Intersection of National Security With M&A: The Committee on Foreign Investment in the United States
Why does the United States have laws that regulate M&A activity from a national security perspective, and why are those laws now getting more attention?

print this article

Once a sleepy, shadowy backwater of the federal government, the Committee on Foreign Investment in the United States (CFIUS)—the U.S. government’s principal mechanism for screening foreign investment to assess and address its potential impact on U.S. national security—has hit the big time. In the last eighteen months, Congress passed sweeping reform of CFIUS through the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), and CFIUS has received significant additional resources—ensuring that CFIUS work has become a cottage industry in Washington. In a demonstration of its new cultural status, CFIUS has even become a running thread in the current season of Silicon Valley, HBO’s popular comedy on startup culture. As fascinating as it is to see core mergers and acquisitions regulations in popular media, a more interesting and salient legal and academic question is, Why does the United States have laws that regulate M&A activity from a national security perspective, and why are those laws getting more attention these days?

The Policy Issues Driving Regulations

Why does the United States regulate national security? It comes back to a simple point: the U.S. government, for the most part, does not hold an ownership stake, either wholly or strategically, in technologies, industries, infrastructure, resources, and businesses of national importance. U.S. telecommunications infrastructure is entirely in private-sector hands; our leading defense and aerospace suppliers are publicly traded entities, but not “public” entities in the sense of government ownership; and even our “national laboratories” are federally funded but managed principally by private-sector contractors.

This model served the United States well from the stance of innovation and economic efficiency, and, following the U.S. success, many Western democracies also privatized many of their national assets starting in the 1980s and continuing into the twenty-first century. Even where governments retained some minority interests or “golden shares,” they effectively ceded control or management of day-to-day operations to private-sector managers that responded exclusively to commercial incentives.

This model has largely served the United States well from the standpoint of national security. A strong and dynamic economy based on private market ownership and principles has given us great power in the world and fueled the technological innovation that ensures the dominance of U.S. forces on the battlefield. This state of affairs, however, also leaves the United States potentially more vulnerable than other countries, because our national security, both defensively and offensively, is inherently more dependent on the private sector. That is, the United States relies on the private sector to protect assets of importance to national security and to develop critical capabilities that advance U.S. military and intelligence prowess. Hence, the federal government has the need and the desire to regulate commercial activities related to national security.

Dating to World War I—during which the United States expropriated German property and passed the Trading With the Enemy Act—the United States has experienced flurries of legislative and regulatory activity to address the national security implications of commerce. One of the most recent such periods emerged in the wake of 9/11, and the United States is in the midst of yet another one today.

The impetus for the current activity can be summed up in one word: China. Or, more precisely: the great power competition of the twenty-first century between the United States and China. The longstanding characteristics and assumptions that had governed the U.S.–China relationship for forty years have been changing, and at an accelerating pace. Each government has concluded, for its own reasons, that its country has become too dependent on the other, and each has started to take action along a number of fronts—legal, policy, and industrial—to reduce national dependencies and reposition itself, economically and militarily, for longer-term international competition.
For both countries, technological change has linked trade and investment with national security in unprecedented ways. This is particularly true given that so many critical, ubiquitous technologies are “dual-use,” i.e., they have significant military/defense and civilian applications, which has caused each country to reexamine its technological dependencies and interconnectedness with the other. For example, data sets essential to specific commercial uses—such as developing therapeutic drugs or defining better algorithms for more precise insurance actuarial tables—can be used to refine artificial intelligence (AI) capabilities (by allowing more data to be fed into those AI capabilities) and, in turn, to advance military capabilities that leverage AI such as weapons development, force planning, and strategic analysis.

National security, once a narrow consideration employed in exceptional circumstances, has taken on far greater weight in policies, laws, and regulations impacting trade and investment in both countries—and globally.

