Voglio sapere a riguardo di…

khammond on DSKJM1Z7X2PROD with RULES

4910

Federal Register / Vol. 86, No. 11 / Tuesday, January 19, 2021 / Rules and Regulations
partially closing down critical networks or functions at key times. These types of attacks are known as denial of service attacks. Such attacks could cause widespread problems, such as if they occur during periods of crisis, or they could be used selectively by targeting individual corporations or important infrastructure elements or functions.
They could also be masked to make the source of the disruption difficult to attribute and, therefore, difficult to trace and stop.
These risks are not necessarily confined to infrastructure environments.
They could, for example, be present in the use of cloud services, as well as in the widespread use of some consumer devices, networked surveillance cameras, drones, or interconnection via the internet of computing devices embedded in everyday objects, enabling them to send and receive data. For example, applications apps, which may be downloaded from app stores or web browsers by a user to a mobile device, may automatically capture vast swaths of sensitive personal data from its users, including internet and other network activity information such as location data and browsing and search histories. This data exfiltration supported by U.S. web data hosting and storage serversthreatens to allow foreign adversaries to exploit Americans personal and proprietary information by allowing a foreign adversary to track the locations of Americans, build dossiers of sensitive personal data for blackmail, and conduct corporate espionage from inside the borders of the United States.
Multiple reported cybersecurity incidents in the United States and among major allies in 2020 illustrate the potential risk in permitting unrestricted access to U.S. ICTS supply chains, such as:
In July 2020, two Chinese hackers working with the Chinese Ministry of State Security were indicted by the U.S. Department of Justice for conducting a global computer intrusion campaign targeting U.S.
intellectual property and confidential business information, including COVID19 vaccine research;
German officials announced that a Russian hacking group associated with the Federal Security Bureau had compromised the networks of energy, water, and power companies in Germany by exploiting ICTS supply chains; and Japans Defense Ministry announced it was investigating a large-scale cyber attack against Mitsubishi Electric that could have compromised details of new state-of-the-art missile designs.

VerDate Sep<11>2014

16:33 Jan 17, 2021

Jkt 253001

See, e.g., Center for Strategic &
International Studies, Significant Cyber Incidents 2020, available at https www.csis.org/programs/
technology-policy-program/significantcyber-incidents.
Consequently, the President has determined that the unrestricted acquisition or use of ICTS that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.
Executive Order 13873 of May 15, 2019, Securing the Information and Communications Technology and Services Supply Chain 84 FR 22689
Executive Order, was issued pursuant to the Presidents authority under the Constitution and the laws of the United States, including the International Emergency Economic Powers Act 50
U.S.C. 1701 et seq. IEEPA, the National Emergencies Act 50 U.S.C.
1601 et seq., and section 301 of Title 3, United States Code. IEEPA and the Executive Order grant the Secretary of Commerce Secretary the authority to prohibit any acquisition, importation, transfer, installation, dealing in, or use of any ICTS an ICTS Transaction by any person, or with respect to any property, subject to United States jurisdiction, when such ICTS
Transaction involves any property in which a foreign country or national has any interest, and the Secretary, in consultation with other agency heads the Secretary of the Treasury, the Secretary of State, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the United States Trade Representative, the Director of National Intelligence, the Administrator of General Services, the Chairman of the Federal Communications Commission, and the heads of any other executive departments and agencies as the Secretary determines is appropriate determines that the ICTS Transaction:
1 Involves ICTS designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and 2 poses an undue or unacceptable risk. Executive Order, Section 1a. The Executive Order further provides the Secretary with the authority to prohibit such an ICTS
Transaction or design or negotiate measures to mitigate concerns about an ICTS Transactions impact on national security. Executive Order, Section 1b.

PO 00000

Frm 00034

Fmt 4700

Sfmt 4700

On November 27, 2019, the Department of Commerce Department published a proposed rule to implement the terms of the Executive Order. 84 FR
65316. The proposed rule set forth processes for 1 how the Secretary would evaluate and assess transactions involving ICTS to determine whether they pose an undue risk of sabotage to or subversion of the ICTS supply chain, or an unacceptable risk to the national security of the United States or the security and safety of U.S. persons; 2
how the Secretary would notify parties to transactions under review of the Secretarys decision regarding the ICTS
Transaction, including whether the Secretary would prohibit or mitigate the transaction; and 3 how parties to transactions reviewed by the Secretary could comment on the Secretarys preliminary decisions. The proposed rule also provided that the Secretary could act without complying with the proposed procedures where required by national security. Finally, the Secretary would establish penalties for violations of mitigation agreements, the regulations, or the Executive Order.
In addition to seeking general public comment, the Department requested comments from the public on five specific questions: 1 Whether the Secretary should consider categorical exclusions or whether there are classes of persons whose use of ICTS cannot violate the Executive Order; 2 whether there are categories of uses or of risks that are always capable of being reliably and adequately mitigated; 3 how the Secretary should monitor and enforce any mitigation agreements applied to a transaction; 4 how the terms, transaction, dealing in, and use of should be clarified in the rule; and 5 whether the Department should add record-keeping requirements for information related to transactions.
In response to requests for additional time in which to comment on the proposed rule, the Department extended the initial comment period from December 27, 2019, until January 10, 2020. 84 FR 70445. As reflected herein, the Department has carefully considered and addressed the publics comments in promulgating this rule.
Nonetheless, because several commenters requested that the Department provide for an additional round of public comment, and in an effort to continue the Departments work to protect the national security while reducing the regulatory impact on the public, the Department is taking further public comment on the rule. However, mindful of the urgent need of the United States to address national security concerns related to ICTS Transactions,
E:FRFM19JAR1.SGM

19JAR1