TechTank Podcast: “Navigating Technology and National Security”
Host: Dr. Nicol Turner Lee (Brookings Institution)
Guest: Justin Sherman (Founder & CEO, Global Cyber Strategies; Fellow, Atlantic Council; Adjunct Professor, Georgetown)
Date: December 22, 2025
Overview
In this episode of TechTank, Dr. Nicol Turner Lee sits down with Justin Sherman, author of the upcoming book Navigating Technology and National Security. Their discussion dives into how the United States regulates critical technologies—focusing less on consumer protection and far more on national security—and the evolution, strengths, and shortcomings of the U.S. regulatory landscape. Sherman offers a historical perspective, analyzes present-day complexities, highlights transatlantic considerations, and outlines possible future regulatory directions, making the conversation a valuable primer for policymakers, industry leaders, and anyone interested in the intersection of tech policy and national security.
Main Themes & Key Insights
1. Genesis and Motivation of the Book
[03:47] Justin Sherman explains the motivation behind his book:
- Lack of Public Understanding: Sherman aimed to clarify how the U.S. government actually governs technology for national security reasons.
- Bridging Debates: He noticed much tech regulation discussion focuses on consumer protection and equity, but national security is its own substantial and at times opaque driver.
- Historical Context: The book traces America's tech governance from colonial-era trade embargoes through modern programs like the Committee on Foreign Investment in the U.S. (CFIUS) and Team Telecom.
Quote:
“My motivation was really a couple of things… there's often a lack of understanding of how the US Government in practice actually approaches some of these challenges.”
— Justin Sherman [03:47]
2. Recurring Patterns and Misconceptions in Regulation
[06:26] Sherman highlights enduring patterns in U.S. tech regulation:
- Consistency of Industry Pushback: For centuries, companies have complained about a lack of transparency and unclear regulatory boundaries.
- Defining Sensitive Technology: Persistent difficulty in determining exactly what constitutes an unacceptable security risk—seen in both Cold War-era supercomputers and today’s AI/data regimes.
- Modern vs. Outdated Tools: Many regulatory frameworks were built for tangible goods, making them a mismatch for regulating today's digital assets (AI models, source code, datasets).
Quote:
“The tools we have…to address [digital, intangible risks] are not always well suited because they were built for an era where you couldn't just share information and upload things on the Internet so easily.”
— Justin Sherman [10:39]
3. The U.S. Regulatory “Maze”
[12:00] Breaking down the structure:
- Two Main Models:
  - Licensing-Based: Activities (e.g., exports, large data transfers) are blocked by default, requiring case-by-case licenses for exceptions (e.g., export controls, bulk data transfers).
  - Case-by-Case Reviews: Investments, undersea cable licenses, etc., go through individualized government scrutiny (e.g., CFIUS, Team Telecom).
- Evolving Landscape: Emergent technologies like cloud and AI add layers, and old laws are stretched to new contexts.
Quote:
“We’re taking these years-old laws and regulations and trying to apply them to a world of hacking and really global technology and a really complicated and fast moving threat and technology landscape.”
— Justin Sherman [14:38]
4. Strengths and Weaknesses of the National Security Toolkit
[16:37] Pros and cons of the current system:
- Strengths:
  - Global threat environment warrants vigilant oversight.
  - Regulation is needed to catch threats (e.g., foreign acquisitions of data-rich firms).
  - National security review can address risks profit-motivated companies may miss.
- Weaknesses:
  - Lack of transparency and consistent rules.
  - Regulatory frameworks can be misaligned with present-day digital realities.
Quote:
“These are real strengths…Opportunities for the US government to say, you know what, when a Chinese investor bought Grindr…the gay dating app…they got access to tons of sensitive data and were actually concerned there.”
— Justin Sherman [17:48]
5. The Intersection of Data Privacy and National Security
[21:17] Would a federal privacy law make national security regulation less necessary?
- Sherman’s Position:
  - Baseline federal privacy law would solve many security concerns by default.
  - National security should not be the primary driver for tech governance—but is still needed for certain high-risk scenarios.
- Example:
  - TikTok debate exposes flawed assumptions about data's safety based solely on ownership, not actual handling or exposure.
Quote:
“I think the primary approach we should be taking to tech governance is not a national security one…You help national security by doing it [comprehensive privacy regulation].”
— Justin Sherman [21:39]
6. International/Transatlantic Dynamics
[24:54] Should the U.S. learn from Europe’s regulatory successes and gaps?
- GDPR as a Model:
  - Europe excels at consumer privacy, but under-emphasizes national security threats—allowing risks like data brokers selling information about U.S. military personnel.
