Cyber Risks and CFIUS: A Conversation With MoFo's John Carlin

January 03, 2018 at 01:10 PM
Share & Print

John Carlin has spent most of his career in public service, focusing in recent years on national security and cyber investigations. He's now on the other side of the table as a partner at Morrison & Foerster in Washington, where he leads the firm's global risk and crisis management team.

Carlin couldn't be better positioned, leading the group at a time of rising tensions between the United States and its trading and investment partners over national security and economic interests. He joined the firm from the U.S. Department of Justice in January. At Main Justice, he was the assistant attorney general in charge of the National Security Division.

One big part of the law that's on Carlin's plate now: advising companies that are tangled up in reviews by the once-obscure Committee on Foreign Investment in the United States, or CFIUS. At the DOJ, Carlin was the Justice Department's representative on CFIUS, the interagency panel that reviews mergers and acquisitions involving foreign companies for national security threats. Before working in the division, Carlin was chief of staff and senior counsel to Robert Mueller III, the former FBI director who's now leading the investigation into Russia's interference with the 2016 presidential election.

Carlin recently spoke with the National Law Journal about bipartisan legislation introduced in November in the U.S. Senate and House of Representatives by U.S. Sen. John Cornyn, R-Texas, and U.S. Rep. Robert Pittenger, R-North Carolina, respectively, to overhaul the CFIUS review process. CFIUS reviews, which are voluntary, are meant to protect the nation from business transactions that pose a national security or strategic risk to the United States. The panel has the authority to require the transaction's parties to undertake risk mitigation, such as carving out a specific location or element of the deal.

The panel can also recommend that the president block a deal entirely. President Donald Trump, for example, in September blocked the sale of Oregon-based Lattice Semiconductor Corp. to a Chinese company. A deal by Anthony Scaramucci, briefly a White House communications director, to sell his stake in SkyBridge Capital to Chinese company HNA Group Co., which is partly government-owned, appears to be in jeopardy after not yet clearing its nearly yearlong CFIUS review, according to reports in financial media including Bloomberg News in mid-December.Treasury Secretary Steven Mnuchin, who chairs the panel, has urged toughening CFIUS reviews.

The CFIUS review process also appears to be affecting efforts by China Oceanwide Holdings Group Co. Ltd. to acquire Genworth Financial Inc.

Underscoring rising concerns, on Dec. 18, Trump announced his national security plan that labelled China, a major trade partner and investor in the United States, as a strategic "competitor" and calls both Russia and China "rival powers" seeking to "challenge American influence, values and wealth. (China responded by calling on Washington to "abandon a Cold War mentality.")

While leading the DOJ's National Security Division, Carlin oversaw the indictment in 2014 of five Chinese military members for economic espionage for hacks against several big U.S. companies, among them United States Steel, Westinghouse, Alcoa Inc. and SolarWorld from 2006 through 2014. The division also investigated the cyberattack on Sony Pictures Entertainment in late 2014 that the U.S. government determined originated in North Korea; and brought charges with the FBI against seven Iranians working for computer companies under contract to the Iranian government and military that conducted cyberattacks between 2011 and 2013 against 46 financial institutions including Wells Fargo and JPMorgan Chase & Co.

Now, much of his work involves advising clients about the growing risks of cyber intrusions by rogue states and organized crime rings, and the steps they can take to reduce the risks. He spends much of the rest of his time dealing with clients "because they have been breached and how to handle the fact that they have had an intrusion."

Law firms share the same risks as the companies they represent, Carlin points out. "We have seen both nation-states and criminal groups target law firms for schemes from insider trading for information to use they could make money on the market to using it for general strategic (use) to litigation strategy," he said.

The following conversation was edited for clarity and length.


National Law Journal:
What would the proposed legislation Foreign Investment Risk Review Modernization Act change?


John Carlin:
In recent years there have been growing concerns about the potential threats to our national security posed by foreign investment in the technology sector. Starting in the last administration and continuing now, we've seen CFIUS become much more active in its reviews, going well beyond military "supply chain" considerations that were once its bread and butter. CFIUS is focusing more and more on data privacy and economic espionage, as well as on intellectual property in the technology sphere that could have military applications. The biggest worry has been Chinese investment in technology and other emerging sectors.

