How International Acquisitions Can Become a Cybercrime Frontier

Disrupting digital threats on the federal level relies on more inventive, modernized tactics to support a stronger U.S. cybersecurity posture, with agencies like the Federal Bureau of Investigation and Treasury Department collaborating to evaluate virtual threats to national security. 

Agency leadership from the FBI, Treasury, and more spoke during an Aspen Institute event on Wednesday on the U.S.’s current strategies to tackle cybersecurity as a national security matter––a provision mandated by President Joe Biden’s recent National Cyber Strategy. 

Treasury’s Committee on Foreign Investment in the United States is screening foreign investments and international corporate acquisitions and mergers to ensure the safe transfer of technology and absence of malwares entering and exiting the U.S.

“So the way we think about it is: What is this foreign business or person buying? What do we know about that foreign person or business? What are they buying? What do we care about the technology or business that they're buying?” explained Paul Rosen, Treasury’s assistant secretary for investment security. “And so we're putting those things together—what is the impact on national security—and so we do that assessment.”

Working within CFIUS, Rosen said that following the outcome of an official assessment, the Treasury or the president can block a potentially dangerous transaction. One area Treasury and CFIUS are focusing on in particular is what types of U.S. data could be exposed in an international business transaction. 

“In our digital world and our digital economy, data has sort of transformed everything that we do, creating a whole host of conveniences in everyday life, but it also presents a series of national security risks and concerns,” he said. “One of the areas where…we plug in on national security risks as it relates to data and cybersecurity, for example, is thinking about that U.S. business acquisition: How much data is in that US business? Do we care about that data? Is it U.S. persons’ sensitive information? Is it sensitive source code?”

A worst-case scenario for an acquisition or sale is if sensitive data within a given U.S. product or business can be used for foreign espionage against the U.S. 

Here, other agencies, including the FBI, step in to add additional review to these transactions.

“I think we're working hand in hand both with CFIUS and OFAC [Office of Foreign Assets Control] over at Treasury to provide information that can lead to the enhanced reviews or sanctions on these entities,” said Cynthia Kaiser, the deputy assistant director of the Cyber Division at the FBI. “We're trying to point out…when a company is involved in say a joint venture, what kind of cybersecurity risks they take on.”

Kaiser provided an example where China mandated that specific software be integrated into the networks of a U.S. company working within its borders. The software itself contained malware enabling malicious actors to enter private networks. 

“We were able…through our own investigative techniques, to understand how to close that backdoor,” she said.

While data privacy is a chief concern for both agencies, Rosen clarified that CFIUS will be reviewing cases featuring other critical and emerging technologies, including semiconductors, quantum information systems and artificial intelligence.

“One of the things we recipients are really trying to do is think around the corner and be thoughtful because if our adversaries want to use acquisitions to get our sensitive technology, they too are thinking about new and novel ways to do so,” he said. “And so we're trying to stay one step ahead of them.”