To make this point more concrete, consider that Chinese investment in the United States essentially did not exist until 2005, when the Chinese company Lenovo acquired the PC division of IBM. Between January 2005 and December 2007, investment was still just a trickle, reflected in the fact that, over those three years, CFIUS reviewed a total of four Chinese transactions.1 That pace quickened around 2012, during which CFIUS reviewed twenty-three Chinese investments,2 and only accelerated further, with CFIUS reviewing a total of 143 Chinese cases during 2015, 2016, and 2017, according to recent CFIUS data.3

The primary sources of U.S. foreign direct investment changed in a flash, and therefore so did the nature and complexity of cases under CFIUS review. Against this backdrop, Congress stepped in, having decided that CFIUS’ authorities were inadequate to assess and address the new risks associated with the changing composition of U.S. foreign investment, and last year it passed FIRRMA, the most significant reform of CFIUS in thirty years.

What Is CFIUS, and What Is Its Role Now?

CFIUS is an interagency committee—not one agency—that is fundamentally a regulator of M&A. The committee is chaired by the U.S. Department of the Treasury. Other voting members include the Departments of State, Defense, Commerce, Justice, Homeland Security, and Energy; the Office of Science and Technology Policy of the White House; and the Office of the U.S. Trade Representative. Nonvoting members include the Department of Labor and the Office of the Director of National Intelligence, which must produce a classified threat assessment for each transaction reviewed by CFIUS. As chair of the committee, the Treasury Department also has authority to include other relevant executive branch agencies in CFIUS deliberations, such as the Department of Health and Human Services in a review involving a U.S. medical device manufacturer.

In effect, CFIUS is an “all-of-government” review designed to ensure that each transaction is evaluated by the right subject-matter experts throughout government, representing and balancing both economic and security perspectives. Importantly, agencies must reach consensus to approve any transaction. CFIUS is thus the ultimate exercise in both interagency coordination and Washington, D.C. regulatory inside ball.

The most important thing to understand about CFIUS—and, ironically, the thing that is often least well understood—is that, as a legal matter, it sits between the White House and Congress, which results in a certain discipline and caution in the review process. The president has the original statutory authority to review foreign acquisitions of U.S. businesses from a national security perspective and to take action to mitigate a threat to national security. Statute and executive order then delegate this authority to CFIUS. CFIUS can approve a transaction, with or without conditions, but if it approves, it must certify to Congress at senior political levels that the transaction presents no unresolved national security concerns. However, CFIUS cannot actually prohibit a transaction; only the president has the authority to do so. Thus, if CFIUS determines that the only adequate and appropriate resolution is to block a given transaction, it must send the matter to the White House for the final decision.

CFIUS’ power is incredibly expansive. There is no judicial review of CFIUS’ national security decisions, and if parties do not file with CFIUS and receive approval, there also is no statute of limitations on its authority to review already-consummated transactions. However, if parties do file for and receive CFIUS approval, there is a legal safe harbor against later action by both CFIUS and the president. Thus, parties are incentivized to seek CFIUS’ review and approval voluntarily in instances where they expect that the U.S. government may have national security concerns about an acquisition, either now or in the future.

Historically, CFIUS’ power has extended to its authority to review any merger, acquisition, or takeover that could result in “control” of a “U.S. business” by a “foreign person.” Each jurisdictional term is broad, with few bright lines regarding their scope. This means CFIUS can exercise its jurisdiction elastically, stretching to review even smaller minority investments or acquisitions of a collection of assets in the United States when it perceives a potential national security risk. Unlike the competition reviews under the Hart–Scott–Rodino statute, there is no transaction size threshold for CFIUS jurisdiction. Note, too, that the words “national security” do not appear in the jurisdictional terms. As a technical matter, CFIUS can review any transaction that meets the above definition, even, for example, the acquisition of a mom-and-pop ice cream store in Iowa by a Canadian citizen. It has the authority to take action, however, only if the transaction under review “threatens to impair the national security.” And, therefore, the vast majority of foreign M&A is not filed with CFIUS.

If CFIUS has such broad jurisdiction, then one might reasonably ask why Congress needed to give it new authorities in FIRRMA. The fundamental policy concern that Congress sought to address was the fear that certain transactions that created risks to national security were slipping past CFIUS—either because they were not voluntarily filed with CFIUS, which itself might not have had the resources to identify and catch them, or because they were nonpassive, noncontrolling investments that were outside CFIUS’ existing jurisdiction.

