A number of highly publicized recent cases have underscored the risk to private parties in mergers and acquisitions (M&A) and investment transactions that the Committee on Foreign Investment in the United States, or CFIUS, may block the transaction on national security grounds. Worse for the parties, if they fail to receive CFIUS approval prior to closing the transaction, CFIUS has jurisdiction in perpetuity to retroactively review the transaction.

Despite these costs – along with the timing and cost burdens to transaction parties who proactively seek CFIUS approval – CFIUS plays a vital role in the national security of the United States, especially in a geopolitical climate in which economic statecraft is contested. In fact, while the role CFIUS currently plays is important, giving CFIUS broader authority to share the information it gathers – and to gather certain other key information – could allow CFIUS to further promote US economic security.

CFIUS and its successes

CFIUS’s authority was expanded in an act of overwhelming bipartisan agreement in 2018. Responding to China’s state-backed enterprise model and military-civil fusion policy, as well as Russian cyberattacks on private US companies, Congress rightly recognized the private sector as fertile grounds for malicious actors to attack US national security.

Current CFIUS policy is successful in a number of ways: 

• CFIUS addresses the unique risks associated with foreign ownership of US businesses. Other regulatory regimes, while not without their flaws, generally succeed in controlling foreign access to the most sensitive technologies US businesses produce and in preventing commercial transactions with bad actors. CFIUS, however, addresses risks far broader than access to a particular piece of technology. The committee is well positioned to prevent the transfer of deeper know-how about technology, production processes, supply chains, and distribution channels—information that is at risk of being transferred to a hostile actor when a company itself, rather than its product, is being acquired. Critically, this knowledge is core to a company’s—and a country’s—technological leadership. Addressing the risk of divulging this know-how is CFIUS’s primary role, and CFIUS is well calibrated to accomplish the mission.

• The committee’s process provides it unique visibility into current industry trends and technological developments, which in turn provides the US government a valuable understanding of the national security risks involving the private sector. The basic function of a CFIUS review is to gather information about a US business, its strategy, and how it fits into the broader sectoral landscape. If collected skillfully, this information, derived from hundreds of transactions each year, provides the US government visibility into how technologies from most sectors are developing and attracting investment. It also provides the US government with up-to-date information about corporate security—the relative effectiveness of corporate best practices, and where companies have failed to implement meaningful security policies.

• CFIUS plays a valuable and growing role in economic statecraft. China’s approach to economic diplomacy—via state-funded acquisitions, its Belt and Road infrastructure projects and its reactionary import policies when criticized abroad—demonstrates how the country treats economic activity as a  tactic to enhance its hard power. As part of the 2018 CFIUS reforms, the committee wisely began promoting the implementation of CFIUS-like reviews in foreign countries by offering more lenient treatment for investments originating in these countries. Policymakers recognized that if the United States alone clamped down on Chinese acquisitions in the semiconductor space for instance, that investment activity would redirect to Europe. Meanwhile, CFIUS-like processes are emerging or being updated across Europe, Canada, and Australia; these will counter the government-dominated investment model from China, while also eventually minimizing burdens to cross-border investment among allied nations.

Making the most of CFIUS

These successes reflect a thoughtful balance between CFIUS’s dual mandate to protect national security while maintaining a free and open investment environment in the US. And with minor tweaks to current CFIUS operations, coupled with thoughtful changes to broader national security policy, the committee can become a multiplier of the United States’ work to counteract hostile actions against the private sector.

Even so, it is tempting to question whether the committee’s transaction-by-transaction review of national security issues misses the forest for the trees. For example, while CFIUS may force the divestiture of a handful of software applications previously acquired by Chinese investors, it neglects to address US national security concerns that remain when Chinese companies are still free to directly offer apps to US consumers and routinely amass data on the users.

Here is it crucial to acknowledge that by its very structure and purpose, CFIUS does not address the full spectrum of risks in the private sector, nor should it. Providing a thirteen-agency panel with broader authorities to regulate the private sector absent a triggering investment would risk overregulating the private sector.

