Another Misstep in U.S.-China Tech Security Policy

Justin Sherman
Tuesday, February 3, 2026, 2:00 PM

The Trump administration gutted another office tackling Chinese tech threats—national security missteps that will be difficult to untangle.

U.S. and Chinese flags. (https://tinyurl.com/4srm4dpt; Public Domain).

On Jan. 23, the Wall Street Journal reported that the Trump administration has pushed out two key officials at the Commerce Department’s Bureau of Industry and Security (BIS)—specifically, in its Office of Information and Communications Technology and Services (ICTS). The Journal rightfully called the departures “the latest dismissals of key personnel working on national security issues tied to Beijing.”

Certainly, the office in question may be less known outside of technology and national security circles. But the impact of its work to date—and the potential impact of its work in the future, if the office were to be appropriately staffed, resourced, and operated—is significant. Its sidelining is also the latest in a series of regulatory- and staffing-focused changes since January 2025 that have either shut down or effectively undermined the U.S. government’s ability to bolster national security protections for the technology supply chain.

This piece outlines the history of the ICTS office, its authorities, and its key actions to date. It then argues that the recent personnel moves must be contextualized within broader U.S. shifts in the past year. These include rollbacks of key cybersecurity regulations, staffing cuts at other technology- and national security-focused agencies, and the U.S. government’s expressed willingness to let certain national security and regulatory authorities sit on a shelf. In total, these decisions represent the collective weakening of a regulatory apparatus configured to address critical national security risks to the U.S. technology ecosystem—with effects that, in many cases, will be difficult to quickly unravel or sufficiently mitigate.

A Brief History of Commerce’s ICTS Office

In May 2019, President Trump signed Executive Order 13873, which focused on foreign countries exploiting the technology supply chain to harm the United States. Just that month, Russian President Vladimir Putin signed the so-called sovereign internet law, designed (at least in theory) to give Russia the ability to isolate the internet within its borders from the rest of the world, with the click of a button. United Kingdom Prime Minister Theresa May fired Gavin Williamson, the then-British defense secretary, for allegedly leaking sensitive information from a U.K. National Security Council meeting regarding Chinese telecommunications company Huawei and the security considerations around the company supplying equipment for the 5G networks based in the U.K. Meanwhile, that same month, Reuters broke a story on Australia’s considerable concerns about Huawei dating back to at least 2018, drawing attention to “how 5G could be exploited for spying and to sabotage critical infrastructure.” These prominent national and international events pointed to the construction, provision, and potential compromise of different technological supply chain components, from an effort to further cement control over physical and digital internet infrastructure to fears about backdoors in telecom equipment.

Drawing on the International Emergency Economic Powers Act (IEEPA)—a law enabling the president to address “unusual and extraordinary threats” to security, and which underpins many U.S. government technology and national security powers—the new executive order was, on paper, aimed right at these types of concerns. Here, it said:

[F]oreign adversaries are increasingly creating and exploiting vulnerabilities in information and communications technology and services, which store and communicate vast amounts of sensitive information, facilitate the digital economy, and support critical infrastructure and vital emergency services, in order to commit malicious cyber-enabled actions, including economic and industrial espionage against the United States and its people.

It continued:

the unrestricted acquisition or use in the United States of information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries augments the ability of foreign adversaries to create and exploit vulnerabilities in information and communications technology or services, with potentially catastrophic effects, and thereby constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.

These threats exist not just with specific technologies, the order said, but with technologies as a class as well—in other words, entire tech categories. For instance, rather than targeting only the latest-version Huawei router with whatever specifications, the program could target something like all Chinese-made routers in the United States.

The order then specified a program to deal with these risks. Led by the Commerce Department, it established an interagency program to examine future acquisitions, imports, transfers, installations, deals involving, or uses of any information and communications technology or service that could pose risks. (“Future” is important here, as the Commerce Department was not tasked with looking backward at past events.) Alongside Commerce, the interagency group is composed of the Departments of State, Defense, Justice, and Homeland Security, the U.S. trade representative, the director of national intelligence, the head of the General Services Administration, and the chair of the Federal Communications Commission (FCC). Other department and agency heads, as appropriate, could be involved as well.

