This week, U.S. Sen. Marco Rubio, R-Fla., and U.S. Rep. Mike Gallagher, R-Wis., sent a letter to U.S. Sec. of Commerce Gina Raimondo cautioning her “against approving half measures, like Project Texas, that do not fully address the security threat posed by TikTok.”
Rubio and Gallagher also requested communications between the Commerce Department and outside parties, including TikTok, to shed light on how these concerning changes came to be.
“The U.S. Department of Commerce recently issued a Final Rule that amends the Securing the Information and Communications Technology Supply Chain (ICTS) rules to lay the groundwork for TikTok’s sham mitigation proposal, ‘Project Texas.’ TikTok falsely claims that ‘Project Texas’ would allow it to safely operate in the U.S. by working with a trusted third party, Oracle, to secure U.S. user data and monitor TikTok’s algorithm,” Rubio’s office noted.
The letter is below.
Dear Secretary Raimondo,
We write to express our concerns, and request information, about the Commerce Department’s seeming efforts to lay the groundwork for TikTok’s sham mitigation proposal, “Project Texas.” TikTok claims that “Project Texas” would allow it to safely operate in the U.S. by working with a trusted third party, Oracle, to secure U.S. user data and monitor TikTok’s algorithm. However, dangerous “connected software applications” like TikTok cannot safely operate in the U.S. while controlled by a foreign adversary. This threat cannot be mitigated. We are concerned that the Commerce Department disagrees.
Our concerns stem from changes to the language in the Department’s Final Rule, published on June 16, 2023, which amends the “Securing the Information and Communications Technology Supply Chain” (ICTS) rules. ICTS authorities are vital to safeguarding the U.S. homeland. The Department’s changes to the language in the Final Rule from the proposed rule suggest the Commerce Department may use the ICTS authority to authorize TikTok to implement “Project Texas,” and to authorize other “connected software applications” that pose national security threats to implement similar “mitigation” agreements. Authorizing TikTok’s sham mitigation proposal would be devastating to American national security, not only because TikTok is itself a threat, but also because it would set a precedent for other dangerous People’s Republic of China (PRC)-controlled “connected software applications” to establish themselves in the U.S. under smokescreen safety measures like that of “Project Texas.”
In the proposed rule, the Secretary was to review ICTS transactions—ranging from PRC company ByteDance’s initial acquisition of the precursors to TikTok, to specific contracts TikTok and other tech companies engage in—to determine if they posed an “undue or unacceptable risk” under several criteria, including “The extent to which identified risks have been or can be addressed by independently verifiable measures.” This language was not improvised but was taken directly from President Biden’s Executive Order. However, the Final Rule changed this language to “The extent to which identified risks have been or can be mitigated using measures that can be verified by independent third parties.” The explanation for this change in language was that it was “more precise.”
This change raised two red flags for us. First, the change in verb from “addressed” to “mitigated” is alarming, given that “mitigation” is a term of art from Committee on Foreign Investment in the United States (CFIUS) law that refers to transaction restrictions short of an outright prohibition. “Project Texas” is the most famous example of an attempted “mitigation” agreement. Second, the change from “independently verifiable measure” to “can be verified by independent third parties” is worrying. The old language suggests that any independent entity could verify that concerns had been addressed, whereas the new language seems to imply one or a small number of specific third parties will be responsible for monitoring. This new language sounds like Oracle’s proposed role in “Project Texas.”
We were pleased to see that the Department edited “subject to coercion or cooption by a foreign adversary” to “subject to the jurisdiction or direction of a foreign adversary,” because the latter term is broader. However, clarifying that the ICTS authorities cover a broad range of entities is not helpful if they are used to enable “Project Texas”-style solutions, rather than bans.
We agree with President Biden that “the increased use in the United States of certain connected software applications designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary…includ[ing] the People’s Republic of China, among others, continues to threaten the national security, foreign policy, and economy of the United States.” TikTok is, of course, Exhibit A of such a “connected software application,” so we were pleased with the Commerce Department’s Notice of Proposed Rulemaking in November 2021 to add “connected software applications” to the type of transactions covered by ICTS authorities. At the time, it seemed like the Commerce Department may have been considering using ICTS to take action against TikTok.
Since then, numerous senior members of the Biden Administration have expressed their concerns with the national security threat posed by TikTok, and the Biden Administration has reportedly determined, as we have long maintained, that TikTok’s proposed “Project Texas” solution was insufficient. However, the Final Rule published on June 16 has renewed our concerns that the Commerce Department and the Biden Administration more generally is actually considering “Project Texas.”
We request the following documents from the Commerce Department by June 30, 2023 at close of business:
1. All communications internally within the Commerce Department and with governmental and nongovernmental persons regarding the decision to change the language in the proposed rule and E.O. 14034 from “The extent to which identified risks have been or can be addressed by independently verifiable measures” to “The extent to which identified risks have been or can be mitigated using measures that can be verified by independent third parties.”
2. All communications that the Commerce Department or any member of staff has had with TikTok, ByteDance, or any investor in, employee of, or lobbyist for TikTok or ByteDance about the possibility of using ICTS legal authorities to impose restrictions on TikTok.
3. All communications between members of the Commerce Department and other federal agencies regarding using ICTS legal authorities to impose restrictions on TikTok.
4. All communications between members of the Commerce Department and third-party companies regarding using ICTS legal authorities to impose restrictions on TikTok.
The national-security threat posed by TikTok cannot be mitigated, and we urge you to abandon any course of action that stops short of fully addressing that threat. As members of Congress, we take seriously our responsibility to oversee the executive branch and defend the American people from dangerous CCP-controlled technology. We have introduced legislation in Congress, the ANTI-SOCIAL CCP Act (H.R. 1081; S. 347), which would accomplish this goal by blocking all commercial transactions of social-media companies, such as TikTok, that are owned, controlled, or influenced by adversary countries, sufficient to prevent their commercial operation in the U.S.
Furthermore, the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party has broad authority to “investigate and submit policy recommendations on the status of the Chinese Communist Party’s economic, technological, and security progress and its competition with the United States” under H. Res. 11. Protecting the U.S. information and communications technology supply chain from dangerous CCP-controlled technology falls clearly within the Select Committee’s jurisdiction.
Thank you for considering this vitally important national security issue
Author
