Two Problems with US-China Tech Security Policy
US policy on non-US tech companies, products, and services is rapidly evolving. But it often barrels past two important questions.
US government policy on non-US technology companies, products, and services is fast-evolving, touching a wide range of companies in everything from financial services to telecommunications to social media to investment. However, in their rush to develop policy in this area, many US policymakers skip past two essential questions that will impact US privacy and cybersecurity — and how trusted these policies are by industry, civil society, and the international community. Brought to you by Global Cyber Strategies, a Washington, DC-based research and advisory firm.
Two Unanswered Questions
In a new article for Lawfare, I lay out two questions that many policymakers barrel past when proposing policies and actions related to non-US technology companies, products, and services:
Which policy approaches lend themselves to a spectrum of risk identification and mitigation?
What kind of process lies behind these policy approaches?
While the media conversation and policy discussion in the United States often focus on China, it is hardly the only country implicated by questions of non-US technology, security risks, and government policy. Huawei, TikTok, and Kaspersky are some of the companies I mention that have been impacted by US government action in this area, and there are many indications that proposed policies would look far beyond China.
As I write in the article, it is important for security analysts and policymakers to develop a spectrum of risk identification and mitigation:
Not every tech company, product, and service poses the exact same set of risks. The risk scenarios themselves might vary, such as the risk of a backdoor installation versus the risk of internet traffic hijacking. And the likelihood and severity of those risk scenarios can vary too.
Because of this inherent variation, policy approaches that categorically deem every technology company, product, and service from a country a “risk” often erase these distinctions.
In other words, policy approaches that deem a non-US tech company, product, or service “a risk” or “not a risk” are not actually conducting a serious risk assessment; this is a false binary that erases the wide range of possible risk scenarios at play. Policymakers should have and should want the ability to identify different kinds of risks, develop a priority order of risks that need to be addressed, match those different risks against a spectrum of possible responses, and consider other factors at play.
Another key question that many policymakers are skipping past is about process. It might sound bureaucratic or even boring, but how the US government identifies security concerns with non-US technology companies, products, and services — and who in the government does it, and what they can do in response — is vital to ensuring that security reviews are robust, nuanced, transparent, and properly overseen.
For example, it’s an open question whether Congress is well-suited for this task, writing bills on specific companies, products, or services as they gain attention:
While plenty of congressional tech action is important and much needed, congressional hearings, bill writing, and oversight actions on technology opportunities and risks are also headline driven; they are more responsive to particular issues raised in the news, by researchers or whistleblowers or advocates, than they are proactive about continuously seeking out new issues on which to legislate or otherwise act. Congressional scrutiny of companies (broadly) also tends to be very political, even if real issues are identified. This calls into question its suitability to continuously and comprehensively identify and mitigate security risks.
On the flip side, several executive branch organizations that identify security risks in foreign investments and technology — including the Committee on Foreign Investment in the United States (CFIUS), “Team Telecom” (formally, a much longer committee name), and the Commerce Department — have faced scrutiny for their protracted review processes, broadly defined criteria, and more. For example:
Recently, a former CFIUS lawyer wrote for Semafor that CFIUS’s growing number and scope of legal reviews were causing the U.S. to lose foreign capital and innovative businesses. “There is a small but useful role for CFIUS,” he said, but “the review process takes a minimum of a month, but more often many months” and involves the possibility for involved individuals to speculate too wildly about potential security risks. Many parts of the defense apparatus, for their part, are far behind the technological cutting-edge in understanding the risks to the U.S. government associated with modern data collection, storage, analysis, sharing, and targeting.
Yet, these organizations also have staff, resources, and authorities specifically dedicated to continuously investigating and evaluating possible technology security risks — and providing potential response options to decision-makers.
Looking Ahead
As I write in the Lawfare article, it’s almost always possible to look at a specific non-US tech company, product, or service and develop a hypothetical risk scenario in which there could be a national security threat. This is precisely why policymakers need comprehensive and nuanced approaches to risk identification and mitigation, ones that consider factors like a risk’s likelihood and severity. Real security risks exist in the tech landscape, and poorly formed policy approaches will fail to identify and address those actual risks while simultaneously resulting in other harmful decisions.
For now, though, these issues persist and remain open questions for the US government writ large. Clearly, some executive branch organizations and some members of Congress are in complete disagreement when it comes to TikTok; CFIUS is still negotiating a mitigation agreement with TikTok — that would allow it to stay in the US with some technical, operational, and management structure changes — while some senators and representatives believe a complete ban on TikTok in the US is the only option. The coming months will likely bring this debate to a head, with large implications for the future of US policy on technological security risks.
Subscribe for more public insights, and reach out on Global Cyber Strategies’ website for a range of custom-tailored research and advisory services.
—
© 2023 Global Cyber Strategies LLC.