Will 2023 Be an Inflection Point in National Security Regulation?

Will 2023 Be an Inflection Point in National Security Regulation?

February 17, 2023, Covington Alert

On the heels of Russia’s invasion of Ukraine, pandemic-induced supply chain disruptions, and U.S.-China tensions over Taiwan, 2022 accelerated a sweeping effort within the U.S. government to make national security considerations—especially with respect to China—a key feature of new and existing regulatory processes. This trend toward broader national security regulation, designed to help maintain U.S. strategic advantage, has support from both Republicans and Democrats, including from the Biden Administration. National Security Advisor Jake Sullivan’s remarks in September 2022 capture the tone shift in Washington: “…[W]e have to revisit the longstanding premise of maintaining ‘relative’ advantages over competitors in certain key technologies…That is not the strategic environment we are in today…[w]e must maintain as large of a lead as possible.”

This environment produced important legislative and regulatory developments in 2022, including the CHIPS and Science Act (Covington alert), first-ever Enforcement and Penalty Guidelines promulgated by the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) (Covington alert), President Biden’s Executive Order on CFIUS (Covington alert), new restrictions under U.S. export control authorities targeting China (Covington alert), and proposals for a new regime to review outbound investments by U.S. businesses (Covington alert). The common thread among these developments is the U.S. government’s continuing appetite to use both existing and new regulatory authorities to address identified national security risks, especially where perceived risks relate to China.

With a Republican majority in the U.S. House of Representatives riding the tailwinds of this bipartisan consensus, 2023 is looking like a pivotal moment for national security regulation—expanding beyond the use of traditional authorities such as trade controls and CFIUS, into additional regulatory domains touching upon data, communications, antitrust, and possibly more. In parallel, the U.S. focus on national security continues to gain purchase abroad, with foreign direct investment (“FDI”) regimes maturing in tandem with CFIUS, and outbound investment screening gaining traction, for example, in the European Union (“EU”). It is crucial for businesses to be aware of these developments and to approach U.S. regulatory processes with a sensitivity towards the shifting national security undercurrents described in greater detail below.

Outlook for CFIUS & Outbound Investment Screening—Potential Stress in the System

CFIUS will face increased stress as an institution owing to a combination of factors, including an increased caseload, a policy push on enforcement (discussed below), and the drain of additional policy initiatives, including outbound investment (discussed below). The prospect of Congressional investigations of the Biden Administration almost certainly will further exacerbate the pressures on the Committee. While we anticipate that CFIUS will continue to process in a timely manner transactions that do not raise complex national security considerations, the stress in the system may make resolving complex cases even more challenging and, in turn, places an even greater premium on thorough—and early—planning by transaction parties.

Since enactment of the Foreign Investment Risk Review Modernization Act (“FIRRMA”) in 2018, we have seen a steady increase in overall activity from CFIUS, backed by dramatic increases in staff and expanded funding. As we observed in the Committee’s Annual Report to Congress released in August 2022 (Covington alert), CFIUS’s heavy caseload continues to grow, with a record-setting 164 declarations and 272 notices reviewed in 2021. Based on Covington’s internal estimates, CFIUS caseload last year appears to have surpassed even 2021’s record, with at least 280 notices filed in 2022. This is particularly striking given the concomitant decline in U.S. merger and acquisition (“M&A”) activity of as much as 43 percent during the same period, and a reported 56 percent contraction in global M&A in the fourth quarter.

