
Announcer
The Electronic Communications Privacy Act turns 40 this year and it's showing its age. On Friday, March 6, Lawfare and Georgetown Law are bringing together leading scholars, practitioners, and former government officials for Installing Updates to ECPA, a half-day event on what's broken with the statute and how to fix it. The event is free and open to the public, in person and online. Visit lawfaremedia.org/ecpaevent, that's lawfaremedia.org/ecpaevent, for details and to register.
Justin Sherman
When we talk about the complexity of how do you prevent the export of a physical thing, that just is so different. Even if it's a really small chip, that's still quite different than how do you prevent someone from uploading something onto the Internet, which is really just a qualitatively and quantitatively different sort of question.
Jonathan Sederbaum
It's the Lawfare Podcast. I'm Jonathan Sederbaum, Lawfare's book review editor, here with Justin Sherman, the founder and CEO of Global Cyber Strategies.
Justin Sherman
It's really important to understand how entangled and how interdependent these systems are, how that interdependence can be weaponized. Because these are not decisions you can easily reverse, right? It's not the case that you can kind of let these programs sit here for a year, then pick them back up and nothing's changed, right? This isn't, you know, pausing a Netflix episode. I mean, this is a highly sophisticated set of regulations. Adversaries are not taking a holiday because the offices are not staffed or because they're distracted with other nonsense.
Jonathan Sederbaum
Today we're talking about Justin's brand new book, Navigating Technology and National Security: The Intersection of CFIUS, Team Telecom, AI Controls, and Other Regulations, just published by Wiley. Justin, tell our listeners a little bit about your background and why you chose to write this book.
Justin Sherman
I'm a computer scientist and international relations person by background, so naturally the sort of contours of the technology and national security intersection have always interested me. And, you know, that sort of blossomed over time into a couple different reasons for writing this book. One was looking at the fact that we often talk about, and for lots of good reasons, right, we often talk about technology regulation from a consumer protection perspective, or maybe from the perspective of civil liberties protection or something like that, which is very, very important. But there's also a whole conversation to be had about the extent to which national security laws, national security regulations, national security regulatory programs are a way of governing technology. And I don't mean necessarily things related to, let's say, how the government procures technology for national security or how it might tap into it, let's say through various intelligence authorities or something like that, but really regulating it. And so I was sort of interested in digging more into that history and how it came to be. And the second reason is, as I mentioned in the book, I've also worked on issues as a consultant and advisor to the US government related to several of the regulatory programs I talk about in this book, especially including around data security. And I was also interested by the fact that, okay, for some period of time we've really had a couple main regulatory programs focused on tech and national security. That's been export controls and, as we'll get into, some amount of investment review. But these days we have so many connected vehicles, data, AI, debates about chips, and, right, there's so many more of these programs. The number, in addition to the scope or the relevance, has really gone up.
And so all to say, all very nerdy reasons, but all reasons why I was interested in kind of digging into how this regime is evolving and where we see it going in this hyper technology driven time we live in.
Jonathan Sederbaum
Very good. Your book actually describes seven US regulatory programs addressing national security concerns arising from technology and data transactions of various kinds. What are some of the book's main or cross cutting themes or arguments?
Justin Sherman
There are a few worth mentioning up top. So one is that for a number of these chapters, as you mentioned, the seven programs I look at are sort of how the early chapters are organized. I actually went back and read basically all of the, not every regulatory comment, that would take me a thousand years, but maybe with AI we could summarize, but certainly went back and read every regulatory proceeding document published for some of these. And for example with investment review, going back 50 years. And so one theme that really stuck out to me over time, consistently and across multiple programs, is that there really are debates about, okay, if the government's going to come into a private sector business, to a private sector tech transaction, to a private sector tech R&D effort and say this particular thing is a national security risk, and you need to stop or you need to slow it down or you need to comply with XYZ, how are you actually determining that that's a risk? So there's really a lot of debate over time about how you do that, and how to really do that in a precise way such that you can differentiate what's really problematic from what might be tolerable, or to help a company, let's say, ensure that they can continue to compete and innovate and build new technologies, which, by the way, also will help national security in the long run, but also do that in a way that they understand what the government is most concerned about. So that's kind of the risk question. One related to that, I sort of argue at the end, perhaps counterintuitively in a national security book, is that transparency is really, really critical. And this is something else that came up time and time again throughout.

