CFIUS cares about your data: Evolutions in national security

Published by Jessica Weisman-Pitts

Posted on October 4, 2023

By Nathan Fisher, Managing Director, StoneTurn

We have come a long way from, “data is the new oil.” Data, in fact, may be a more precious asset than that.

In recent years, data privacy has become a concern of paramount importance. Individuals, businesses, and governments are interconnected like never before through the exchange of digital information. But for all the benefits the availability of data may offer, we should be equally concerned with understanding who has access to this data and how it is being used.

Regulators and government bodies, including the Committee on Foreign Investment in the United States (CFIUS), are assessing such risks. But these risks are not simple, especially as data and technology continue to evolve at an increasingly rapid pace.

The Data Dilemma

Data has evolved from being a mere byproduct of user activity into a strategic asset valued for the insight it can offer into personal information, intellectual property (IP), and discreet business information. In the most extreme cases, data may reveal sensitive, or even classified, national security information. These risks drive concerns about the unauthorized access and misuse of data.

As individuals and institutions entrust their data to others, they should demand appropriate handling and protection of that information. These expectations are reflected and endorsed in the rapidly evolving landscape of international, jurisdictional, and industry privacy regulations. Even if not currently subject to legal requirements, forward-thinking organizations are wise to recognize that responsible stewardship of data fosters customer trust and strengthens brand reputation, while also mitigating the risks of potential data breaches.

Where CFIUS is Concerned

Predating the new-age attention to data privacy, CFIUS was first established in 1975 and empowered with authority to review (and potentially block or otherwise mitigate) foreign investments into the US for potential risk to national security interests. As global commerce and technology have evolved through the years, so has CFIUS’ interpretation of national security vulnerabilities. Consequently, CFIUS has seen an expansion in its authority and jurisdiction and is increasingly focusing its attention on the digital realm. This year the President issued an executive order requiring CFIUS, among other things, to maintain a laser focus on the security of US citizen data.

Per its own annual report for calendar year 2022, CFIUS reviewed a record number of covered transactions. [1] Of the total number of notices received, the majority of transaction parties were categorized as coming from what CFIUS defines as the “Finance, Information, and Services” sector. This sector includes, among others: publishing industries; telecommunications; data processing, hosting, and related services; professional, scientific, and technical services; and hospitals. When viewed against historical records, a visible trend emerges demonstrating the CFIUS pivot to increased focus on transactions involving technology companies and entities with access to sensitive user data.

In short: CFIUS has recognized the value and risk of data and its potential to affect social, political, and economic influence, and the Committee is not sitting idly by—they are taking action.

Convergence: Where National Security Meets Data Privacy

This convergence of data privacy and national security represents a critical juncture in the modern information age. Foreign adversaries (geopolitical, economic, military, etc.) now recognize data as a strategic resource. Consequently, the US government has placed increased emphasis on ensuring US persons' information and other sensitive data are appropriately safeguarded. In July 2023, the White House published the National Cybersecurity Strategy Implementation Plan, providing a roadmap to achieving enhanced national cybersecurity defenses and providing guidance to external partners on the capabilities of Federal agencies in incident response and recovery. [2] Additionally, in early August 2023 the White House announced new commitments to strengthen cybersecurity protections for America’s public schools. [3]

While these initiatives are well-intended, the effort is made more difficult by the lack of federally mandated or universal framework standards. Both information security and data privacy programs borrow from a number of similar but competing standards and industry authorities, such as National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), General Data Protection Regulation (GDPR), and California Consumer Privacy Act (CCPA).

These inconsistencies across differing jurisdictions complicate CFIUS’ efforts to determine and prescribe appropriate safeguards and mitigations to covered transactions. While CFIUS is dedicated to protecting national security interests, it must be equally committed to enabling economic growth and innovation when able.

The Path Forward

To be successful in this charge, CFIUS must pursue greater collaboration with private sector, government, and technology experts in establishing expectations and standards to be applied consistently in the interest of national security. Each member agency that comprises CFIUS may play a role in this process – particularly the Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA), which has been charged with leading the defense of our nation’s cyber and critical infrastructure interests.

Key elements in this effort that DHS and CISA can lead include:

  1. Transparency: Encourage a more transparent definition of national security interests and threats. This would enable transaction parties to more effectively conduct appropriate due diligence reviews and better assess themselves and the transaction for risks to data privacy and other national security interests.
  2. Establish a Framework: Define the minimum expected standards for data governance. Given CFIUS’ mandate concerning transactions involving foreign entities, the standards endorsed by CISA should be sophisticated enough to be recognized and accepted by those international jurisdictions with stringent requirements.
  3. Technical Controls: Prescribe hardware and software solutions to safeguard information against unauthorized access and misuse. Mandating security solutions such as encryption, firewalls, multi-factor authentication (MFA), and the practice of least privilege serves to decrease the likelihood of a breach and mitigate the risk posed by such an event.

Conclusion

Regard for data privacy is now deeply entwined in the CFIUS and broader national security mission. As technology offers unprecedented opportunities in innovation and global investment, it also poses significant risk which drives the critical need to protect sensitive data from compromise and misuse—whether that’s in the corporate ecosystem, or targeting data-rich institutions, such as academia or research organizations.

CFIUS must strike a balance enabling growth and economic development while protecting national security interests, including the sensitive information of U.S. businesses and people. That balance can best be achieved by inviting businesses and technology leaders to the table in defining the path forward. DHS and CISA can best represent CFIUS in this collaborative effort by offering guidance to the public and private sectors on appropriate information security standards, suitable for protecting corporate and national security interests alike. Steps taken now to clarify and strengthen will reinforce tomorrow’s national security posture.

[1] Treasury Releases CFIUS Annual Report for 2022 | U.S. Department of the Treasury

[2] https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/13/fact-sheet-biden-harrisadministration-publishes-thenational-cybersecurity-strategyimplementation-plan/

[3] https://www.whitehouse.gov/briefing-room/statements-releases/2023/08/07/biden-harris-administration-launches-new-efforts-to-strengthen-americas-k-12-schools-cybersecurity/
