The latest legislative atrocity to emerge from Washington comes from Senators Mark Warner (D-VA) and John Thune (R-SD), who have rounded up 10 other senators on both sides of the aisle to introduce a law called Restricting the Emergence of Security Threats that Risk Information and Communications Technology – the RESTRICT Act. The only good thing about this law is that for once, the cute acronym attached to the bill is an honest one. This law is all about restricting – if not choking off entirely – trade in information and communications technology.
Assumptions of the Law
The bill is based on a set of unwarranted assumptions that need to be exposed. First, it assumes that no one knows how to do cybersecurity, so technology can only be secured by keeping it out of the market entirely. Second, it assumes that all information and communication technologies are capable of bringing down the nation; there is no need to distinguish among them. Third, it assumes that owners of an ICT product or service headquartered in a country deemed an adversary pose a serious national security risk simply by virtue of their nationality; there is no need to consider behavior. Finally, it assumes that the bureaucrats in Commerce and the DNI are capable of accurately identifying these threats before they happen, a kind of precautionary principle for ICT.
Based on these questionable assumptions, the Secretary of Commerce is given sweeping powers to review any transaction, made at any time, in any segment of ICT if it involves Chinese owners. Targeted firms need not have done anything illegal or harmful. Instead, they are subject to a subjective and largely unreviewable ex ante determination that their presence in the market poses an “undue or unacceptable risk” to national security or to the safety and security of U.S. persons. Let me emphasize that: designation does not require proof of any specific harmful actions; it is entirely prospective and conjectural; it pertains to what someone thinks could happen or might happen. And the Commerce Secretary is not charged with making any determination about the value or benefit that the service might provide to American users.
No transparency, no due process, no accountability
Designations of undue risk are made in secret. The Secretary is not required to publish an explanation for the designation. The Administrative Procedure Act is waived – there is no due process. The Freedom of Information Act is waived – there is no transparency. The actions and findings of the President and the Secretary under the Act are not subject to administrative review or judicial review in any Federal court. An aggrieved party may apply for review by filing a petition in the United States Court of Appeals for the District of Columbia Circuit. But the law enjoins the court from reversing any action taken by the Secretary or the President unless the petitioner “demonstrates that the action is unconstitutional or in patent violation of a clear and mandatory statutory command.” So there is no appeal regarding their designation as a risk, only appeals of actions that could be deemed unconstitutional or illegal.
One can only wonder – if the threats posed by ICT imports are so dire, why does the Government need to shield the reasoning and evidence behind its decisions from any scrutiny? What is the justification for that? Wouldn’t the cause of national security be advanced by spreading knowledge of potential risks and being transparent about the reasoning behind them? This is one of the problems inherent in stretching “national security” claims so deeply into civilian territory. Normal legal protections and basic forms of accountability are discarded so we can pretend we are in a constant state of life-threatening emergency.
The law applies to what it calls an “ICTS Covered Holding Entity,” which it defines as “Any entity that owns, controls, or manages information and communications technology products or services; has 1 million or more active users or has sold 1 million or more products; and is subject to the jurisdiction of, or organized under the laws of, a foreign adversary.” It is clear that the law was meant to enable a TikTok ban, but it generalizes the conditions that would justify a ban to all ICT. And the fact that the same people who want to ban TikTok are writing this law provides a good clue as to what kind of products and services will be deemed a national security risk, even when the case is utterly flimsy, as it is in the case of TikTok. Anything Chinese will do.
In effect, the law would penalize or eject private businesses because of risks posed by their government, under the assumption that they are passive tools of the government.
How Risks are Defined
What does the bill mean by “undue or unacceptable risk”? It enumerates four criteria. The technology could be used for:
- Sabotage or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology products and services in the United States;
- Catastrophic effects on the security or resilience of the critical infrastructure or digital economy of the United States;
- Interfering in, or altering the result or reported result of a Federal election, as determined in coordination with the Attorney General, the Director of National Intelligence, the Secretary of Treasury, and the Federal Election Commission; or
- Coercive or criminal activities … that are designed to undermine democratic processes and institutions or steer policy and regulatory decisions in favor of the strategic objectives of a foreign adversary
That actually seems like a pretty good set of benchmarks for defining national security threats. There are two major problems, however. First, there is an additional criterion:
- “Otherwise poses an undue or unacceptable risk to the national security of the United States or the safety of United States persons.”
That last criterion is a tautological blank check. It means, literally, that any ICT product or service can be deemed an undue or unacceptable risk because…it poses an undue or unacceptable risk. Given the lack of any review, transparency or due process, Commerce can do whatever they like. The second problem is that the risk assessment is entirely conjectural. It refers only to what is possible, not to what has happened or is likely to happen. That is, there need be no demonstration or evidence that the product is being used for sabotage, subversion, etc., only that it might be. And that can be true of virtually any ICT.
This is not how you do cybersecurity
In their PR materials touting the bill, the Senators mention Huawei, TikTok, and Kaspersky as symptoms of the cybersecurity problems they are trying to solve. But as a matter of fact, no sabotage, no espionage, no compromise of critical infrastructure, no undermining of democratic processes has ever been attributed to any of those entities. By the same token, dozens of acts of sabotage, espionage, and influence operations have been done by adversarial agents using networks, devices, and software that were domestically owned. There is simply no reliable correlation between serious cybersecurity incidents and foreign-owned entities participating in U.S. markets.
Why are we running the CCP playbook?
Whether it is Donald Trump’s 2020 attempt to ban foreign apps or the new RESTRICT Act, U.S. responses to China are imitating the methods and goals of the Chinese Communist Party. This is self-defeating. American pre-eminence in ICT markets is based on a globalized division of labor, free flows of capital, and competitive, open markets. Instead of playing to those strengths, we are imitating the Chinese Great Firewall (Trump’s app bans), imitating Chinese data localization measures (Project Texas) and now, imitating China’s Cybersecurity Act. We are also imitating Chinese rule of law: the RESTRICT Act gives sweeping arbitrary powers to the U.S. Secretary of Commerce and the President to decide whether any foreign entity poses a risk, and then systematically insulates those powers from accountability, due process, transparency and judicial review. It’s as if the legislators are trying to recreate the Cyberspace Administration of China on Connecticut Avenue.