- Transatlantic Opportunity:
  - Both the U.S. and Europe can blend strengths to cover gaps, rather than treating issues in silos or as U.S.–China binaries.
Quote:
“We can work more with allies and partners to address these shared data challenges…But instead, we sort of have these issues that are left currently unaddressed for both the Europeans and us in the United States.”
— Justin Sherman [27:12]
7. Advice for Industry and Policymakers
[28:15] How should stakeholders navigate regulatory uncertainty?
- Stay Informed:
  - Track shifts closely; policies can flip rapidly.
  - The long-term bipartisan trend is toward recurring restrictions, especially regarding China.
- Plan for Resurgence of Controls:
  - Even if deregulatory periods emerge, expect major controls (esp. vis-à-vis China) to return in the foreseeable future.
Quote:
“Over the long [term]…the general bipartisan consensus though is to have these restrictions vis a vis China…plan for in the long term a lot of these controls are going to come back.”
— Justin Sherman [29:21]
8. Cloud Computing, AI, and “Know Your Customer” (KYC)
[32:00] Adapting anti-money laundering tactics to tech:
- KYC for Cloud:
  - Inspired by financial regulations post-9/11, requiring cloud providers to identify customers and monitor uses, especially to prevent adversarial exploitation (e.g., military AI training).
- Implementation Challenges:
  - Industry resistance, concerns over overmonitoring, global sales, and technical feasibility.
  - Political signals suggest the Trump administration is unlikely to enforce KYC rules strictly, but the framework remains in place for future use.
Quote:
“Deregulation is the name of the game right now. And so I…I would be. I don't think the program is going to go away…But I would be shocked if the Trump administration started really enforcing these KYC rules anytime soon.”
— Justin Sherman [34:31]
9. The Regulatory Horizon: What to Watch For
[35:37] Sherman's predictions for the most significant regulatory changes ahead:
- 1. The Toolkit Remains:
  - U.S. will retain powerful regulatory tools (CFIUS, Team Telecom, KYC for cloud, data broker oversight), even if underutilized for now.
- 2. China and Data are Bipartisan Priorities:
  - Issues with Chinese investment, control, or exposure will continue to dominate.
- 3. Children’s Safety:
  - Protecting minors—via content, privacy, AI—will be a legislative and regulatory driver for at least the next decade.
Quote:
“Anything related to kids…is gonna drive a lot of US Regulatory direction in the next decade plus.”
— Justin Sherman [37:41]
Notable Quotes & Moments
- On Consistency of Industry Pushback: “Throughout this period, it's been pretty similar feedback from companies that they don't feel they have a good insight into how or why the US Government makes these decisions.” — Sherman [07:33]
- On TikTok and Privacy Laws: “You’re basically saying that if this company is in US Hands, there's no data problem. And...if a US company owned TikTok and sold all of the data to a bunch of data brokers, that would be completely fine…” — Sherman [22:07]
- On Transatlantic Gaps: “European data broker[s are] actively selling data about the U.S. Military…” — Sherman [26:27]
- On Cloud Vulnerability: “What we're actually seeing with some of these challenges we've had over the last few weeks with the cloud sort of going offline...it's a pretty vulnerable asset as well.” — Turner Lee [31:45]
Timestamps for Major Segments
- Introduction & Guest Bio – [00:00–03:47]
- Book Motivation & Policy Gaps – [03:47–05:53]
- Historical Patterns & Misconceptions – [06:26–11:14]
- Regulatory Maze Explained – [12:00–15:30]
- Strengths/Blind Spots of Toolkit – [16:37–20:10]
- Privacy as National Security – [20:10–23:52]
- Transatlantic Data Risks – [24:54–27:27]
- Practical Steps for Industry – [28:15–30:18]
- Cloud, “Know Your Customer” & AI – [30:18–34:53]
- Future Regulatory Directions – [34:53–38:03]
- Book Availability – [38:23–38:42]
Conclusion
Sherman’s appearance on TechTank reveals just how deeply intertwined national security, technology policy, and regulatory regimes have become in the U.S.—and how much they lag behind or outpace the rapidly evolving digital reality. With a blend of historical context, present-day analysis, and clear-eyed predictions, Sherman prompts listeners and policymakers to anticipate where regulatory paradigms are shifting and what tools or collaborations may still be needed.
To order Justin Sherman’s book:
Available at Amazon, Barnes & Noble, and other booksellers after December 16, or for pre-order before then.
[Podcast hosted by Brookings Institution – “TechTank,” episode airing December 22, 2025.]