Looking back at the regulatory documents, there were essentially companies wanting the government to publish really specific lists, maybe, say, tell us exactly what kinds of things we're allowed to build or not build, or tell us exactly what types of countries you're going to investigate a transaction with and which ones you're not, and be really, really precise and specific. A lot of the time the government has rejected those requests, saying, no, the threat space is really dynamic, so we can't pigeonhole ourselves into one specific list of here's what's a cyber threat to US infrastructure, or here's the way that, I'm making this up, the Chinese intelligence services structure a front company, here's the list to look for. And the second point, which segues from that hypothetical, is that there's, of course, a lot of classified information going on here in terms of how the government might understand the threat space. And that also can't be shared. So there are important debates about transparency. Maybe we'll come back to that. And then the last is really just this ongoing set of questions or tensions and so forth between the speed of innovation, the types of innovation that companies might want to pursue, and the national security considerations. And sometimes those are really aligned, right? Certainly we're hearing arguments now that faster AI development is in line with US national security interests, to be able to deploy quickly in various agencies. But at the same time, we've certainly seen many cases where, as Lawfare has covered since its inception, for example, the speed of innovation in software has really created an enormous cybersecurity vulnerability surface.

So all to say, all things that are ongoing. But I think on some of these, it was interesting to really dig back through the regulatory proceedings and see that some of the questions being asked a year or two ago in more recent programs and the public comments were quite literally the same kinds of things folks, companies and others have been asking for, for decades and decades and decades.
Jonathan Sederbaum
Very interesting. With those broader themes in mind, let's take a closer look at each of the programs you analyze. And let's start, as you did, with the most familiar, the most long-standing, and that is export controls. What do you think the US has been doing right and wrong as it has to adapt its export control system to these novel issues with emerging technologies and data?
Justin Sherman
So we'll start with what I think has been done well or continues to be done fairly well, which includes, for instance, the fact that, I mean, of course, the Commerce Department, as many listeners know, right, is not the only one that's involved in export controls writ large. But I'll mostly talk about Commerce here in terms of the Bureau of Industry and Security, BIS, because we're talking about technology, and that's where a lot of that outside of the military weapons space sits. And so vis-a-vis export controls, one thing that I think continues to be done well is giving companies actually quite specific guidance on what to do. As someone with great interest in this area, I always find it fun to read not just the designations of particular entities, but BIS routinely publishes lists of here's the exact ways that Russian front entities for the Russian intelligence services are getting around US export compliance checks to buy whatever technology, or here are the new techniques we're seeing in this part of the world to sort of illicitly diffuse technology, and here are the red flags to look for. So there's some degree of specific guidance that continues to come out. Another is we've seen BIS sort of sit within a broader set of, in my view, strategic moves to ensure that our adversaries are not diffusing or continuing to leverage technologies that they can use particularly to commit espionage against the U.S. So, of course, some of this is getting undercut now with certain chip sales and so on, which maybe we'll get to. But an example in recent years to me is the Huawei debate, right, around the Chinese telecom. And there were issues with this in the beginning in terms of how the US government messaged it. But in my view, export controls and other tools were used quite effectively in tandem. I mean, Huawei's global market share took a real hit. Lots of countries stopped using a lot of their, particularly 5G telecom and 4G telecom, network components.

So, you know, there are ways that export controls, I think, have sat within a broader framework for how to think about something complicated like modern Chinese government cyber espionage. Challenges, though, I think I question. And of course, this is not a criticism of specific staff, but more at sort of the macro policy level, although maybe a critique of some on the Hill, I suppose, is that it doesn't seem to me that we've all internalized the lessons from the last 20 to 30 years when you try to apply export controls to, rather than physical, tangible goods, which is mostly what they've been applied to for a couple hundred years now. I mean, there were points in time where export controls were applied to information or this or that. But more recently, we've seen failed efforts around 2013 with the Wassenaar Arrangement to restrict the spread of cybersecurity software that didn't work. I cite them. There's wonderful, wonderful scholarly papers that have been done on the war on encryption during the Cold War and how that really, A, didn't work to try and control the diffusion of encryption technologies, and B, actually hurt the United States because you had, you know, mathematicians who were afraid to go to, like, a conference in Canada because maybe they'd be violating export control law. So I'll stop there. But I think, you know, when we talk about the complexity of how do you prevent the export of a physical thing, that just is so different. Even if it's a really small chip, that's still quite different than how do you prevent someone from uploading something onto the Internet, which is really just a qualitatively and quantitatively different sort of question.
Jonathan Sederbaum
Your mention of Huawei highlights that many of the recent efforts by the US with respect to regulating technology and data transactions are done really with an eye on US rivalry or competition with China. One of the concepts you discuss in that regard is this notion of a small yard, high walls approach to export controls. What does that concept mean?
Justin Sherman
Small yard, high wall, or small yard, high fence, you hear similar things, is a concept that has been attributed to Robert Gates, the former, among other titles, the former Secretary of Defense. And this really got, I think if you just think back, right, and you look back at some of the discussion, a lot of play around 2018, 2020, kind of during this saga of Huawei we're talking about, as a way of thinking through how do we lock down a certain subset of technologies in the US, in the US supply chain, that are really critical to national security, but not over-index, not rope in too many technologies, or not be too heavy-handed in such a way that it undercuts university innovation or the startup ecosystem or something else. So that was sort of the idea. And of course, on paper this sounds very sensible. And I do actually think in theory that this is a good idea, right? Because the more that you can scope where you're looking in terms of national security risk, including on export controls, the more, A, the limited government resources, because they're always limited, that you have available can be applied just to what you need to focus on the most. And then B, it does, you know, you don't want to slow everything down. There are some trade-offs. And so it helps you limit how much you're imputing certain innovations in R&D. That said, I don't think it was actually executed well, and we won't name them, but certainly a number of folks I know who worked on this quite closely in the last couple of administrations feel similarly. Right. For a variety of reasons, this sort of became something that perhaps some of the individuals working on it did not intend. But all to say, I think it hasn't been carried out the most effectively, because the first Trump administration drew a pretty big yard, to continue with this metaphor.

