Heading 1

You can edit text on your website by double clicking on a text box on your website. Alternatively, when you select a text box a settings menu will appear. Selecting 'Edit Text' from this menu will also allow you to edit the text within this text box. Remember to keep your wording friendly, approachable and easy to understand as if you were talking to your customer

TAG Cyber Law Journal

September 2019
Congress crafts a process designed to deal with alleged dangers of foreign-made products. 
By Lee Sutherland
OVER THE LAST FEW YEARS, there has been growing discussion of the potential threat posed by foreign-made products to the security of the United States. Most recently, Huawei Technologies Company and ZTE Corporation, major Chinese technology companies that provide everything from smartphones to equipment for 5G infrastructure, have come under scrutiny. Both are subject to Chinese laws that their critics say require them to assist the Chinese government. And the fear is that after their products are embedded in U.S. networks and infrastructure, someday the Chinese government may demand that they provide it with backdoor access.
     The companies have defended themselves, most notably through the public comments of Huawei’s founder and CEO, Ren Zhengfei, who has pledged to operate independently, free from his country’s government. But both companies have found their ability to do business in the United States severely hampered by the actions of Congress and the Trump administration. This year’s National Defense Authorization Act (NDAA) blocked executive agency heads from procuring “any equipment, system, or service that uses covered telecommunications equipment,” which included equipment from Huawei and ZTE. (The Trump administration has since temporarily delayed the ban, and at this writing, its future is uncertain.)
     Huawei also took another step to defend its practices. In response to the NDAA, it sued the U.S. government, claiming that the NDAA unconstitutionally singled out the company.
     This wasn’t the first time that the U.S. cracked down on foreign companies out of fear that they were under the thumb of their governments. In 2017 the secretary of the Department of Homeland Security (DHS), in response to concerns about the Russian government’s influence over cybersecurity company Kaspersky Lab, and the potential repercussions if the company had access to U.S. government computer systems, issued a Binding Operational Directive laying out a plan of action for the removal of Kaspersky’s anti-virus products from all federal executive branch departments and agencies. The 2018 NDAA followed, and it banned the use of all Kaspersky Lab products across the executive branch, including by the Department of Defense (DoD). Kaspersky Labs had also defended itself and sued the government, but the government’s actions to protect its networks were upheld by the D.C. Circuit Court of Appeals.
     It was in this context that in 2018 Congress passed H.R. 7327, called the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure (SECURE) Technology Act, which required the DHS to establish a security vulnerability disclosure policy. One of the most important features of the new law was that Title II created the Federal Acquisition Security Council.

How the Council Works
The council is designed to provide an interagency process through which the government can address potential security threats posed by foreign-made products. The council will include representatives from seven executive branch agencies: DHS, DoD, the Office of Management and Budget (OMB), the General Services Administration (GSA), the Office of the Director of National Intelligence (ODNI), the Department of Justice (DOJ) and the Department of Commerce (DOC). The agency heads will designate a lead representative from their agencies to the council who has “expertise in supply chain risk management, acquisitions, or information and communications technology.” The OMB director will designate a senior-level OMB official to serve as the council chairperson.
     Among its functions, the council will recommend supply chain risk management standards, guidelines and practices for executive branch agencies, and will establish criteria for sharing information on supply chain risks between executive agencies and other entities.
     Most significantly, it has the authority to issue recommendations to executive agencies on the exclusion of certain products from procurement action or removal of the products from information systems. The recommendations will include the risk assessment supporting the recommendation, information regarding the scope of the recommended exclusion or removal, and a description of the actions necessary to implement the exclusion or removal. These recommendations will be reviewed by the secretaries of DHS and DoD and the director of National Intelligence, who may issue exclusion or removal orders to civilian, defense and intelligence community systems.
     In addition, the statute requires that the council provide the source of the product to be excluded or removed with notice that the recommendation has been made, and supply them with information on any mitigation steps that they can take. The statute further provides that the company has 30 days after receipt of the notice to “submit information and argument in opposition to the recommendation.” After an exclusion or removal order has been issued, the company has 60 days to file a petition for judicial review in the D.C. Circuit.

Why the Council Is Important
The establishment of the council has long-term implications for how the government addresses the national security threat from supply chain products and, therefore, how the private sector addresses these issues as well. 
     First, its procedures allow for precision in securing government networks. As noted, it can forward recommendations to DHS, DoD and ODNI, which have the discretion to decide whether to issue exclusion and removal orders. This process avoids overly broad government-wide bans of foreign products and allows for targeted exclusion and removal from the networks most at risk from these products. Requiring the council to provide affected companies notification of recommendations, along with potential mitigation steps they may take to address the alleged security issues, allows for greater transparency and interaction between the government and the private sector on supply chain threats, and provides avenues to address national security concerns short of formal removal and exclusion orders. 
     Second, this new process more effectively insulates the securing of information networks from political interference. In Huawei’s suit against the U.S. government, the company cites statements made by U.S. senators to support its argument that Congress is singling out the company in an attempt to punish it. The new process is supposed to prevent this possibility by creating a rigorous, disciplined forum for assessing security risks posed by a particular company. If the council is successful, Congress will no longer have to pass legislation singling out specific companies; instead, federal agencies will have a way to adjudicate security concerns on a case-by-case basis.
     Additionally, there have been fears that the security issues with Huawei’s products could be bargained away in a trade deal with China. A nearly identical situation took place when President Trump, after negotiations with the Chinese government, instructed his Commerce Department last year to lift its ban of ZTE and accept a $1 billion fine. Trump has even said that he “may or may not” and ZTE include Huawei and ZTE in a trade deal with China. This commingling of politics, intelligence and security is an unhealthy process. While the creation of this new council will not eliminate political interference, it can substantially decrease it. 
     Some critics have raised concerns about the act’s use of undefined and broad terms in spelling out the council’s authority, and have pointed out that the 30-day notice of the recommended exclusion or removal order is a short time for a company to respond. There have also been questions about how much of the process surrounding the recommendations will be made public.
     But in general, the council seems to have met with a warm reception. Even Huawei has applauded its creation. In a legal brief filed in a Federal Communications Commission proceeding, Huawei stated that the council “reflects a singular and refreshing change of method by Congress.” 

Lee Sutherland is a second-year law student at The George Washington University Law School. Before starting law school, he worked as an analyst in the Cyber Mission Center of the Department of Homeland Security’s Office of Intelligence and Analysis.