China (Photo: Thinkstock)

(Photo: Thinkstock)

Deals involving Chinese acquirers are getting a much harder look. But the government has concerns that [there are] important gaps in existing authorities. Let's say you are trying to block the transfer of a certain type of technology. If the foreign acquirer tries to control the company that makes it, it gets reviewed and potentially blocked or mitigated. But if the same foreign company instead tries to acquire the same technological know-how through the transfer of intellectual property rights, a joint venture or getting involved on the ground floor with a startup, it can fall entirely outside the review process.

The legislation, which would represent the first overhaul of CFIUS in a decade, attempts to fill some of those gaps by broadening what qualifies as a transfer of control. It would also broaden CFIUS' enforcement capabilities, add teeth to the process and provide fee and funding mechanism to increase the staff.


A major provision of the Cornyn bill is requiring more types of transactions to undergo expanded reviews. What are the additional types that might require review that don't now?

For starters, the bill would give CFIUS additional authority to review investments in "critical technologies" and "critical infrastructure" that might not qualify as acquisition of control under the current rules. For example, CFIUS would have new authority to review circumstances in which a foreign company receives rights to intellectual property of a U.S. "critical technology company" through an arrangement such as a joint venture. It would also strengthen enforcement by requiring CFIUS to review transactions in certain cases where the foreign investor is owned by a foreign government.


What else is particularly different from existing law around CFIUS?

The major emphasis on cybersecurity and information security concerns. There's a requirement that CFIUS evaluate whether any covered transaction is likely to exacerbate cybersecurity vulnerabilities in the United States. CFIUS would also be required to more carefully scrutinize transactions that could give foreign investors access to personally identifiable information [PII] about Americans.

What this means is that in practice is that deals in sectors like health care, insurance, gaming, finance and e-commerce are all going to get more scrutiny given the amount of PII at issue. Already my clients are surprised to hear that these kinds of transactions raise "national security" concerns that need to be mitigated just as if they were a defense contractor.

My prediction is that the provisions addressing cybersecurity risks and transfer of personal information about Americans alone will cause a dramatic increase in the number of transactions where the parties file with CFIUS because they may raise national security concerns.


How would this proposal change the transparency of CFIUS proceedings?

The Cornyn bill would strip some of the secrecy and confidentiality that currently surround CFIUS proceedings, including giving CFIUS the power to share information with domestic and foreign governmental entities, "to the extent necessary for national security purposes and pursuant to appropriate confidentiality and classification arrangements." The bill also contains more detailed reporting requirements.


Is this bill specifically meant to address trade with China or is it more broadly targeted?

While China is not named expressly in the bill, its sponsors haven't exactly been coy about the fact that it is aimed squarely at China.

The bill also allows CFIUS to identify "countries of special concern." If a transaction involves investors from a "country of special concern," then CFIUS has to consider additional factors, including whether the transaction could give a competitive edge to that country in a strategic industrial or technology sector.

The bill also allows you to "white list" a country to say that it presumptively does not pose a security threat. Clearly, China, while not named, would seem a prime candidate for greater scrutiny under that approach. So would countries on the sanctions list such as Iran.


How would this bill change the submission process and associated fees?

Currently, CFIUS doesn't require parties undergoing review to pay any fees. The bill would allow CFIUS to charge companies processing fees up to $300,000, or 1% of the total transaction value. But it would also allow for certain improvements from the point of view of the companies, including the ability of companies in low-risk categories to submit abbreviated filings.


Now that you are advising clients instead of enforcing the laws of the United States, what are you finding when you counsel them about CFIUS?

I am finding right now in practice that just as this is a relatively new area in due diligence, a lot of clients are being caught unaware that their cybersecurity practices are going to be relevant to the national security concerns of CFIUS. I also find that once you can explain why CFIUS is raising concerns, that we can often draft ways of doing the deal that help the business while mitigating the government's concerns.

CFIUS knows the national security concerns, but on the government side, they don't know what is critical for the business purpose, so without creative suggestions from the parties, you might never know that deal could go through with proper mitigation.


What concerns do you have going forward for your clients in the area of CFIUS review?

Already, the responsibility being placed on CFIUS strains its resources and bandwidth and can make it challenging to get transactions through quickly. Filling gaps in the review process is important because there are serious national security concerns at stake here. But so is finding a way to have certainty and predictability for transactions that don't raise issues or where the concerns have been addressed. Clients also crave more transparency on how CFIUS is approaching a deal so they can plan rationally and address concerns.


— Connect with ThinkAdvisor Life/Health on
Facebook and Twitter.

NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Related Stories

Resource Center