On June 9, 2021, President Joseph Biden issued an Executive Order (E.O.) to further address the threat posed to the U.S. information and communications technology and services (ICTS) supply chain declared in Executive Order 13873 (the “Telecom Supply Chain E.O.”; see Update of May 16, 2019). The June 9, 2021 E.O. also revoked and replaced three E.O.s that aimed to prohibit transactions with TikTok, WeChat and eight other communications and financial technology software applications (see Update of August 7, 2020). According to a brief statement from the White House, the new E.O. “directs the use of a criteria-based decision framework and rigorous, evidence-based analysis to address the risks posed by ICTS transactions involving software applications that are designed, developed, manufactured, or supplied by persons that are owned or controlled by, or subject to the jurisdiction of a foreign adversary, including the People’s Republic of China, that may present an undue or unacceptable risk to the national security of the United States and the American people.”
The new E.O. seeks to continue to protect sensitive personal data and directs the Department of Commerce (Commerce) to evaluate foreign adversary-connected software applications and to take action as necessary. The E.O. continues to apply the criteria established in E.O. 13873 but notes other potential indicators of risk:
- ownership, control, or management by persons that support a foreign adversary’s military, intelligence, or proliferation activities;
- use of the connected software application to conduct surveillance that enables espionage, including through a foreign adversary’s access to sensitive or confidential government or business information, or sensitive personal data;
- ownership, control, or management of connected software applications by persons subject to coercion or cooption by a foreign adversary;
- ownership, control, or management of connected software applications by persons involved in malicious cyber activities;
- a lack of thorough and reliable third-party auditing of connected software applications;
- the scope and sensitivity of the data collected;
- the number and sensitivity of the users of the connected software application; and
- the extent to which identified risks have been or can be addressed by independently verifiable measures.
Commerce is also directed to consult with other federal government departments and agencies in preparing a report with recommendations “to protect against harm from the unrestricted sale of, transfer of, or access to United States persons’ sensitive data, including personally identifiable information, personal health information, and genetic information, and harm from access to large data repositories by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.” This report is due in 120 days (i.e., October 7, 2021). Commerce has further been directed to make any additional recommendations for executive and legislative branch actions to address ICTS risks involving foreign adversaries no later than December 6, 2021.