Inside Cybersecurity

October 3, 2022

Daily News

Biden officials say ‘CFIUS’ executive order focuses transaction reviews on cyber, supply chain and emerging technology

By Charlie Mitchell / September 16, 2022

An executive order on reviews of foreign investments in U.S. companies and infrastructure will help sharpen the focus on cybersecurity, supply chain and emerging technologies, according to Biden administration officials, who described the new EO as an update and enhancement of the so-called CFIUS review process rather than an expansion of regulatory authority.

President Biden on Thursday signed an executive order flagging cybersecurity, personal data security and other issues as key priorities for the Committee on Foreign Investment in the United States as it reviews transactions involving “foreign persons, particularly those from competitor or adversarial nations,” interested in investing in the United States.

Norma Krayem, chair of the cybersecurity practice at Van Scoyoc Associates and a former senior official at the departments of State, Commerce, and Transportation, said, “This EO sharpens the focus on cyber risks, sending a clear signal to the private sector and around the world. Ownership and control issues have always been critical to understanding national security risk, but the EO also goes farther, it delineates that the term ‘control’ could also be exerted for an individual, rather than just a percentage of investment.”

She said, “It also very clearly states that CFIUS must evaluate incremental changes and investment in a particular sector, which brings a very useful holistic approach which is critical.”

According to Krayem, “The EO also hones in on cyber risk and the national security value of data security, along with key sectors like manufacturing, critical minerals and technology. The CFIUS process has always incorporated a wide variety of tools and a broader lens on evaluating national security risk, and while the acquisition of strategic data has always been a tool used by nation states, it has become weaponized over time. This helps focus on protecting key sectors that may not have historically been viewed as ‘at risk’ from foreign investment in the past as well.”

Cyberspace Solarium Commission leader Mark Montgomery said the EO is consistent with the commission’s recommendation on strengthening CFIUS. He noted, “The President's fiscal 2023 budget has a proposed 25 percent increase in funding for CFIUS and this EO expands the purview of their investment reviews -- both are good news.”

Montgomery, a senior director at the Foundation for Defense of Democracies, said, “This is a thoughtful and much needed move by the Biden administration.”

J. Philip Ludvigson, a partner at King & Spalding who once helped lead the Treasury Department’s CFIUS office, said, “For the first time since CFIUS was established nearly five decades ago, this Order directs the Committee to consider certain national security factors. CFIUS has recently beefed up its pursuit of deals that have not been voluntarily filed with the Committee. Businesses should not be surprised if Treasury comes knocking to learn more about investments that may pose a risk to the country.”

First EO to set CFIUS priorities

CFIUS was established in 1975 and this is the first executive order designed to set priorities and goals for its reviews. It is chaired by the Treasury Department and includes the departments of Justice, Homeland Security, Commerce, Defense, State, and Energy, the Office of the U.S. Trade Representative and other offices including OMB.

“The executive order centers the review of foreign investments within Biden-Harris administration priorities, including supply chain resilience, protecting American sensitive data, and maintaining America’s technological leadership, ultimately ensuring that our national security tools are deployed in mutually reinforcing ways,” a senior administration official, speaking on background, told reporters on Wednesday.

“And I think this is sending a very clear message, a public message, to the private sector -- in a way the committee’s day-to-day work often can’t -- about what are some factors that we as an administration are very focused on,” the official said.

Further, the official said, “I think we are making clear again, both to the committee and to the corporate community and the public as a whole, as well as foreign governments, allies, and partners around the world, this is how we are incorporating concerns that we have about a set of issues [and using] CFIUS as a tool that is integrated in a suite of other tools to protect our national security.”

Another administration official explained, “The executive order elaborates on two existing statutory factors: technological leadership, hereby specifically enumerating a handful of priority emerging and critical technologies, like semiconductors, quantum technologies, biotechnology, and artificial intelligence, as well as supply chain considerations, here acknowledging what we’ve learned from the past few years and the administration’s related efforts to address the need for resilience of key supply chains, both inside and outside of the defense industrial base.”

The official said the EO “identifies three additional factors for the committee to consider,” including “aggregate industry investment trends, so acknowledging here that a series of transactions over time can increase systemic vulnerability, potentially resulting in a particular covered transaction giving rise to national security risk.”

“Second,” the official said, “the importance of reviewing transactions with an eye toward cybersecurity capabilities of the foreign investor and cybersecurity practices of the domestic entity. And third, risks relating to American sensitive data, providing clarification and a signal to industry that technological and big data advances undermine the concepts of the identified or anonymized data.”

A third senior official said, “By highlighting and sharpening the committee’s focus on these evolving and emerging risks, the executive order will help guide the committee and should also help businesses and investors better identify early on national security risks arising from transactions to help them determine whether to file with CFIUS.”

This official said, “And just for the avoidance of any doubt or confusion, I want to emphasize the executive order does not expand or limit the legal authorities or jurisdiction of CFIUS, which remains broadly focused on assessing and mitigating any national security risks arising from covered transactions.” – Charlie Mitchell