The Committee’s burgeoning caseload in and of itself inevitably strains its resources, but this burden is rendered even more acute by several other trends occurring in parallel, including:

• Enhanced Scrutiny in Individual Transactions, Particularly Responding to Russia’s invasion of Ukraine and Tensions with China. The general level of scrutiny in CFIUS reviews has intensified, with information requests expanding both in volume and aperture, probing more frequently into business operations and relationships in China and Russia, as well as into general national security risks that may be inherent in the target U.S. business. Consistent with the Executive Order (“EO”) issued in September 2022 and recent remarks from senior Administration officials, the Committee is also applying even more scrutiny and resources on issues such as supply chain resiliency, data sets possessed or accessible by business, and technology leadership. We have also observed a rising incidence of CFIUS requiring mitigation measures as a condition of approval in cases where mitigation might not have been the obvious landing point in the past. The number of withdrawn and refiled notices has also increased significantly, suggesting that CFIUS now is taking longer to negotiate mitigation agreements with parties—a trend that is consistent with our own observations.
• Committee Focus on Enforcement and Penalties. As we previously reported (Covington alert), the Committee’s Enforcement and Penalty Guidelines released in October 2022 make clear that CFIUS will take a more aggressive and coordinated approach to enforcement of mitigation agreements and non-notified transactions in 2023. While, as we said, we do not expect this to be open hunting for civil money penalties, there is clear evidence of greater resources and attention being paid to enforcement and monitoring—and that inevitably will also lead to more senior-level attention on specific enforcement matters.
• Further Policy-Related Initiatives, Especially on Outbound Legislation. We also continue to see momentum, both in the White House and Congress, toward a new outbound investment review process (colloquially, a “reverse-CFIUS”) to screen certain foreign-bound investment by U.S. persons. The Consolidated Appropriations Act, 2023 (“Omnibus Bill”), signed into law by President Biden on December 29, 2022, requires the Departments of Commerce and Treasury to prepare a report setting out the details of a new outbound investment review regime. While the text of the Omnibus Bill itself does not expressly reference outbound investment, explanatory statements released by the conference committee contain provisions directing each of the Departments of Commerce and Treasury to “consider its role in the establishment of a program to address the national security threats emanating from outbound investments … in certain sectors that are critical for U.S. national security.” Both Commerce and Treasury must submit a report within 60 days after the enactment of the bill (i.e., by February 27, 2023), and Treasury is required specifically to identify resources “required over the next three years” to establish and implement an outbound investment screening program. While the bill provides no additional insight into the scope of a new potential outbound regime, the inclusion of a short-fuse report requirement in the Omnibus Bill signals enduring (and energetic) support for some form of outbound investment screening in the near future.
     
  Even if Congress ultimately fails to pass legislation establishing an outbound investment regime, recent reports indicate a forthcoming EO from the White House that would design a new outbound regime, including a combination of investment restrictions and notification requirements, focusing on semiconductors, artificial intelligence, and quantum technology. Deputy Attorney General Lisa Monaco’s recent remarks on “disruptive technologies” also referenced “outbound investment” as a key, emerging focus of the U.S. government, further suggesting that Administration action was likely. The final scope and timing of an EO remains to be seen, but this is yet another area where the government’s resources (particularly more senior resources) on investment screening—resources that formerly were the exclusive domain of CFIUS and related processes, such as the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (better known as “Team Telecom”)—will continue to spend time, making individual transactions or enforcement matters compete for that time.
• Scrutiny from Congress and the China Select Committee. Meanwhile, we expect increasing domestic scrutiny, including in the form of Congressional investigations, to further exacerbate pressures on the Committee. The feedback loop between Congressional pressure and recent media focus, for instance, on Chinese real estate investments in North Dakota and elsewhere, has created a constrictive environment for CFIUS that exposes the Committee’s processes to political stress and, in turn, could trigger a chilling effect.
     
  Central to this new normal will be the Republican majority in the House of Representatives. Earlier this year, the House formally established the new “Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party,” (“Select Committee”) with a bipartisan vote of 365-65 (Covington alert). The Select Committee will be heavily focused on oversight and investigations and is expected to scrutinize, among other things, U.S. businesses operating in China, businesses in China on which the United States is perceived to depend, and other areas where Congress sees opportunities for private industry to bolster America’s competitive position against China.
     
