Biden’s Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries
Published on June 9, 2021, President Biden’s Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries is the latest Executive Order seeking to strengthen national security by improving public and private sector capabilities and practices relating to cybersecurity and supply chain risks. As explained in a previous article, the first such Executive Order addressed five main areas. The latest Executive Order focuses primarily on protecting against risks “associated with connected software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.” However, unlike prior Executive Orders on the topic, it expands the scope of threat actors to be addressed in future to include those “persons who engage in serious human rights abuse,” noting, “If persons who own, control, or manage connected software applications engage in serious human rights abuse or otherwise facilitate such abuse, the United States may impose consequences on those persons in action separate from this order.”
Initially, the Order directs the Secretary of Commerce to consult with, inter alia, the Secretaries of State, Defense, Health and Human Services, and Homeland Security, as well as the Attorney General and Director of National Intelligence. Such consultation will inform the Secretary of Commerce’s provision of a report, by October 7, 2021, with recommendations to address threats from the “unrestricted sale of, transfer of, or access to United States persons’ sensitive data . . . by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.” To this end, the Director of National Intelligence must furnish threat assessments and the Secretary of Homeland Security must furnish vulnerability assessments.
As used in this Executive Order, “foreign adversary” refers to a foreign government or non-government individual or entity “engaged in a long-term pattern or serious instances of conduct significantly adverse” to US national security or public safety. It is not clear from the terms of the Order who will determine, or how it will be determined, that an entity constitutes a foreign adversary.
Crucially, the Secretary of Commerce, in consultation with other agency heads, must provide a report by December 6, 2021 recommending additional measures to address the risks associated with “connected software applications that are designed, developed, manufactured or supplied by persons owned or controlled by, or subject to the jurisdiction of, a foreign adversary.”
As relevant here, “connected software application” broadly describes any software or software programs that are “designed to be used on an end-point computing device and includes [the ability to collect, process, or transmit data via the Internet] as an integral functionality.”
The Secretary of Commerce is also charged with continuing to monitor and evaluate connected software application transactions that may pose undue risks to (1) information and communications technology or services in the US, meaning “hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including transmission, storage, and display,” (2) critical infrastructure or the digital economy in the US, or (3) national security or public safety.
The Executive Order revokes three orders issued during the Trump Administration addressing threats posed by TikTok, WeChat, and applications and other software developed or controlled by Chinese companies. In particular, it repeals (1) Executive Order 13942, Addressing the Threat Posed by TikTok, and Taking Additional Steps To Address the National Emergency With Respect to the Information and Communications Technology and Services Supply Chain; (2) Executive Order 13943, Addressing the Threat Posed by WeChat, and Taking Additional Steps To Address the National Emergency With Respect to the Information and Communications Technology and Services Supply Chain; and (3) Executive Order 13971, Addressing the Threat Posed by Applications and Other Software Developed or Controlled by Chinese Companies.
Likely Impacts of Executive Order
The Executive Order raises a number of potential challenges for the government and contractor community. In particular, the Order’s coverage, while broad, lacks adequate definition regarding its scope — what will fall within the scope of a “connected software application” and which persons or entities will be covered.
The Order’s description appears broad enough to cover the Internet of Things (IoT), yet it does not provide examples of the kinds of connections, software, and applications that will be the subject of the Order’s prohibitions. Indeed, the Executive Order raises many questions by its revocation of the Trump Administration’s executive orders addressing problems identified with applications such as TikTok and WeChat, which were determined to pose security risks because of their collection and use of data. Coming in the wake of the President’s June 3, 2021 Executive Order expanding the ban on Communist Chinese Military-Industrial Complex Companies (CCMCs) due to these security threats, the Executive Order indicates that more time is needed to understand precisely what the President is targeting as harmful.
For example, TikTok, a Chinese social media platform, was the subject of a class action lawsuit alleging that it is “taking children’s personal information, including phone numbers, videos, exact location and biometric data, without sufficient warning, transparency or the necessary consent required by law, and without children or parents knowing what is being done with that information.” It has been reported that the company is seeking to settle this litigation. In 2019 the FTC also issued a record fine of $5.7 million against TikTok for its mishandling of children’s data. WeChat also has been the subject of lawsuits for improper censoring and surveillance. Although serious concerns have been raised about these two companies and there is pending litigation against and on behalf of WeChat, in February 2021 the Biden Administration Justice Department requested suspension of both actions while it assessed its policy to determine whether “the regulatory purpose of protecting the security of Americans and their data continues to warrant the identified prohibitions.” Given the concerns stated in the Executive Order about applications that are being used to improperly collect and share data, the lifting of the prior executive orders against TikTok and WeChat and the suspension of litigation at the request of the Justice Department muddies the water regarding which entities or applications are being targeted by the Order.
The Executive Order defines its scope as one that will go after “foreign adversaries.” This is defined as a “foreign government or foreign non-government person engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons.” This again is a broad statement that will require clearer definition.
In the short term, the Order tasks the Director of the Office of Management and Budget and the heads of Executive departments and agencies with taking steps to rescind the orders, rules, and regulations imposed on those affected by the rescinded Executive Orders. At the same time, the Order tasks the Secretary of Commerce, in conjunction with the Secretaries of Defense and Homeland Security, the Attorney General, and others, with preparing a report in the next 120 days with recommendations to protect against the harm of unrestricted sale, transfer, or access to Personally Identifiable Information (PII) and Personal Health Information (PHI), as well as large repositories of data, “by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.”
In the interim, contractors, grantees, and others would be wise to assess the software and connected software applications that they use and access in performance of their federal projects to determine their origin and provisions for the protection of data from improper use, transfer or storage. Stay tuned for the reports required by the Executive Order and for further actions to protect the security of information and systems.