Cybersecurity Concerns Prompt Move to Strengthen National Security Review of Foreign Investments


Keeping the U.S. safe from terrorist attacks most likely comes to mind when thinking of national security.  Foreign investments, and corporate mergers and acquisitions may not. But if a proposed investment or merger results in control of businesses by a foreign entity, that may raise national security concerns. That is very much the case for a company that provides crucial cybersecurity technologies for the U.S. government or companies that may be targeted for control by a foreign entity.

The Committee on Foreign Investment in the U.S. (CFIUS) is an inter-agency committee in charge of conducting national security reviews of foreign investments into the U.S. The Treasury Department chairs the committee and its members include the Departments of Homeland Security, Justice, Defense, Commerce, State, Energy, and others.

Sens. John Cornyn (R-Texas), Dianne Feinstein (D-Calif.), and Richard Burr (R-N.C.) think that the CFIUS review process should be stronger. The lawmakers recently introduced the Foreign Investment Risk Review Modernization Act (FIRRMA), which seeks to throw a larger net to capture more transactions and make sure critical technology and cybersecurity are sufficiently covered.

According to Alexis Early, international regulation and compliance group attorney at Steptoe & Johnson LLP in Washington, the bill would require parties to file a five-page declaration with CFIUS if their deal involves a U.S. “critical technology company” or “critical infrastructure company.” Although these terms would need to be further defined if the bill passes, “they could potentially cover a broad swath of Silicon Valley technology companies if they seek foreign investment,” Early told Bloomberg Law. 

Under the bill, factors that CFIUS must consider during reviews include whether the covered transaction “is likely to have the effect of creating any new cybersecurity vulnerabilities” or exacerbate existing cybersecurity vulnerabilities.

FIRRMA also considers whether the transactions would allow foreign entities to engage in “malicious cyber-enabled activities.” It seeks to “guard against investments that could result in foreign governments gaining significant new cyber capabilities that could be maliciously deployed against the U.S., such as targeting elections,” Early said.

The CFIUS review process is crucial for “proactively identifying and mitigating foreign efforts to acquire critical U.S. technology and know-how through investment,” Burr said in a statement.

Original bipartisan co-sponsors of the bill include Senators Marco Rubio (R-Fla.), Amy Klobuchar (D-Minn.), John Barrasso (R-Wyo.), Gary Peters (D-Mich.), James Lankford (R-Okla.), Joe Manchin (D-W.Va.), and Tim Scott (R-S.C.). Rep. Robert Pittenger (R-N.C.) introduced a companion bill in the house.

National security concerns over certain transactions also apply to U.S. exports. In a video interview with Bloomberg Law, Brian Egan, national security partner at Steptoe in Washington, and Early said that President Donald Trump signed the Countering America’s Adversaries Through Sanctions Act, which requires U.S. companies exporting certain technology to Russia to obtain government permission to do so.