The order specified that technologies must fit two criteria to fall under the ICTS program’s remit. First, the transaction must involve an information and communications technology or service designed, manufactured, or supplied by companies owned by, controlled by, or subject to the jurisdiction or direction of a “foreign adversary”—and people controlled by or subject to their jurisdiction, too. Second, the transaction in question must:

  1. [Pose] an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States;
  2. [Pose] an undue risk of catastrophic effects on the security or resiliency of the United States critical infrastructure or the digital economy of the United States; or
  3. Otherwise [pose] an unacceptable risk to the national security of the United States or the security and safety of United States persons.

In the ensuing months, the Commerce Department initiated a rule-making process to develop regulations based on the executive order. It set out to designate “foreign adversary” countries, defined in the order as “any foreign government or foreign non-government person engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons.” The January 2021 interim final rule for the program settled on six of those countries: China (including Hong Kong), Cuba, Iran, North Korea, Russia, and Venezuela. It also spelled out categories of “sensitive personal data” the program was particularly concerned about, including financial data indicating someone’s distress or hardship, data in consumer reports, mental health data, nonpublic electronic communications, certain kinds of geolocation data (it did not elaborate further), and biometric data.

Two of the most important points of the ICTS program were its gap-plugging and its breadth. While the U.S. government already had authorities and programs to look at scenarios such as a foreign investor putting money into a U.S. company with the intent to siphon its intellectual property (e.g., handled by the Committee on Foreign Investment in the United States, or CFIUS), a U.S. company unwittingly selling advanced dual-use technology to a foreign adversary’s front company (e.g., handled by export controls), or a foreign adversary-controlled telecommunications company attempting to operate infrastructure in the United States (e.g., handled by Team Telecom), it lacked the authority to prevent U.S. adversaries from funneling a wide variety of technologies into the country that they could use for espionage or disruption. The ICTS program, by potentially covering everything from routers and connected devices to AI models and cybersecurity software, provided a tool to address this gap.

This leads to the second point: The ICTS program was also based on a sweeping scope of power. It could apply to a wide range of technologies and services. It could be used not just to restrict how some non-U.S. businesses operate in the United States but to expel them completely from the market by making and issuing a determination that their information and communication technology products or services posed an undue risk to national security. Notably, the ICTS program can issue restrictions on entire classes of technologies—for example, not just a specific version of a specific Russian company’s connected vehicle component but all connected vehicles of a certain category coming from Russia writ large. This gives the ICTS program a level of breadth and depth unlike programs focused more on particular transactions (e.g., CFIUS) or matters (e.g., Team Telecom). The BIS’s Entity List, for its part, is based on an authority to control exports, re-exports, and transfers of certain covered items to non-U.S. entities, but its scope of potentially covered transactions is smaller than the remit given to the ICTS program.

Where the ICTS Office Was Headed

The ICTS office has used its authorities only twice to date. First, it issued a notice in June 2024 effectively banning U.S. entities and individuals from using the Russian cybersecurity company Kaspersky. This was a commonsense decision given the close relationship that the Russian intelligence services have with many cybersecurity companies in Russia as well as the U.S. federal government’s decision back in 2017 to ban Kaspersky on its own systems. Many news reports have alleged over the years that Kaspersky cooperates actively with Russian intelligence to spy on systems around the world, including in the United States. The Office of the Director of National Intelligence itself said in an unclassified advisory it released in September 2023 that former Russian intelligence officers employed by Kaspersky Labs, which include “a number of its executives,” continue to “use their positions and access to maintain cooperation and share identifying client data with current [Russian intelligence services] officers.”

Second, it issued a rule in January 2025 restricting the import and sale of certain connected vehicles and related hardware and software tied to China or Russia when the vehicles weigh under 10,001 pounds. The rule went into effect in March 2025 with a two-phase rollout. For model year 2027 and later, connected vehicle manufacturers owned by, controlled by, or subject to the jurisdiction or direction of China or Russia are prohibited from selling connected vehicles and vehicles using their covered software. For model year 2030 and later (or Jan. 1, 2029, for non-model-year components), companies owned by, controlled by, or subject to the jurisdiction or direction of China or Russia cannot import vehicle connectivity system hardware into the United States. As then-Secretary of Commerce Gina Raimondo noted:

Cars today aren’t just steel on wheels—they’re computers. They have cameras, microphones, GPS tracking, and other technologies that are connected to the internet. Through this rule, the Commerce Department is taking a necessary step to safeguard U.S. national security and protect Americans’ privacy by keeping foreign adversaries from manipulating these technologies to access sensitive or personal information.

Beyond that, the ICTS office had yet to issue any other decisions.

