INSIGHT: What Global Companies Need to Know About U.S. National Security Policy

U.S. national security officials are raising alarms about the risks of operating in the current international digital economy—and becoming increasingly activist in countering security threats that could exploit it.

The Trump administration has taken dramatic steps that effectively blacklist Chinese technology giant Huawei, such that American companies need to obtain U.S. government permission before conducting business with it. The Department of Homeland Security and Congress expelled the global antivirus firm Kaspersky Labs (headquartered in Russia) from all U.S. federal government IT networks due to national security concerns. The secretive Committee on Foreign Investment in the United States (CFIUS), which reviews foreign investment into the U.S., has stepped up enforcement by, among other things, reviewing completed deals that were not initially brought to its attention.

Neither the Executive Branch nor Congress are showing any signs of slowing down. The FBI the week of Nov. 25 publicly stated that the mobile application FaceApp and similar products designed in Russia are potential counterintelligence threats. The Department of Commerce recently announced proposed regulations that would create a broad new review process, with similarities to CFIUS, for any information and communications technology and services transactions subject to U.S. jurisdiction that might pose national security risks. And Congress is considering legislation that would ban the use of federal funds to buy subway cars and buses from Chinese state-owned enterprises.

Some view these as measures to address isolated threats or dismiss them as temporary excesses of the present administration. The reality is a much more substantive, nonpartisan policy shift.

Public Safety, National Security Now Part of Commercial Decisions

Driven by sober security concerns about China and other nations, the U.S. government is retooling our federal regulatory apparatus to incorporate public safety and national security into commercial decisions—and will go beyond dialogue to start bringing other countries along in the process.

Two recently enacted security laws—dealing with cross-border security agency access to digital evidence and foreign investment reviews—offer a blueprint of the likely long-term U.S. government approach internationally. In each instance, the U.S. government first updated domestic legal standards to better protect security interests and then provided incentives for other nations to subscribe to those standards.

Even if only partially successful, this emerging U.S. government approach illustrates that national security interests will increasingly be a significant factor in global commerce.

CLOUD Act Addresses Data in Multinational Companies

The digital evidence law, The Clarifying Lawful Overseas Use of Data Act (CLOUD Act), addresses a concern emblematic of the international digital economy: multinational communications companies with large footprints in several countries store data across the globe, giving rise to conflicting or ambiguous legal obligations and commercial expectations.

Thus, a terrorist incident or major cyber crime might occur in one country where a company has significant business operations and access to digital evidence about the suspected perpetrator, but the actual data might be stored elsewhere, raising different evidentiary requirements for retrieval, implicating foreign market sensitivities, and delaying national security investigations.

The CLOUD Act requires companies subject to U.S. legal jurisdiction to turn over data within their control in response to lawful requests by U.S. officials (or to contest the request in federal court), regardless of where that data may be stored. The clear message of the legislation is that U.S. safety and security interests must trump multinational business norms or foreign legal regimes.

But this unilateral stick also has a multilateral carrot. If a foreign government agrees to meet certain legal standards (as certified by the attorney general) and enters into a bilateral executive agreement with the United States, under the CLOUD Act security officials of that foreign government can make specific data requests about non-U.S. persons in their jurisdiction directly to U.S. technology companies.

Although still early, this two-step approach of enacting domestic legal changes followed by providing incentives for foreign countries to support them, appears likely to succeed. For example, the United Kingdom recently adopted oversight mechanisms consistent with CLOUD Act requirements and signed the first bilateral executive agreement, between the U.S. Attorney General and U.K. Home Minister earlier this fall. The Department of Justice has also announced that it is in the midst of negotiating similar agreements with the European Union and Australia. The revised U.S. framework for access to digital evidence is poised to set the standard for international access as well.

Expanding CFIUS Jurisdiction

Similarly, Congress last year overwhelmingly expanded U.S. government security reviews of foreign investment into U.S. businesses, conducted by CFIUS, to include new sets of companies holding sensitive personal data or critical technologies. CFIUS has not only expanded in jurisdiction but also has become more aggressive in its enforcement, including by proactively reviewing closed transactions (sometimes closed months or years prior) of which it was not notified.

As with the CLOUD Act, the revised U.S. foreign investment regime clearly places a heightened focus on security. This domestic legal update likewise includes measures to garner international support: Regulations proposed by the Treasury Department, which are not yet final, include a provision that would grant exemptions from certain reviews to a subset of vetted investors from countries that coordinate with CFIUS and maintain a robust foreign investment review process.

As a result, foreign countries now have incentives to both assist CFIUS in its expanded security reviews in the U.S. as well as mount independent security reviews of transactions in their home countries.

In today’s economy, successful companies understand that they need global acquisitions, supply chains, talent pools, research and, of course, marketplaces. They also must keep ahead of the technological curve to create products, decrease logistical costs, improve collaboration, and better predict markets.

But while this international, digital economy holds immense opportunity, it also creates unprecedented risks. Companies that understand and account for these risks in their strategy and operations will not only be able to navigate a growing web of security regulations, but will also be more protected and ultimately better positioned for long-term success.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Sumon Dantiki is a partner with King & Spalding LLP in Washington, D.C. He formerly served as senior counselor to the director of the Federal Bureau of Investigation and in other cyber and national security roles with the FBI and Department of Justice.