EO Stresses Cybersec, Data Protection in Foreign Deal Review

Foreign investment into the United States will undergo additional scrutiny for its implications to cybersecurity and data protection under an executive order signed by President Joe Biden.

See Also: Live Panel | The Impact of Digital Transformation on Operational Technology

The order directs the multi-agency committee tasked with reviewing transactions for their national security implications when deals are financed by international sources to consider whether their execution would directly or indirectly raise the risk of digital intrusions or surveillance.

Cybersecurity and data protection already are factors studied by the Committee on Foreign Investment in the United States. A CFIUS review is technically voluntary but deals that haven’t gone through the process are subject to unwinding by the president.

The executive order sends “a public message to the private sector – in a way the committee’s day-to-day work often can’t – about what are some factors that we as an administration are very focused on,” a senior administration official told reporters during a Wednesday afternoon call.

The Biden administration says the order is not directed toward Chinese investment although attitudes toward Chinese technology have hardened across recent presidential administrations (see: Global Open Internet Under Chinese Threat, US Lawmakers Hear). The order calls for the committee to especially direct attention to deals involving cutting-edge technologies the U.S. identifies as vital for economic and national security as well as targets of Chinese acquisition. The technologies include microelectronics, artificial intelligence, biotechnology, quantum computing, advanced clean energy, and climate adaptation technologies.

“Strengthening our supply chains and protecting against foreign threats enhances our national security,” said Treasury Secretary Janet Yellen, who chairs CFIUS.

The executive order highlights that the review committee isn’t just concerned with the potential security risks of the direct investor but also its ties to third parties that also may pose a risk.

“This is something that I think is now well understood in CFIUS circles, but from time to time you will have companies that enter into the CFIUS process and not fully recognize that CFIUS is not only looking at the company itself, but its relationships,” said Aimen Mir, who headed the CFIUS career staff and is now a partner with Freshfields Bruckhaus Deringer.

The committee looks at the sensitivity of data and also at the quantity collected by the technology company under review, Mir told Information Security Media Group.

The order indicates that the U.S. government would be concerned about a transaction exposing information such as genetic makeup to a foreign power. The committee might also raise red flags for transactions involving the data of a broad swath of the populace. That data “may allow you to generate information about the individuals’ life or identify trends that may raise more concerns,” he said.

A trend in CFIUS review has been a lowering of the risk threshold when it comes to transactions involving Chinese entities, Mir said. U.S. policy has shifted away from the belief that welcoming Chinese investment will lead Beijing into adopting international norms. “Toward the end of the Obama administration and certainly through the Trump administration, there was a lot less appetite to assuming risk” associated with Chinese investment, he said.