The 2020 President attempt to restrict TikTok with an executive order based on the 1977 International Emergency Economic Powers Act failed in court as the law was not built for today’s digital landscape of today. A new bipartisan Senate bill from Senators Thune and Warner attempts to modernize that law with Congressional oversight, define set of countries where it is applicable (China, Russia, Iran, Cuba, North Korea and Venezuela), and establish a risk-based process to deal with foreign-adversary technology using the Department of Commerce’s existing tools. The Senators explain that one-off Congressional efforts to protect Americans and national security by target individual companies like Russia’s Kasperky Lab or China’s Huawei and ZTE don’t scale in a world with systemic foreign threats in which adversarial state actors are integrated within techno-national enterprises. The bill would allow the Commerce Department to expand the list of countries but cannot be applied to individual users of technologies. Congress would retain the authority to override any potential decision.
Momentum at all levels of US government is building to tackle cybersecurity vulnerabilities. At the federal level, Congress has banned TikTok on federal government devices, and a bipartisan group of senators is pushing to ban the platform entirely. States are waking up, too. As China Tech Threat has documented in a February report, five states have laws or restrictions governing state contracts with Chinese entities such as Lexmark and Lenovo, with at least 11 additional states currently considering legislation. Many governors and state legislators have done so out of frustration that federal authorities have failed to close loopholes that allow the Pentagon and other federal agencies to buy products from untrustworthy Chinese companies.
Still, America is saturated with thousands of Information and Communications Technology (ICT) products and services produced by entities owned and affiliated with the Chinese government and other rogue nations. The techno-omnipresence can facilitate intrusion by Chinese government actors. Under China’s National Intelligence Law and practice, any Chinese company must share data with Beijing with no recourse to decline that request. As a result, any American health, financial, or personal data that touches a Chinese product is potentially bound to be exploited by the same government which has committed genocide against the Uyghurs, threatened Taiwan, and helped Russia in its unprovoked assault on Ukraine.
The Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act introduced by Sen. John Thune (R-South Dakota) and Mark Warner (D-Virginia) would be a great first step in closing the many gaps that exist at the federal level at keeping risky ICT out of the U.S. According to Thune’s office, the bill would “establish a risk-based process, tailored to the rapidly changing technology and threat environment, by directing the U.S. Department of Commerce to identify and mitigate foreign threats to information and communications technology products and services.” It would also “prioritize evaluation of information communications and technology products used in critical infrastructure.”
The RESTRICT Act – currently boasting twenty-five bipartisan sponsors – is farsighted in realizing that conducting assessments, hearings, and lawmaking for every single suspicious product and service (i.e. every piece of ICT equipment produced by China) is impossible. The bill rightly calls for a systematic, comprehensive, risk-based approach. Even if Congress can come to terms on TikTok, for example, the flood of adversarial technology from China and other adversaries will not stop. The U.S. government needs to have blanket authorities for addressing Chinese tech threats. A whack-a-mole approach targeting specific companies is almost totally useless, since Chinese companies are crafty at changing their names, business structures, and listings to dodge restrictions. The fact that the White House has applauded the legislation reflects a common sense, bipartisan need to do more to stop dangerous Chinese ICT from penetrating the U.S.
The RESTRICT Act is also smartly written broadly, so that it could encompass the whole range of business activities that ICT companies engage in. ChinaMobile and ChinaTelecom, for instance, are prohibited from operations telecommunications networks in the U.S. by the FCC, they can still offer cloud services. The RESTRICT Act prevents businesses in adversarial nations from finding ways around the bill and continue operating in the U.S.
Contrary what many critics claim, the United States is still an exceedingly permissive environment for Chinese tech threats. There is no lawful authority to block all Chinese tech, or even to block some Chinese companies arbitrarily. Indeed, any restriction requires herculean exercise of bureaucracy and even then, laws can be challenged, lessened, and overturned. For years the federal government has suffered from an incoherent patchwork of policies that have mostly tried and failed to prevent the intrusion of dangerous Chinese tech companies. The RESTRICT Act is the bill we should have had in place 10 years ago.
Roslyn Layton is a technology researcher and the Senior Vice President of Strand Consult.