  The Select Committee has no legislative authority to act on any policy measures; its primary function is hortatory, shaping both public opinion and guiding standing committees (and possibly the Executive Branch) regarding policies that should be pursued to address “the Chinese Communist Party’s economic, technological, and security progress and its competition with the United States.” The Select Committee's unique contribution is its ability to address perceived risks from China through a “whole of government” approach, unlike other committees which are limited in their respective jurisdictions. Although the Select Committee has yet to formally announce its investigative agenda, Republican leadership has indicated that the Select Committee will focus on a range of national security issues, including outbound investment, cybersecurity, intellectual property, healthcare supply chains, oil and gas, and even renewable energy, targeting President Biden’s clean tech initiatives that involve collaboration with China. Overall support for the Select Committee’s agenda remains notably bipartisan, with a Democrat serving as the panel’s ranking member.

  We are expecting that the Select Committee, which has subpoena power, will have an active investigative agenda, and that companies across a range of industries with interests in China may receive written inquiries from or be asked to testify at hearings by the Select Committee. In particular, we are expecting the Select Committee to focus on issues such as (i) outbound investment screening, (ii) Chinese participation in U.S. supply chains, including, for example, in industries related to energy transition, (iii) perceived gaps in CFIUS’s authorities, including with respect to greenfield investments and real estate transactions, and (iv) areas of U.S. dependency on China, including, for example, active pharmaceutical ingredients (“APIs”) and rare earth elements, among others.

Global FDI, UK NSI, and Outbound Screening

Globally, the regulatory environment for investors reflects some broadly similar themes overall, manifesting a shared sensitivity among national governments regarding the potential impact of investment on the security of domestic industries, critical infrastructure, and technology. Within just the past few years, countries including Australia, New Zealand, and India have meaningfully updated their FDI regimes, adding greater scope for scrutiny of national security considerations; Canada has recently announced further reforms within the same trend for later in 2023.

Since the adoption of the EU FDI Regulation in 2019 (the “FDI Regulation,” EU 2019/452), the rapid introduction and expansion of foreign investment screening regimes has been a conspicuous development in Europe. The FDI Regulation established procedural standards, furnished guidance on areas of national security interest, and created an EU-wide cooperation mechanism, although powers to review and, where necessary, control FDI largely remain at the national level with member states. By the end of 2023, all but one or two EU member states are expected to have national FDI regimes. These national FDI regimes currently demonstrate varying degrees of maturity and modes of implementation (discussed here); that said, a degree of common interest in Chinese investment is apparent with, for example, Italian and German regulators making notable decisions to block certain transactions by Chinese investors, particularly in areas of critical technology.

Importantly, during 2023, the European Commission will also gain adjacent and potentially overlapping competence to review inbound investment via the EU Foreign Subsidies Regulation (the “FSR Regulation,” EU 2022/2560; discussed here). The FSR Regulation will have effect from July 12, 2023, while mandatory filing requirements in turn will apply from September 12, 2023 (both of which were confirmed in implementing measures published on February 6, 2023). In other initiatives, the EU is also considering its own CHIPS legislation among its strategic priorities and, during 2021, updated its export controls laws (discussed here), which indirectly impacts the scope of some FDI filing requirements. As in the United States, various regulatory touchpoints now exist in Europe for the exploration of national security considerations.

