While the media focuses on US policy restricting Huawei, the Chinese military-backed provider of telecommunications equipment, the company is not the only security threat from China. Data—what, how, and where it is generated, processed, and stored—is arguably the greater concern. While federal policy has long recognized the importance of data, implementing up-to-date data protection is always a work in progress. The bipartisan Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) increased the resources and responsibility of CFIUS (Committee on Foreign Investment in the United States), the body composed of nine cabinet-level Executive Branch agencies charged with reviewing the national security aspects of foreign direct investment. As I describe in a new whitepaper co-authored with the bill’s architect, Congressman Robert Pittenger, CFIUS has stepped up to protect Americans’ information privacy and security. With FIRRMA, Congress requires foreign investment in strategic US businesses to be reviewed for its cybersecurity and privacy implications. The CFIUS of the past approved multiple acquisitions of strategic US technology by companies owned by the Chinese government, including Lenovo, which through its US acquisitions has become a leading collector of US data that is now at risk of coming under the purview of the Chinese government. Congress has ensured that the CFIUS of today does not make the same mistakes, and CFIUS has already blocked or unwound mergers that threaten Americans’ data privacy and security.
The Bureau of Economic Analysis reports that more than two-thirds of the total foreign investment in the US comes from European investors; perhaps less than 5 percent of foreign investment comes from investors from adversarial states. As such, the jurisdiction of CFIUS is necessarily and appropriately limited. However, in recent years, Chinese investment in the US has increased significantly, driven in part by China’s strategy of techno-nationalism, including acquiring top foreign brands and shaping them into Chinese players. Hence China’s interest in assets from IBM, Motorola, and other US firms.
The New and Improved CFIUS
The most recent report of CFIUS to Congress shows FIRRMA’s effect. The number of investigations has more than doubled, and withdrawal notices have tripled since the last report. CFIUS has blocked and unwound transactions that endanger Americans’ privacy and security, notably in 2018 by blocking the purchase of MoneyGram by Alibaba’s Ant Financial. Given that Alibaba feeds its customer data to the Chinese government to calculate social credit scores, there was concern that the same could happen to Americans’ data.
In 2019 CFIUS forced the divestiture of Chinese interests from PatientsLikeMe (a patient-network and research platform in which people with similar diseases connect online) and Grindr (a gay dating app which collected geolocation and HIV status). In 2020 Beijing Shiji Information Technology was required to divest its interest in StayNTouch, Inc., a U.S. company providing mobile technology and property-management systems for hotels.
Recently CFIUS opened an investigation into the short-video app TikTok, developed by the American Musical.ly and subsequently acquired by China’s ByteDance, which collects extensive data like user location, name, age, and IP address. The parties failed to inform CFIUS of the 2018 transaction, but it clearly triggered CFIUS review. US Senators on both sides of the aisle have raised concerns about TikTok, including chilling reports of the Chinese government censoring TikTok videos that discussed human rights protests in Tiananmen Square, Tibet, Hong Kong, and Taiwan. TikTok has repeatedly denied that the Chinese government exercises control over the firm, but employee interviews and leaks describe how content is routinely censored based on political subject matter and any reference to China’s General Secretary Xi Jinping.
Lenovo: The one that got away
Indeed, under FIRRMA’s stricter standards for privacy and security, earlier approved deals that involved Chinese government investment would likely not be approved today, such as the multibillion-dollar acquisition of IBM’s laptop and server divisions by Lenovo, which the bipartisan Congressional United States China Commission (USCC) described as one of China’s national tech champions on the order of Huawei. CFIUS’ mitigation of Lenovo’s 2014 acquisition was minimal, requiring only that IBM maintain the servers in the Navy’s weapons systems and Air Force GPS until 2019. Five years later, IBM and Lenovo have moved on; taxpayers must foot the $378 million bill to rip and replace the Air Force servers, among other costs. The CFIUS of 2014 apparently either did not imagine or simply ignored the fact that sensitive data exists outside the military installations.
Congress and the Departments of Defense and Homeland Security vehemently opposed the Lenovo acquisitions and channeled their ire into a long-overdue reform of CFIUS’ process and standard. Rep. Pittenger noted how General Electric and IBM worked aggressively, but ultimately unsuccessfully, to defeat FIRRMA. Both companies have a history of extensive sales of high-tech, military-applicable capabilities to China. Through joint ventures between GE and Aviation Industry Corporation (AVIC), China developed an enhanced capability to produce high-performance aircraft cockpit controls, displays, communications and navigation systems for warplanes. AVIC is one of the companies featured on the US Department of Defense’s just-released list of China’s military-linked companies. Like GE, IBM systematically transferred dual-use, high-end computing technology to China, giving it a quantum leap in high-performance computing, microprocessing, software, servers, and cloud technologies.
Higher Standards for Privacy and Cybersecurity
That CFIUS requires privacy and cybersecurity review is necessitated further by China’s recent Internet Security and Intelligence laws regulating how Chinese firms treat data on Chinese information technology. The rules apply to any Chinese-made technology anywhere and assert sovereignty over cyberspace and authority over all data. Though there is debate as to how strictly these laws are interpreted and implemented, it is not inconceivable that the Chinese government could compel a Chinese firm to collect, process, and/or transfer American user data to China. Because such activity is indistinguishable from regular network operations, it is nearly impossible to mitigate the risk posed by using a Chinese government-owned firm’s product or service. Emmanuel Pernot-Leplay, PhD in comparative data protection law from Shanghai Jiao Tong University, observes, “Governments worry less about what Chinese law says than what China’s government can actually do.”
As such, it’s the job of CFIUS to consider what China’s government can actually do. The US spends almost one trillion dollars annually on defense, protecting people and property, and preventing attack. We assume that US actors won’t willingly empower adversaries through mergers, especially as there are many buyers in allied countries. However, CFIUS proves that some US actors will prioritize profit over users’ privacy and security. Congress has ensured that CFIUS will step up to protect Americans’ data privacy and security when firms don’t.