Still, policy changes may also help expand CFIUS’s value for the US government. The information CFIUS gathers, the analysis it performs, and the solutions it devises as it reviews hundreds of transactions each year should be available to policymakers and other regulators for purposes beyond CFIUS’s mandate. This detailed context about each sector should be used to promote best practices relating to the specific security threats facing each industry and, where warranted, informed regulatory requirements. The mere act of sharing more broadly the issues CFIUS grapples with may help demonstrate where current security policies are lacking. For example, the forced divestiture of Grindr and the ongoing saga around TikTok, as well as China’s far-reaching attempts to collect DNA data on U.S. persons, have revealed the dire need for federalized data privacy and data security standards.

With CFIUS better able to share its information with other policymakers, it could also ask for additional information from parties:

• Their assessment of the industry in which the US business operates. In connection with an investment transaction, both the US business and the investor have performed extensive analysis of the US business and its potential to perform in its industry. This includes such information as the technologies that are being adopted at the business, the roadmaps that lie ahead for future products, the products and industries that are supplanting outdated technologies, and more. This would be useful to help policymakers understand broader industry trends and predict where national security threats may emerge.

• Significant suppliers to the US business. By routinely inquiring about the key suppliers of a US business, CFIUS can identify weaknesses in the supply chain of critical technologies and assist the United States in developing a response. The recently reported shortages of microchips, in part due to export bans to foreign producers, underscores the complexity of global supply chains.

• Information about any recent cybersecurity incident that the US business or the foreign investor has encountered. A routine request relating to every incident, its cause, effect, and mitigation would be valuable for CFIUS to spot trends in malicious activity and help to inform other federal efforts, such as the Department of Homeland Security’s Cyber Information Sharing and Collaboration Program.

• Workforce capabilities in the relevant sector. In evaluating the labor market, it is helpful for CFIUS to understand the skills that competitive US businesses desire in their recruits and whether the skills are available in the local and national workforce. An industry without access to necessary expertise will cease to innovate, undermining US technological leadership. This is a particularly pressing problem in the government contracting space, where workers require both relevant skills and US government security clearances. Early warning of a skills shortage in vital sectors may spur other departments of the federal government to draw up solutions for the national workforce.

In developing national security strategies, policymakers must prioritize addressing private sector risks—and they should use CFIUS to help accomplish that. Private sector risks are unique beasts because in many cases, the federal government lacks clear authority to mandate change—setting aside entirely whether it would be wise to do so. And in any event, where a solution to a national security risk in the private sector is identified, the government must rely on private actors to implement the solution, including in instances in which the economic incentives to the private actors do not exist. CFIUS is already doing the groundwork to evaluate and respond to threats to the private sector, including in the way it partners with the private sector to address identified risks—but its case-by-case approach is not a substitute for comprehensive policy.

Furthermore, as a core part of CFIUS’s mandate is to protect US technological leadership, the committee should work with federal groups like the various advanced research project administrations to require verifiable security standards when providing research grants to the private sector, non-profits, or universities. Recipients of these grants are often the target of overseas investment—and almost certainly malicious actors as well—and CFIUS has deep experience in articulating verifiable security standards that would help protect grant recipients’ next generation technologies.

Finally, given its access to current information about a broad range of sectors of the US economy and its unique understanding of private sector national security risks, CFIUS should be used to help policymakers analyze and more clearly articulate the concept of “economic security,” as well as how economic security merges with, and is distinct from, national security. Judicial and legislative deference to the executive branch on “national security” issues enabled the Trump administration to assert national security as the justification for everything from the targeted killing of a high-ranking member of a foreign state to the administration’s attempts to place tariffs on European automobiles and remove liability protections for social media companies for user content. Surely these actions are not of a kind, and distinctions among these rationales are necessary to prevent a bloated “national security” concept from exempting otherwise “economic” executive initiatives from transparent democratic processes.

In no free economy can the government extinguish all national security risks attached to the private sector. But CFIUS brings together a broad swath of federal government expertise and may help improve our national security footing in  key sectors of the US economy. If the threats China and Russia pose to the United States demonstrate that the meaning of national security has expanded to encompass the private sector, CFIUS is uniquely positioned to contribute to that response. Wise use of CFIUS can significantly strengthen US national security defenses.

John Kabealo is the founder of Kabealo Law, a firm that specializes in advising clients on CFIUS issues.