HR-7208-119
Referred to the Subcommittee on Cybersecurity and Infrastructure Protection.
Sponsored by Dan Crenshaw (R-TX)
What it does
This bill would direct the Secretary of Commerce, in coordination with other federal officials, to submit a report to Congress within 270 days assessing national security risks posed by foreign adversary-controlled applications that can remotely control high-wattage Internet-connected devices (such as EV chargers, smart air conditioners, and water heaters). The report would include recommendations for mitigation measures, which may include restrictions on federal procurement of such devices, certification or labeling requirements, and application of existing supply chain security rules to IoT devices. The bill would also codify into statute Executive Order 13873, which established a framework for securing the U.S. information and communications technology and services supply chain.
Who benefits
U.S. electric grid operators and utilities that would gain a clearer federal risk assessment. Domestic appliance manufacturers who could gain competitive advantage if foreign-made smart appliances face new restrictions. National security agencies seeking a statutory basis for supply chain oversight. Consumers broadly, if grid vulnerabilities are identified and addressed before an attack occurs. U.S. IoT security firms and cybersecurity contractors who may benefit from expanded certification or labeling programs. Academic researchers whose work on "MaDIoT" attacks is cited in the bill's findings.
Who is hurt
Companies with ties to foreign adversary nations — particularly Chinese appliance manufacturers — that could face procurement restrictions or new compliance burdens. U.S. retailers and importers who sell foreign-made smart appliances and could face supply chain disruptions. Consumers who may face higher prices or reduced product choices if foreign-made devices are restricted. Federal agencies that would bear administrative costs of implementing any resulting certification or labeling programs. Small domestic importers with limited resources to navigate new compliance requirements.
Supporters argue
Supporters argue that foreign adversary-controlled companies already control more than 25% of the major appliance market in the United States, and that peer-reviewed research from Princeton, Georgia Tech, and UC Santa Cruz has documented the feasibility of coordinated demand-manipulation attacks capable of causing large-scale blackouts. They contend that China's 2017 Cybersecurity Law legally compels Chinese companies to grant state authorities access to customer data and device controls, making the risk structural rather than hypothetical, and that codifying Executive Order 13873 into statute provides a durable, court-tested legal foundation for supply chain security that cannot be reversed by a future executive order alone.
Opponents argue
Opponents argue that the bill's findings rely heavily on theoretical academic models rather than documented real-world attacks, and that the broad definition of "covered entity" — including any company "subject to the influence" of a foreign adversary — could sweep in companies with only indirect foreign ties, creating legal uncertainty and potential trade disputes. They contend that the bill's recommendations, if enacted, could restrict consumer choice and raise appliance prices without a demonstrated proportionate security benefit, and that existing authorities under the Defense Production Act and ICTS supply chain rules already give the executive branch ample tools to address these risks without new legislation.
Constitutional context
Congress's authority to regulate foreign commerce and protect critical infrastructure rests on the Commerce Clause (Art. I, §8, cl. 3). The bill's codification of Executive Order 13873 raises agency authority questions: post-Loper Bright v. Raimondo (2024), any regulations implementing the report's recommendations would face independent judicial scrutiny rather than deference, meaning the statutory language authorizing agency action would need to be precise and clear to survive challenge.
Checks and balances
The executive branch (Secretary of Commerce) gains a statutory mandate and reporting obligation, while Congress retains oversight through the committee review process; any future regulatory action flowing from the report's recommendations would be subject to independent judicial review under post-Loper Bright standards.
Historical precedent
The CHIPS Act (2022) and the TikTok divestiture law (2024) similarly targeted foreign adversary influence over U.S. technology infrastructure, establishing precedent for Congress restricting or conditioning foreign-controlled technology in sensitive sectors.