Commerce ICTS Rule Is Too Broad, Must Be Narrowed, Commenters Say
Industry voices were united in telling the Commerce Department that its Information and Communications Technology and Services rule (see 2102190033) is so broad that it is practically unworkable and that it must narrow the scope of the rule. Many trade groups also said the rule should be put on hold until the pre-clearance or licensing process is established. In 18 comments, from trade groups, broader business groups and others, industry told the government that if there isn't either a carve-out or segmentation in how different imports are treated, compliance will be expensive, or even catastrophic, if pre-clearance reviews can't be done quickly.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
The Information Technology Industry Council wrote that "given the underlying breadth of the Executive Order and associated rule on which the license process seeks to build, there is a resultant lack of clarity regarding which entities, products, services and transactions are in fact in scope for potential review by Commerce, making it challenging to provide meaningful responses to the questions" about how to design a licensing system.
Multiple industry groups said a 120-day time frame, proposed by Commerce, is too long, and that most licenses should be approved within 30 days to not snarl supply chains. "There should be a presumption of approval and a safe harbor for the transaction if Commerce does not affirmatively issue an additional request for information within 30 calendar days," ITI said.
The group also said Commerce should be allowed to publish the names of vendors that have been approved or denied a license, but the U.S. buyer that sought the license should not be revealed. "Commerce should also consider establishing a 'trusted importer' program .... Commerce should consider participation in the [Customs-Trade Partnership Against Terrorism] program and the company’s compliance record for the purposes of participation in the 'trusted importer' program. Trusted Importers should receive blanket authorizations for relevant import transactions for at least 3 years." On the question of renewing licenses, ITI said, there's no need for a time limit at all.
IBM wrote, "This rule remains massively broad in scope, was adopted after disregarding input from industry, and is entirely unclear in defining what information and communications technology and services constitute an unacceptable national security risk.
"Moreover, given the enormous number of transactions that would be covered by the rule, it simply will not be administrable. The Department itself acknowledges in its Regulatory Impact Analysis & Final Regulatory Flexibility Analysis that the rule will cost U.S. industry billions of dollars to implement...."
"The BIS licensing regime, while not perfect, at least provides more certainty as it identifies (i) a targeted group of products that could pose a national security risk, and (ii) through its Entity List, specific entities that pose a national security concern. The current ICTS rule is so broad, that virtually any ICTS transaction involving a named foreign adversary -- to include not only the country, but also a company subject to that country’s jurisdiction and/or a national of that country -- could be subject to the rule."
The Competitive Carriers Association said that the breadth of the covered ICTS transactions is so sweeping that Commerce cannot review them all for national security risk, and it needs to do additional work to differentiate between routine, low-risk transactions and those that present risks.
The association said Commerce should create a safe list of approved vendors, though those that were not approved could also sell, knowing that Commerce could review their transactions. The association also said any pre-clearance system should not cover extraterritorial sales. ITI and other commenters said pre-clearance has to be voluntary. "A mandatory or compulsory process will grind commerce to a halt resulting in severe disruption to the economy," ITI said.
The Telecommunications Industry Association "supports the creation of a Trusted Vendor list that would remove ICT transactions from the IFR’s jurisdiction altogether," the group wrote. "This list or certification could take the form of a simplified application and approval process for lower-risk companies, as well as established trusted ICT companies that have been building secure networks in the U.S. for decades. This list would not need to be permanent and could require Trusted Vendors to re-apply to retain this status."
The National Association of Manufacturers said Commerce should start with an assumption it will approve ICTS licenses. "General licenses can be used to permit what Commerce determines to be low-risk transactions, such as those with allied nations, intra company transfers, low risk products such as handsets and parts or components, such as casings, that are not able to be corrupted and therefore do not present a national security risk," the group wrote.
CTIA said the review period should be 60 days long, and there should be an appeal process with fixed timelines. Renewals should be allowed where nothing material has changed, the cell phone trade group said.
The U.S. Chamber of Commerce questioned the premise of Commerce's question about whether it should issue decisions more quickly, and thus, have more denials, or "would the inconvenience of a longer timeframe for review be outweighed by the potential for a greater number of licenses or pre-clearances being issued?"
"Based on the Department’s expected staffing for the Rule, the Chamber contends this question offers a false choice -- the Department will have neither the resources nor expertise to deliver decisions on a shorter timeframe for fewer transactions because the question assumes all transactions are the same," the Chamber wrote. "The Chamber contends that some transactions will be more complex than others and will therefore require more time to review than other -- potentially more straightforward -- transactions. The Department should consider a review of its human and financial resources to ensure that the Department will be in a position to discharge its responsibilities under the Rule -- or narrowing the scope of reviewable transactions to achieve a similar goal."
The law firm Crowe and Dunlevy commented on behalf of an unnamed electronics manufacturer and distributor for data storage equipment, asking that Commerce should publish red flags so businesses can self-evaluate risk to see if they even need pre-clearance. "Commenter stresses the need for a simple voluntary notification process for low risk ICTS Transactions, which should include a one-page notice/application form that discloses information sufficient to meet the national security goals of the ICTS rule." The company said cables and nonlogic components, what it called passive technologies, either shouldn't be in the scope of review, or should have less rigorous licensing.
IBM said that intra company transactions "and other transactions involving ICTS products that meet certain objective security benchmarks, such as globally accepted cybersecurity standards," should be given safe harbor and carved out from review.