Originally published by the Journal of Commerce in March 2019
On the trade with China front this week, the news is Huawei Technologies Co, of China sued the U.S. government regarding provisions in the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (“NDAA”). The timing of the lawsuit is drawing interest as is its very existence. in the face of the other legal actions involving the company and its executives. The basis for the lawsuit is Section 889 which bars the purchase of Huawei and ZTE technology. The relevant provision reads:
(a)(1) The head of an executive agency may not— (A) procure or obtain or extend or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system; or [emphasis added]
(B) enter into a contract (or extend or renew a contract) with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.
(f)(3) The term “covered telecommunications equipment or services” means any of the following: [emphasis added]
(A) Telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of such entities).
(B) For the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes, video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities).
And extends to any telecommunications or video surveillance services provided by these entities or using such equipment, along with similar equipment from an entity that the Secretary of Defense, the Director of the National Intelligence and/or the Director of the Federal Bureau of Investigation together reasonably believe to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country.
The outright prohibition in Section 889 takes effect one year from date of enactment with certain contract provisions taking effect in the second year. A waiver provision is included. The language of the law also calls out the following federal entities: Federal Communications Commission, Department of Agriculture, Department of Homeland Security, Small Business Administration, and Department of Commerce which are to “prioritize available funding and technical support” to assist organizations to obtain replacement equipment and services in a way that ensures communications continue.
As the general press has noted, Huawei filed suit in the Eastern District of Texas where its American company is headquartered. The basis of the lawsuit is claims that 889 violates the U.S. Constitution and bars Huawai and (as it calls it – one other entity) from doing business with the U.S. government, with no opportunity for Huawei to defend the claims made against it or what will be deemed its affiliates and subsidiaries. Of course, Huawai’s concern is that it is being blacklisted at time when decisions are being made about the next generation of telecommunications equipment, called 5G.
It is equally important to keep in mind there are two other provisions in the NDAA which are drawing attention – 1654 and 1655.
Section 1654 deals with “Identification of Countries of Concern Regarding Cybersecurity” and requires within 180 days of enactment the creation by the Secretary of Defense of a list of countries that pose a cybersecurity risk to the U.S. defense and national security systems and infrastructure. The list is to reflect the level of threat posed by each country and the following factors are to be considered:
(1) A foreign government’s activities that pose force protection or cybersecurity risk to the personnel, financial systems, critical infrastructure, or information systems of the United States or coalition forces.
(2) A foreign government’s willingness and record of providing financing, logistics, training or intelligence to other persons, countries or entities posing a force protection or cybersecurity risk to the personnel, financial systems, critical infrastructure, or information systems of the United States or coalition forces.
(3) A foreign government’s engagement in foreign intelligence activities against the United States for the purpose of undermining United States national security.
(4) A foreign government’s knowing participation in transnational organized crime or criminal activity.
(5) A foreign government’s cyber activities and operations to affect the supply chain of the United States Government.
(6) A foreign government’s use of cyber means to unlawfully or inappropriately obtain intellectual property from the United States Government or United States persons.
(b) Updates.—The Secretary shall continuously update and maintain the list under subsection (a) to preempt obsolescence.
(c) Report to Congress.—Not later than one year after the date of the enactment of this Act, the Secretary shall submit to the appropriate committees of Congress the list created pursuant to subsection (a) and any accompanying analysis that contributed to the creation of the list
Section 1655 addresses: “Mitigation of Risks to National Security Posed by Providers of Information Technology Products and Services Who Have Obligations to Foreign Governments.” It calls for the Department of Defense to not use any product, service, or system relating to information or operational technology, cybersecurity, an industrial control system, or weapons system unless the supplier discloses to the Secretary of Defense the following within the prior five years or at any time after enactment
(1) A foreign government has been permitted to review the code of a non-commercial product, system, or service developed for the Department, or whether there is any obligation to allow a foreign person or government to review the code as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government.
(2) The person allowed a foreign government (see Section 1654) to review the source code of a product, system, or service that the Department is using or intends to use, or is obligated to allow a foreign person or government to review the source code as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government.
(3) Without any time limit, whether or not the person holds or has sought a license pursuant to the Export Administration Regulations under subchapter C of chapter VII of title 15, Code of Federal Regulations, the International Traffic in Arms Regulations under subchapter M of chapter I of title 22, Code of Federal Regulations, or successor regulations, for information technology products, components, software, or services that contain code custom-developed for the non-commercial product, system, or service the Department is using or intends to use.
The law also includes provisions for the establishment of a registry containing the information disclosed pursuant to 1655(a) and a means to make that information available to agencies conducting procurement. A report on at least a yearly basis is also mandated, along with a disclosure process and the use of the information disclosed for national security actions, as warranted.
The actions by Huawei are seen as an attempt to change the dynamics of the case pending against it and its CFO Wanzhuo Meng. She, of course, continues to face extradition proceedings in Canada arising out of the criminal indictment of Huawei for conducting business through American banking channels by way of processes seeking to mask its sales to Iran in violation of U.S. economic sanctions law.