It got a lot of flak around 2017, 2018, 2019, when the Commerce Department was looking at potentially implementing a wide range of export controls on artificial intelligence. And this got a lot of backlash because it was defined, I say, in quotes, in sort of a broad way. And people were saying, well, hold on a minute, this is a really difficult dual-use situation. There's lots of civilian use cases for the exact same technology that's deployed in the military system. How are you going to control it? You need to scope this down further. What about the stuff underneath? Does AI, quote unquote, include the cloud system that's running the software application? So it kind of led to all of these issues, and then they pulled it back for that reason. The Biden administration, again, I think it was good to have this list, but the Bureau of Industry and Security published, or I mean, several agencies, but led a lot of the work to help publish this critical and emerging technologies list. And this really was quite large and includes, I sort of detail the various categories in the book, but really included a lot of different areas, ranging from advanced engineering materials to biotech to hypersonics to quantum to semiconductors and space. And again, it's a challenge, right, because you could zoom in on any one of those areas and certainly find or hypothesize ways that that technology could be used to hurt US national security. Right. But at the same time, if you look at the list on the whole, it sort of looked like you were just listing everything a venture capital firm might be interested in funding. And so it gets back to this question of it's good conceptually, but we really have to be perhaps a little more critical about what makes it on and what bar do you need to clear for something to really be so sensitive that it's on that list. Right. And we can get into how one might approach that in different ways. Right.

Some people say if even one application reaches a certain very high level of criticality, let's say some foreign adversary military use, that's enough. Some might say it has to be the percentage. Right. So if it's one tiny biotech thing that's really concerning and the rest of it's fine, then that shouldn't be on the list. So there's ways to debate it, but I think we have a long way to go. And of course now very little of this is being thought about in terms of the current administration, so I'm not sure we're going to fix that right now either.
Jonathan Sederbaum
Justin, another concept you discuss in the context of the US China rivalry is the idea of decoupling between the United States and Chinese economies. What does decoupling mean? And is that something that you think is desirable, undesirable, or not really a possibility at all?
Justin Sherman
I think it depends on the sort of area of technology we're talking about. So, decoupling. And I'll also plug, I had Sam Bresnik from Georgetown on the Lawfare Podcast a couple months ago to talk about all of this issue specifically. And that was very interesting and in part informed some of how I think about this. But folks generally say decoupling to refer to a greater degree of supply chain disentanglement from China, technologically, financially, operationally. And the term, at least these days, including in the business community, that people tend to use to refer to something less than decoupling but not business as usual is de-risking. And so, okay, we're not going to be able to, let's say, completely move manufacturing out of China, but do we have a contingency plan in place? Can we limit manufacturing dependency in certain areas? Or no, we're not going to be able to have zero cloud or telecom network touchpoints with that area of the Asia Pacific, but could we reduce it in some way, as an example? And same thing, right? There's a lot of software development in Eastern Europe and concerns around Russia and so forth, and same there. I don't want to only be making this about China. But all to say, it's usually used in the China context, as you note. Is it possible? Who knows? We've all been debating this in D.C. for some time now around, is it possible to really pull yourself out of a Chinese tech supply chain in the current age, especially given the manufacturing dependencies that exist and the degree of Chinese technology also in third countries, which is really important. Right. If we're talking about decoupling your supply chain from China, one way to think about that might be the touchpoints to entities and organizations and individuals within China's geographic borders. Another way to think about that, and these are not mutually exclusive, could be, well, where are our touchpoints with Chinese technology outside of China? Right.