FIRRMA’s solution to this apparent dilemma was to broaden the aperture for CFIUS review, without creating absolute bars or singling out specific countries. It sought to accomplish this in several ways.

First, it preserved CFIUS’ authority to review transactions conferring control, while expanding CFIUS’ authority to include review of 1) certain real estate transactions and 2) certain nonpassive, noncontrolling investments in U.S. businesses involved with critical infrastructure, critical technologies, or sensitive personal data of U.S. citizens—businesses that by their very nature were more likely to present national security concerns.

Second, for the first time, the FIRRMA legislation mandated filings for certain transactions—in particular, those involving critical technologies, critical infrastructure, and sensitive personal data in which a “foreign government has, directly or indirectly, a substantial interest.” The legislation also allowed CFIUS to require a filing for every foreign investment in critical technology businesses that meets certain triggering criteria.

Third, it pledged more resources to the CFIUS agencies—thereby spawning an entire new industry in Washington of (other) agencies and contractors chasing after CFIUS appropriations (and law firms chasing after CFIUS lawyers).

Not long after the signing of FIRRMA, CFIUS issued a pilot program to implement certain of these new authorities—namely, to review certain noncontrolling, nonpassive transactions involving “critical technologies”—and CFIUS has proposed regulations to implement the remaining authorities. Those final regulations must be in place by February 2020, which will be the true starting gun for the next version of the CFIUS process.

Impact for Transaction Parties and Advisors

The evolution in the CFIUS process portends several lessons for transaction parties and their advisors.

The first is that national security regulation in M&A is here to stay. The issues animating the tension between the United States and China will not abate anytime soon. And, other countries are looking to adopt new regulations or enhancing existing authorities to review foreign investments, with CFIUS’ encouragement. The net is that for the foreseeable future there will be more global regulation of foreign direct investment than ever before.

Second, although some risk lies in this type of proliferation for M&A and global investment flow (i.e., it could feed and enable protectionist sentiments), there is also an opportunity to spur investment by facilitating a rational, predictable investment environment. To do so, laws and regulations must be clear; processes must be professional; and authorities that implement them must focus on solutions that enable investment and not simply rejections. This means, for example, using authorities to manage and mitigate risks, rather than merely to try to eliminate risk outright by blocking transactions. If the laws are developed and employed in this fashion, then they can provide certainty, transparency, and confidence around transactions that, right now, often face fluid, opaque, and unpredictable environments.

Third, this is no longer simply an execution issue for a small segment of transactions. For transaction parties, the net effect of these trends and considerations is to place greater emphasis on up-front identification and planning for these issues as part of their transactional strategy and diligence processes.

A final word: individuals who spend their entire lives in business perceive the world and its related risks very differently from those whose job it is to protect national security—and who are privy to information that the rest of us do not see. To understand, manage, and navigate national security regulation, in turn, parties must be able to inhabit and empathize with that latter mindset, not to be so frozen with fear that they cannot move forward but also to recognize the problem sets confronting regulators and to work to solve them within the commercial constraints of the transaction at hand. In many respects, there is more art than legal science in this field, because national security laws—including the laws governing CFIUS—necessarily will leave some degree of ambiguity to empower the regulator to exercise flexibility and discretion to address evolving and unanticipated risks that the regulator may perceive. But such breadth also leaves room for creative solutions that, if calibrated and framed to address the national security concern, can enable transactions and remove uncertainty for parties to a transaction. Such thoughtful planning and a solutions-oriented approach will be even more important in the new era of CFIUS that will soon be upon us.

David Fagan is a partner and Brian Williams is a senior advisor at Covington & Burling LLC.


  1. Committee on Foreign Investment in the United States, 2008 Annual Report to Congress (December 2008),
  2. Committee on Foreign Investment in the United States, Annual Report to Congress for CY 2012 (December 2013),, p. 17.
  3. Committee on Foreign Investment in the United States, Annual Report to Congress for CY 2016 and 2017 (November 2019),, p. 18.

Leave a Reply

Your email address will not be published. Required fields are marked *

XHTML: You can use these tags <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>