As a result, the number of U.S. businesses with potentially export-controlled products has skyrocketed. The current export controls on Russia run the gamut from advanced petroleum extraction machinery components to tobacco refuse (another product identified as a so-called “luxury good,” presumably due to its use in cigarettes) and everything in between. Virtually any good used in semiconductor manufacturing and destined for China, down to the smallest purpose-built gasket, could be subject to stringent licensing provisions if it is intended for use in a factory making certain advanced semiconductors. Moreover, even if a U.S. business’s immediate customer is not in Russia or China, it might still be liable for export control violations if it should have known its products were destined for such restricted end users. Accordingly, lawyers with clients who make any sales overseas should have their eye on the recent, and almost certainly ongoing, expansion of export controls.
Export Controls Are Critical to Mergers and Acquisitions with an International Nexus
Beyond their role in counseling clients who send goods and technology overseas, export control specialists have always had a role to play in the buying and selling of companies. Traditional diligence of companies with overseas touchpoints has long necessitated a review of which products are being sent to which foreign countries, and who is using them when they get there. The importance of that role has escalated as the U.S. export control agencies have increasingly taken an interest in software and technology over the last three decades. But fundamentally, the role of an export control lawyer in the diligence process has remained stable: confirm that a company is not sending controlled items to locations or end users that are prohibited from receiving them.
Increasingly, however, export control specialists are called on to play a role in reviewing acquisitions of U.S. companies by foreign investors. Recent updates to CFIUS’s regulations have built on and used export control regulations as a basis for CFIUS’s control, which means that evaluating regulatory risks for deals involving foreign parties will necessarily involve an export control analysis. CFIUS has jurisdiction to review acquisitions or investments by foreign parties that might implicate U.S. national security concerns. As a proxy for identifying transactions where such concerns might be present, CFIUS “piggybacks” on the U.S. export control system. Effectively, CFIUS does not want foreign entities using mergers and acquisitions as a backdoor around export control restrictions. Accordingly, in cases where a license would be required to export technology to the acquirer’s home country, a CFIUS filing may be mandatory and the parties may need to receive approval before the transaction can be consummated. This requirement has been particularly salient for companies with in-house software that incorporates encryption functionality; such products are generally eligible for a license exception with minimal effort, though if the software is offered as a SaaS product or used internally, the company would have had no reason to apply for an exemption prior to engagement with the CFIUS process. Accordingly, deal lawyers need to involve export control specialists from an early stage to identify and classify potential export-controlled items and technology, or risk potentially catastrophic consequences (up to and including mandated divestment).
Using the Export Control System in Novel Areas
The U.S. has also begun using the export control system to address new national security concerns. In 2023, the U.S. Department of Treasury released its long-awaited plans to begin regulating certain outbound investments; those plans were followed up with a more concrete proposed rulemaking this summer. Known colloquially as “outbound CFIUS,” the proposed regulations identified certain overseas investment categories that could have adverse impacts on U.S. national security, such as investments in artificial intelligence or supercomputing resources in China. As the traditional CFIUS regulations have done, in order to identify specific investments that might reasonably cause national security concerns, Treasury made use of the classifications already in place within the Commerce Control List (the primary list of dual-use items subject to export controls), specifically with respect to semiconductors. Though the proposed rules remain subject to public comment for now, the proposed scheme means that for certain categories of foreign investments, U.S. individuals and entities may need to conduct an export control classification of the products of the investment target, regardless of the fact that the goods themselves may never enter (much less be exported from) the U.S.
Similarly, the office that traditionally enforces most U.S. export controls is also expanding its regulatory purview. The Department of Commerce’s Bureau of Industry and Security (BIS) has traditionally been charged with licensing and enforcing the dual-use export control system (that is, export controls for items that are not strictly military-related), as well as anti-boycott laws. Recently, however, it has added the Office of Information and Communications Technology and Services (ICTS), whose remit stretches beyond businesses and persons who might typically think of themselves as exporters or even engaged in international commerce.
ICTS’s most recent regulatory action puts the new office’s reach in stark relief. On June 20, 2024, ICTS issued a “final decision” determining that cybersecurity and anti-virus software sold by the Russian-based company Kaspersky posed an “undue and unacceptable risk to U.S. national security.” As a practical matter, this final decision bans Kaspersky from selling its popular anti-virus software or providing services to all customers in the United States, and it set off a scramble among U.S. chief information security officers to transition to a nonbanned alternative. This was the first time ICTS used authority granted to it under an executive order meant to help secure U.S. supply chains, and the office targeted software used widely by both individuals and businesses. The Kaspersky final decision may provide a blueprint for the office’s future actions and illustrates the need for businesses with connections to vet their overseas touchpoints — even those as seemingly mundane as anti-virus software — with an eye toward potential national security risks. As the expansion of traditional export controls over the past five years demonstrates, companies with connections to Russia and China should be particularly vigilant for future ICTS actions.
Even clients who perceive themselves to be running a purely domestic business may have a need to become familiar with ICTS. In January 2024, ICTS issued a notice of proposed rulemaking that put providers of what the notice called “Infrastructure as a Service (IaaS)” on notice that they may have to begin conducting enhanced diligence into certain customers. IaaS products include cloud services and other businesses that provide computing resources to customers. There has been a persistent concern that foreign persons — and particularly Chinese entities — could attempt to circumvent the recent semiconductor and advanced computing-related export controls by simply paying to access the same resources provided by U.S. suppliers. So, for instance, instead of acquiring an advanced U.S.-origin computer chip, a company could pay to access the capabilities of the chip via the cloud and a domestic U.S. company. Moreover, news reports from this spring indicate that ICTS is considering similar measures with respect to providers of artificial intelligence models. These initial forays into information technology service regulation are undoubtedly focused on a specialized high end; however, as with traditional export controls, which have expanded from rocket motors to wedding dresses, it is not a stretch to envision ICTS controls expanding to more run-of-the-mill services in the future. While ICTS’s plans for regulating such service providers are in a preliminary stage, it is quite likely that the final implementation will build on the export control infrastructure already in place within BIS more broadly.
In recent years, export controls have expanded beyond their previously limited reach and begun to impact an ever-increasing slice of American commerce. The U.S. government has not only increased the sheer number of products subject to some form of control but has also begun using the export control infrastructure to combat a growing list of national security threats. And, though primarily the realm of regulatory agencies, because of the significant deference given in matters of national security, export control regulations are unlikely to be impacted by the fall of Chevron. Accordingly, attorneys across a growing list of practice areas and specialties will need to have at least a passing familiarity with the structures and mechanisms of export controls in order to effectively serve their clients.