The United Kingdom (the “UK,” outside the EU since December 31, 2020) has undergone a significant change to its investment landscape with the enactment of the National Security and Investment Act 2021 (the “NSIA”; discussed here). Despite a quieter M&A market in 2022, the newly formed Investment Security Unit (the “ISU”) is expected to have fielded a significant number of NSIA filings. To date, the Secretary of State for Business, Enterprise and Industrial Strategy (the “Business Secretary”) has issued 13 final orders prohibiting or conditioning investments based on these filings and other NSIA interventions. Of these, eight orders concern Chinese investors, while others concern investors from Russia, the United States, Australia, the Middle East, and the UK. The UK government appears keen to demonstrate both that the country remains open to investment (having also publicly cleared several transactions for lack of national security concern) and that it is committed to acting decisively when transactions involve “sensitive” targets, regardless of investor origin. In this politically charged environment, oversight of NSIA decision-making is also developing in tandem, including, through public interventions from the Chair of Parliament’s Foreign Affairs Committee and other politicians who continue to show interest in steering the implementation of the NSIA to the extent possible. Following a reshuffle of governmental responsibilities, the ISU is also expected to be relocated to the UK Cabinet Office in the near future, and NSIA decision-making powers will be reassigned from the Business Secretary to the Cabinet Office Minister.

To date, the ISU and the UK Secretary of State have been careful to distinguish between economic orders—made in the context of an NSIA review but separately and on an agreed basis—and NSIA orders that are more specifically underpinned by national security findings. Nevertheless, in a trend we have observed across the global FDI landscape, the concept of national security nexus is very much still being defined and appears likely to remain in flux for some time to come. This requires thoughtful navigation by investors in their interactions with various regulators, through an overarching strategy as well as catering for local differences.

Simultaneously, outbound investment screening proposals have cropped up elsewhere. For instance, the EU’s 2023 work program includes a reference to a potential EU outbound investment screening regime. On page 8, the document states that “we will examine whether additional tools are necessary in respect of outbound strategic investments controls.” The German Ministry of Foreign Affairs first presented the idea of introducing new powers for an outbound investment regime in early November 2022, and the German Ministry for Economic Affairs and Climate Action (“BMWK”) has further explained that it intends to discuss the screening of outbound investments within the EU and with other partners. While the future of an outbound screening regime in the EU remains far from decided, the broader project of outbound scrutiny, especially with respect to China-bound investments, has gained champions in Washington and abroad. Against the backdrop of geopolitical tensions in 2022, a potential multilateral effort to implement certain limited outbound screening could help address the concern that a unilateral U.S. regime might create a disproportionate regulatory burden for U.S. parties.

Expanding Scope of National Security: Impact on Other Regulatory Regimes

Amid regulatory developments in the EU, what makes the environment in 2023 especially notable is the appetite within the U.S. government—across both major political parties, both houses of Congress, and the Executive Branch—to stretch national security regulation beyond the more traditional national security domains, into adjacent regulatory landscapes touching on data, communications, and antitrust.

• ICTS. For the past few years the U.S. government has increasingly become concerned with the ability of foreign adversaries to expropriate U.S. technologies, intellectual property, or sensitive government or commercial information, including through the implementation or exploitation of Information and Communications Technology and Services (“ICTS”) vulnerabilities. Reflecting this concern, President Trump signed Executive Order 13873 (the “ICTS EO”) in 2019, which granted the Department of Commerce (“Commerce”) authority to implement a regime to review and prohibit certain transactions for purposes of securing the United States’s ICTS supply chain. Notably, “transactions” is broad in definition, and can mean an acquisition, importation, transfer, installation, dealing in, or use of ICTS, including ongoing activities such as updates or repairs. Reflecting the bi-partisan consensus around this issue, Commerce under President Biden issued an Interim Final Rule in 2021 implementing the ICTS EO (the “ICTS Rule”) (Covington alert).
    
  On the heels of the ICTS Rule, Commerce also issued a press release noting that it had issued multiple subpoenas to Chinese companies that provide ICTS in the United States, for purposes of “investigating whether the transactions involving these companies meet the criteria set forth in the [ICTS EO].” The press release further indicated that these types of investigations where a high priority for the Biden Administration, noting “[t]he Administration is firmly committed to taking a whole-of-government approach to ensure that untrusted companies cannot misappropriate and misuse data and ensuring that U.S. technology does not support China’s or other actors’ malign activities.” Despite these initial steps indicating that Commerce would be prioritizing ICTS investigations, however, there is no further public record indicating the completion of investigations or enforcement under the ICTS Rule.
       
