Foreign tech investment rules are a balancing act
- By Derek B. Johnson
- Apr 30, 2019
The Justice and Treasury Departments are piloting a program to expands foreign investment reviews to U.S. companies that produce critical technologies.
In an April 24 speech at the National Conference on CFIUS (Committee on Foreign Investment in the United States), Deputy Assistant Attorney General Adam Hickey praised legislative and regulatory reforms to the CFIUS process last year designed to expand review of foreign technology investments and connected them to the government's recent hard-line position on Chinese-fueled economic espionage and theft of trade secrets.
Hickey said that 90 percent of the economic espionage cases pursued by DOJ since 2011 involve China. Additionally, he claimed that since China's government released a 10-year innovation plan in 2015 that lays out a blueprint for dominating critical technology and manufacturing industries by 2025, DOJ has charged Chinese individuals and entities for stealing trade secrets in eight out of the 10 strategic manufacturing sectors listed in the plan.
"These techniques -- covertly recruiting assets, hacking into networks -- are not themselves shocking in the context of traditional espionage, the targeting of one government's secrets by another," said Hickey. "But this is not traditional: the concerted effort and resources of a determined nation-state target our private sector."
When DOJ indicted the U.S. branch of Chinese telecom giant Huawei in January for theft of trade secrets and wire fraud related to a 2014 incident involving T-Mobile technology, it referenced evidence of an internal announcement from the company's Chinese branch offering "monthly bonuses to the employees who provided the most valuable stolen information."
That program allegedly forced Huawei's U.S. branch to respond with an email to its own employees noting that "Here in the U.S.A. we do not condone nor engage in such activities" and that doing so would be "expressly prohibited by [Huawei USA] company polices."
U.S. officials believe such incentives are rampant among Chinese companies and encouraged by the Chinese government. In December 2018, DOJ announced the creation of "The China Initiative," a coordinated strategy for prioritizing indictments and prosecutions of Chinese trade theft cases.
Another pathway to obtaining U.S. technology industry trade secrets is to buy or invest in the companies that make them, and U.S. officials have made increasing use of CFIUS authorities in recent years to block investment by foreign companies and governments in the American tech sector.
Last year, Congress passed the Foreign Investment Risk Review Modernization Act of 2018, a law that substantially reformed CFIUS that requires mandatory declaration and review for foreign investment deals in U.S. companies that operate in critical technology areas. While permanent rules will be put in place by 2020, the Department of Treasury issued interim rules in October 2018 establishing a pilot program to implement the portion dealing with critical technologies, citing "evolving threats to U.S. national security arising from certain foreign investments in U.S. businesses in particular industries [that] require immediate attention."
The Treasury pilot program is relying on six-digit North American Industry Classification System (NAIC) codes to determine which companies would fall under the scope for mandatory review. Those areas include parts and components for guided missiles and other weapons, computer storage device manufacturing, nanotechnology research and development, semiconductor manufacturing and others. It also lowered the threshold for declaration to all investments, not just deals where the foreign party would gain a majority stake.
However, David Ribner, counsel for O'Melveny and Myers, a legal firm that offers guidance to both foreign investors and U.S. companies on CFIUS-related matters, told FCW those codes were not developed with foreign investment review in mind.
"To be honest, the codes were not designed for the purposes of CFIUS, " Ribner said. "And they're in some ways very broadly written but in other ways they can be very narrowly interpreted, so I think there needs to be greater clarity ultimately in the final regulations as to how to determine whether a U.S. business is within scope of the pilot program rules."
The Foreign Investment Risk Review Modernization Act also extends mandatory declaration to companies that deal with critical infrastructure and those that handle personally identifiable information (PII). This too creates a definition problem that Treasury and other federal agencies must grapple with when scoping the rules.
"Almost any consumer oriented company in the United States is going to have personal identifier information in some form," said Ribner. "Whether you're a grocery store or an online retailer, everyone is going to have [it], so the real question is at what point is an acquisition of a U.S. company with personal identifier information one in which that raises national security concerns and what does that mean for investment policy if most U.S. businesses have that information?"
In September 2018, a bipartisan group of Congress members led by then-House Financial Services Committee Chair Jeb Hensarling (R-Texas) advised Treasury Secretary Steve Mnuchin to enforce the rules around PII and critical infrastructure narrowly and focus on countries like Russia and China so as not to discourage all overseas investment in U.S. businesses.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at firstname.lastname@example.org, or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.