Still, there was some indication of the office’s potential, future enforcement directions. The BIS, in which the ICTS office sits, released a “technology prioritization” table in 2024, highlighting three tracks of priorities for the program. Track I technologies have inherent vulnerabilities and a lack of mature and widely adopted cybersecurity standards. Track II technologies are derived from the then-National Standards Strategy and the then-Critical and Emerging Technologies List and are prioritized based on tech maturity, commercialization, and foreign adversary investment. And Track III technologies are those under review based on executive order and Commerce Department directives.

Based on the table, high-priority enforcement areas included satellite access points, mobile network hardware, advanced and networked sensors, energy generation and storage, autonomous systems and robotics, semiconductors and microprocessors, infrastructure as a service, advanced cloud services, and connected vehicles. Clearly, at least the last of these materialized, given that the office issued the prioritization table in 2024 and then finalized its connected vehicle rule in January 2025.

Personnel Cutbacks in Broader Context

The ICTS office dismissals should be contextualized within the broader cutbacks to the U.S. government’s national security and technology toolkit in the past year.

Despite portraying China as a national security—including a cyber espionage—threat, the FCC has rolled back a number of cybersecurity regulations for the telecommunications sector—meaning that U.S. telecommunications companies have fewer baseline protections they must implement to operate in the country. Although many national security and defense experts have articulated the risks of selling H20 and then H200 chips made by Nvidia to China, the White House continues to flip-flop on its export control position and curtail important export controls that limit the chips’ sale to Chinese state-connected actors.

Meanwhile, the administration’s changes to the foreign investment review process are, as one former national security official put it, both “clarifying and confounding,” in theory attempting to fast-track reviews of non-U.S. investments in the United States that don’t have ties to China, but in reality providing “little hope of effective implementation.” Widespread workforce reductions have devastated the Cybersecurity and Infrastructure Security Agency (CISA), which plays a key role in many of these regulatory processes, and the Department of Justice’s Data Security Program, on which I worked, has no clear direction for enforcement, either, amid wider cutbacks to the Justice Department’s National Security Division (in which the Data Security Program is one of many different programs and functions).

The rapidly shifting global threat environment does not pause just because the U.S. government has decided to intentionally weaken its own national security and technology regulatory apparatus, with no apparent strategy, logic, or foresight whatsoever. The U.S.’s foreign adversaries continue to engage in cyber espionage, inject (also known as “preposition”) malware in U.S. critical infrastructure (so that it can be activated later), and carry out a wide range of activities to steal U.S. technology and data, infiltrate U.S. tech supply chains, and much more. As technology supply chains continue to become more interconnected and interdependent, these risks will only grow—as will the complexity of identifying, assessing, and mitigating them.

Certainly, the ICTS office was not meant to address all foreign threats related to technology. It does not issue cybersecurity standards for U.S. critical infrastructure providers to protect themselves from nation-state cyber intrusions (and should not be doing so), for example. It does not (and should not) decide how U.S. businesses must conduct their supply chain due diligence writ large, either. But the ICTS office was intended to help protect U.S. tech supply chains from many of these national security risks, including via the expulsion of foreign adversary-controlled technologies from American systems, the restriction of companies in the U.S. market whose technologies in certain categories could be used for espionage or potential disruption, and the evaluation of transactions in infrastructure as a service, autonomous systems, networked sensors, and other technologies not already covered by programs such as CFIUS, Team Telecom, and export controls.

There is no clear path for where the U.S. government will head next, because it is increasingly difficult to predict how and where these decisions to effectively shut down offices and programs will unfold. But if past efforts to “rip and replace” adversary-controlled technologies from the United States are any indication, these measures are costly, time intensive, and complicated, to the point where they require tremendous amounts of funding and logistical planning to have a chance at carrying them out successfully. And on that last point, many reasonable observers would argue that the U.S. government has not been successful in its rip-and-replace efforts, because years into the program, many U.S. telecoms, especially in rural areas, were still using equipment from Huawei and ZTE in their networks.

Whether the current administration or a future one decides to reinvest in programs such as the ICTS office, it will not be easy to reach back into U.S. tech supply chains and simply undo the damage. By then, it is likely that more adversarial technology will have already buried itself into the U.S. tech supply chains, with hooks that are difficult to quickly pull out.


Justin Sherman is a contributing editor at Lawfare. He is also the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm; the scholar in residence at the Electronic Privacy Information Center; and a nonresident senior fellow at the Atlantic Council.