  We believe the apparent lack of movement by Commerce on ICTS investigations was at least in large part due to resource constraints. However, the White House’s 2023 Budget includes specific funding for ICTS enforcement, and we accordingly may see an uptick in enforcement activity by Commerce. Specifically, the White House noted that Commerce was granted a $36 million budget increase “to review ICT transactions that pose an undue risk to the United States, and an enforcement program to deter and mitigate foreign malicious cyber-enabled activities.” We also understand that Commerce has now specified that the Bureau of Industry and Security (“BIS”), which among other duties is responsible for enforcement of the Export Administration Regulations (“EAR”), will take the lead on implementing and enforcing the ICTS Rule.
      
  With BIS taking the lead, and funding dedicated to investigations and enforcement, we expect that Commerce may be able to not only advance its on-going investigations, but also potentially start casting a wider net with respect to the ICTS transactions it scrutinizes. In parallel, and given the broad bi-partisan support to address ICTS supply chain risk, we cannot rule out the possibility that Congress may look to draft and pass legislation establishing a permanent regime dedicated to the review of ICTS transactions. Given the ever-increasing appetite across government to secure the ICTS supply chain, and our expectation that at a minimum Commerce will increase its activity in 2023, it will be important that both foreign and U.S. companies follow the developments related to the ICTS Rule, as it may ultimately implicate not only the ability of certain foreign companies from selling or licensing certain ICTS in the United States, but also the U.S. counter-parties that are acquiring such ICTS.

• Potential Related New EO on Protecting Sensitive Personal Data. Separate but related to the U.S. government’s concerns around the exploitation of ICTS vulnerabilities is the focus on protecting U.S. sensitive data from foreign collection and exploitation, including data associated with users of software applications. While President Biden suspended the Executive Orders signed by President Trump that sought to address this issue through targeting two specific applications—WeChat and TikTok—he also signed Executive Order 14034 (the “Connected Software EO”) in June 2021 that broadly focused on protecting sensitive data of U.S. persons through the scrutiny of transactions with foreign adversaries that involve connected software applications. In December 2021, Commerce issued an Advanced Notice of Proposed Rulemaking indicating it would amend the ICTS Rule to also capture transactions involving connected software applications, and in turn Commerce planned to leverage the authority under the ICTS Rule to also review and potentially prohibit transactions involving connected software applications. Likely due to the same resource constraints that appear to have limited investigations and enforcement under the ICTS Rule generally, however, Commerce to date has taken no further action to formally amend the ICTS Rule.
    
  Reports then started circulating last year that the White House was considering signing yet another EO that would give the Department of Justice (“DOJ”) certain authority in connection with the review of transactions involving data of U.S. persons (the “Sensitive Data EO”). One Reuters report suggested that DOJ would actively monitor compliance with certain prohibitions, mitigation measures, or measures, as determined by Commerce and also pursue enforcement actions as required, thus indicating that both Commerce and DOJ together may be involved in scrutinizing transactions involving U.S. sensitive data going forward.
     
  We expect that Commerce’s delay in formally amending the ICTS Rule to include connected software applications, and general inaction to enforce the ICTS Rule to date, may have motivated the rumored Sensitive Data EO more than any net new national security concerns. Indeed, the same substantive national security concerns cited in connection with the Sensitive Data EO—namely concerns with China’s access to U.S. personal data and the need to limit that—were also cited in connection with the Connected Software EO and are shared across the U.S. national security community. The question in 2023 then will be whether as part of its likely increase in implementing and enforcing the ICTS Rule more generally, Commerce will also take further action with respect to the Connected Software EO or whether the White House or even Congress will seek to take separate action to push for faster implementation of a regime that will address transactions involving sensitive data of U.S. persons.

