Federal Register - January 19, 2021
Source: Federal Register
4920 Federal Register / Vol. 86, No. 11 / Tuesday, January 19, 2021 / Rules and Regulations
if not most, of U.S. industry. Moreover, ICTS accounts for a large part of the U.S. economy. Accordingly, if vulnerabilities in the ICTS supply chain (composed of hardware, software, and managed services from third-party vendors, suppliers, service providers, and contractors) are exploited, the consequences can affect all users of that technology or service, potentially causing serious harm to critical infrastructure and U.S. Government operations, and disrupting the United States and the global economy. These harms are already occurring. As noted in Executive Order 13873, foreign adversaries are increasingly creating and exploiting vulnerabilities in information and communications technology and services, which store and communicate vast amounts of sensitive information, facilitate the digital economy, and support critical infrastructure and vital emergency services.
U.S. entities purchasing and incorporating ICTS equipment and using ICTS services, such as network management or data storage, provided by foreign adversaries can create multiple opportunities for foreign adversaries to exploit potential vulnerabilities in the ICTS. That, in turn, could cause direct and indirect harm to both the immediate targets of the adverse action and to the United States as a whole. Incorporation of a foreign adversary's software, equipment, and products into domestic ICTS networks, as well as the use of foreign cloud, network management, or other services, greatly increases the risk that potential vulnerabilities may be introduced, or that they may be present without being detected. These potential vulnerabilities are often categorized under the general concepts of threats to privacy, data integrity, and denial of service.
Some foreign actors are known to exploit the sale or lease of software and hardware to introduce vulnerabilities that can allow them to steal critical intellectual property, research results (e.g., health data), or government or financial information from users of the software or hardware. Such vulnerabilities can be introduced at the network, cloud service, or individual product data level, can allow traffic monitoring or surveillance, and may be resistant to detection by private purchasers or telecommunications carriers. Once detected, the existence of such vulnerabilities may be extremely costly or impossible to remediate.
Vulnerabilities to data integrity can be created by including an adversary's hardware and software into U.S. networks and systems. This incorporated hardware and software could then pose opportunities to add or remove important information, modify files or data streams, slow down, or otherwise modify the normal transmission or availability of data across U.S. networks. Such capabilities could be exercised in areas as diverse as financial market communications, satellite communications or control, or other sensitive consumer information.
Privileged access to market movement and trends, or other manipulation, could disrupt and harm the operation of major exchanges.
A foreign adversary could also effectively deny access to critical services by exploiting vulnerabilities provided by the incorporation of hardware and software into U.S. environments, fully or partially shutting down critical networks or functions at key times. These types of attacks are known as denial of service attacks. Such attacks could cause widespread problems, such as if they occur during periods of crisis, or they could be used selectively by targeting individual corporations, infrastructure elements, or other important infrastructure functions. They could also be masked to make the source of the disruption difficult to attribute, and therefore be difficult to trace and terminate.
Such risks can be substantially increased by incorporating the software and equipment from unreliable adversaries into the U.S. telecommunications infrastructure. However, these risks are not necessarily confined to infrastructure environments. They could, for example, be present in the use of cloud services, as well as in the widespread use of some consumer devices, networked surveillance cameras, drones, or interconnection via the internet of computing devices embedded in everyday objects, enabling them to send and receive data.
The number of attacks by foreign adversaries on the ICTS supply chain is known to be increasing. The associated costs are borne by the U.S. Government as well as private industry.
Given the ubiquity of ICTS in the modern economy and especially in critical infrastructure, the benefits of preventing significant disruptions or harms to the ICTS supply chain that could cause incalculable costs to U.S. firms, consumers, and the U.S. Government would be very high.
This rule provides a process through which serious disruptions to the United States telecommunications infrastructure can be avoided or ameliorated. The rule provides the means of bringing to bear the information and analytical resources of the U.S. government to address ICTS supply chain issues before they arise, and which may be beyond the means of individual telecommunications carriers or other U.S. ICTS purchasers or users to address on their own. As noted above, the costs associated with the potential attacks, loss of service, or disruption to the ICTS supply chain are not known at this time, and are in actuality unknowable due to the generally clandestine nature of the attacks and the fact that they may or may not occur. However, by deterring, preventing, or mitigating these attacks, this rule will provide the United States with substantial, though unknowable, economic benefits as well as benefits to the national security of the United States.
C. Regulatory Flexibility Analysis

The Department has examined the economic implications of this final rule on small entities as required by the Regulatory Flexibility Act (RFA). The RFA requires an agency to describe the impact of a rule on small entities by providing a regulatory flexibility analysis. The Department published an initial regulatory flexibility analysis in the proposed rule issued on November 27, 2019 (84 FR 65316) and has posted a final regulatory flexibility analysis (FRFA) as part of the RIA (see ADDRESSES). This final rule is likely to have a significant economic impact on a substantial number of small entities. A summary of the FRFA follows.
A Statement of the Significant Issues Raised by Public Comments or by the Chief Counsel for Advocacy of the Small Business Administration in Response to the IRFA, a Statement of the Assessment of the Agency of Such Issues, and a Statement of Any Changes Made in the Proposed Rule as a Result of Such Comments

Many commenters discussed the possibility that this rule could present significant economic costs. For example, one commenter stated that "Commerce's proposed rules would result in an extremely broad and unprecedented increase in regulatory jurisdiction over private ICT transactions. The notice of proposed rulemaking thus marks a watershed regulatory moment for companies in or adjacent to the ICT market (which is to say, virtually every company in the United States), given the government's newfound stance that it can determine key terms of what ICT companies can buy, sell, or use. As a result, this proceeding and the rules that result from it inescapably will impose additional costs on ICT companies, such as the increased practical need, even