws. Interim final rules implementing the order took effect March 22, and the Commerce Department announced in April that it has already issued a subpoena to an unnamed Chinese company under the order.

Commerce was responsible for crafting the rules under the order, following coordination with other agencies, and received scathing comments from the industry on its original proposal. Critics argued that the broad scope of applicable transactions and the department’s use of a case-by-case approach for assessing entities would make the rules practically impossible to comply with.

The interim final rule, issued Jan. 19, incorporates some feedback from commenters. For example, it now includes a list of countries (China, Iran, Russia and North Korea, but also Cuba and Venezuela) that the department considers foreign adversaries for the purposes of the order. But it also notes, in response to commenters, “By retaining broad authority across industries, the Department will be better able to mitigate identified risks.”

China was also the target of three other orders Trump made just before leaving office. Those aimed to kick TikTok, WeChat, and other companies out of the U.S. market, resulting in lawsuits against the government.

A new executive order the Biden administration issued Wednesday revokes Trump’s last-minute orders and any rules agencies put in place to implement them, but it maintains the state of emergency established under Executive Order 13873 and increases the focus on connected software applications.

“I have determined that additional consideration must be given in addressing the national emergency declared in Executive Order 13873 … including the threat posed by certain connected software applications designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary,” Biden wrote in a letter to congressional leaders.   

The new order defines connected software applications as “software, a software program, or a group of software programs, that is designed to be used on an end-point computing device and includes as an integral functionality, the ability to collect, process, or transmit data via the Internet.” And it directs the Commerce secretary to evaluate transactions involving such applications on a “continuous basis.”

“Based on the evaluation, the Secretary of Commerce shall take appropriate action in accordance with Executive Order 13873 and its implementing regulations,” reads the Biden order.

Commerce must also—again, in collaboration with the attorney general and other agency heads—report to the assistant to the president and national security adviser with recommendations to protect against harm from the unrestricted sale of, transfer of, or access to United States persons’ sensitive data within 120 days, and additional executive and legislative actions to address the risk associated with connected software applications that are “designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary” within 180 days.

The Office of the Director of National Intelligence and the Department of Homeland Security have 60 days to submit assessments of threats and vulnerabilities, respectively, to inform the reports from Commerce.

source: NextGov