• Tying Antitrust Considerations to National Security. At the end of 2022, a version of the Foreign Merger Subsidy Disclosure Act became law as part of the 2023 Omnibus Bill. The legislation requires parties filing merger notifications under the Clayton Act to now disclose subsidies from certain “foreign entities of concern” including China, where “subsidies” can take the form of “direct subsidies, grants, loans, loan guarantees, tax concessions, preferential government procurement policies, or government ownership or control.” The provision specifically highlights the role of Chinese foreign subsidies with explicit references to Made in China 2025 and its anti-competitive consequences.
    
  Importantly, the Federal Trade Commission (“FTC”) must also consult with CFIUS, DOJ, Commerce, the International Trade Commission, and the Office of the United States Trade Representative to determine the form and content of such notice that would enable the FTC and the DOJ Antitrust Division to determine whether these subsidies are in violation of antitrust regulations, i.e., whether subsidies have a distorting effect on competition. The requirement for reporting these subsidies will not take effect until the FTC promulgates rules for providing notice after the required consultation with other agencies. While it remains to be seen how enforcers will apply this provision, not to mention how long the accompanying rulemaking process will take, there will be an additional disclosure component to the merger review process and another opportunity for antitrust regulators to receive advice from their national security counterparts.

• Increased National Security Scrutiny in Telecommunications Services. The Federal Communications Commission (“FCC”) has also focused on expanding national security scrutiny within its processes. Most recently, FCC Chair Jessica Rosenworcel announced that she expects to circulate a proposal that will authorize the FCC, in coordination with Team Telecom, to periodically evaluate the foreign ownership of FCC licensees in light of national security considerations (Covington blog).
  
  Although Chairwoman Rosenworcel made her proposal in the context of Section 214 licensees for interstate and international telecom services, it is not clear whether her proposal will be limited to these types of licensees or whether it will extend to other types of licensees such as wireless and subsea cable licensees. It also is not clear whether the proposal will be in the form of a Notice of Proposed Rulemaking or Notice of Inquiry, which could affect the timing of any new rules.
  
  Currently, foreign ownership review occurs only when FCC licenses are first sought, or when transfers of control or assignments occur. The perceived shortcomings of this approach arose in connection with the FCC’s review of the China state-owned enterprise 214 licensees, which were specifically referenced in Rosenworcel’s speech. Because most of those licensees did not have a transaction or license application before the FCC, the FCC had to undergo additional processes to initiate and conduct those reviews and, ultimately, commence license revocation proceedings.
  
  While the scope of the new FCC proposal remains unclear, this development is notable because it could affect an existing licensee’s ability to bring on foreign investors that do not otherwise trigger a transfer of control. It also could subject licensees to evolving thinking by national security agencies about which owners/investors trigger national security concerns, as the agencies will be able to act on that evolving thinking more quickly. When applied only to investments by Russian or Chinese investors, the impact of this change may be modest because most FCC licensees are aware that investors from those countries can trigger considerable scrutiny. That said, it is possible that over time the gaze of the FCC, and of the supporting national security agencies, may broaden to investors from more benign jurisdictions.
  
  Another notable development has been the FCC’s use of its authority over electronic equipment to achieve national security goals. In November 2022, the FCC effectively banned certain Chinese telecom and video surveillance devices from the U.S. market—demonstrating the power of its authority over virtually all electronics equipment, which until this decision had been exercised only to address technical, scientific, and engineering concerns. With Congressional backing, the FCC now has established itself as a potent vehicle for excluding products from the U.S. market on national security concerns (Covington blog).

Together, these developments portend greater impetus in the ongoing push to make competition with China, among other national security considerations, a top priority across U.S. legislation and various regulatory processes in the year to come. In turn, a coordinated approach to U.S. regulatory processes that integrates expertise in these dynamics will be critical to navigating the current climate.

If you have any questions concerning the material discussed in this client alert, please contact the members of our CFIUS, FDI, and Antitrust practices.