If there's a tremendous amount of Huawei deployment in Latin America, or if a number of the cloud systems in the Middle East, including in Saudi Arabia and the UAE and Qatar, are running on Chinese infrastructure, how do I think about that? There are several ways to approach this, but I agree with folks who say that de-risking, and Sam and others I mentioned are much smarter on this than I am, but I agree with the folks who say de-risking is the better way to talk about it, because can you really disentangle completely? Probably not, but you can try and limit your exposure in different ways. Have folks been thinking about it as an end state? To answer the last part of your question, some have. Some have sort of said, once we do it now, we can move on and we're not as dependent. And that was kind of the conversation, I think, maybe at the first Trump administration's onset. But at this point in time, I think it's more about de-risking and mitigating and understanding that there are always going to be risks of disruption or infiltration. But how do you limit those in a way that's, you know, aligned with any organization's risk tolerance?
Jonathan Sederbaum
Got it. We've been talking about export controls. Let's turn to the second regulatory program you address. That's the Committee on Foreign Investment in the United States, known by its acronym, CFIUS. CFIUS has been around, of course, for quite a few decades now. How would you assess CFIUS's performance in this shift toward transactions involving emerging technologies and data?
Justin Sherman
Yeah, CFIUS turned 50 last year. CFIUS has been quite involved. It's been looking at technology issues since its inception. I offhandedly mentioned a few examples, whether it's with Japanese semiconductor acquisitions during the Reagan administration, or, you know, post-USSR collapse, or around 9/11, and particularly concerns about foreign terrorist organizations and any ways that they or their state sponsors could acquire various technologies. But the real bolstering up of CFIUS's technology and data focus was in 2018, right, where you had FIRRMA pass, the Foreign Investment Risk Review Modernization Act, and it really focused on a couple key areas for CFIUS going forward. So there were some non-tech components to that law, such as modifying a couple definitions and the scope of real estate activity that's covered. But it really focused on, okay, if CFIUS is going to look at foreign investments coming into the US in this day and age, we really need to look at, A, any investments focused on critical technology sectors. So thinking back to that list we were talking about of what's considered a critical technology. Thinking about touchpoints to critical infrastructure. So maybe it's not owning things, but again, if you're owning something that connects to something else, for example, you have foreign actors buying an investment in the power system that underpins a water treatment plant. Or maybe, there was just a great Lawfare piece that Andy Grotto and Jim Dempsey did on all the operational technology in the private sector that military bases depend on. So you could think about ways that that is a concern. And the third was data, and looking at US citizens' data, which is interesting, right? Not just government data, but US citizens' data as a potential area of foreign adversary concern. So since then we've had a couple examples of ways this has been used, notably that CFIUS had, at least for some moment in time, opened an investigation into what is now and what was then TikTok.

But right before that had been the US company Musical.ly, bought by Chinese company ByteDance. So certainly a lot more people became acquainted with CFIUS, and CFIUS even got a mention in a later Succession episode. I won't spoil the specifics, but folks in our nerdy world were sort of tweeting, this is funny, we're entering the mainstream. But yeah, so TikTok's probably the most notable in the tech area, but there have been a few others and news reports of others. Another one is Grindr, that I talk about, right? The gay dating app that Chinese investors bought and then that the US government required them to sell back to US owners out of concern. Again, thinking of the 2018 FIRRMA law, because of the data. It was really the concern about the types of data you could get through that acquisition.
Jonathan Sederbaum
In your chapter about CFIUS, and in some of your other chapters, you talk about, I think with some concern, what you call a whiteboard approach to gauging national security risks. What do you mean by that?
Justin Sherman
So this is borrowing both from my own firsthand experiences and then also, as I cite in there, the writings of various national security experts or former officials who have talked about these dynamics as well, in CFIUS and also beyond CFIUS, which is, I sort of dubbed this the whiteboard security risk problem, which is that on the one hand it's good to have that whiteboard when you're talking about these risks, to game out how could a foreign government, a foreign adversary do ABCD, right, because that's what the foreign adversary is doing. They are sitting there figuring out how can we be creative to get around protections or go under the radar, so to speak, and take data or infiltrate systems and so on in ways that the US wouldn't expect. So it's a good exercise. But you can get carried away with that. And as I sort of quip, if you sit in an empty room with a whiteboard and a pen long enough, you can really come up with any scenario. And again, as I'm sure many listeners have, you see this happen firsthand. And again, I cite some specific examples that some folks who used to work on CFIUS have since written about. I mean, not revealing anything in terms of any particular matters, but just saying at a general level that, yeah, sometimes most staff can sit down and say this investment looks fine, and all it takes is one person at one agency to sort of speculate that there's a remote possibility that so-and-so could do blah, blah, blah, and then such and such would happen. And suddenly all of these transactions that most people think are low risk are getting blocked or impeded in some way. So again, it's back to kind of the first thing I was saying, which is that the key is really to just have really good risk criteria. And again, there are some programs that I mentioned, export controls, right? They kind of know what their criteria are. They have set direction in many ways in terms of which technologies are of concern and so forth.
And then there are others like CFIUS that have long been criticized for being a little all over the place. And I think that's a place where having that decision framework could be potentially helpful for everyone involved.
Jonathan Sederbaum
CFIUS is a program that looks at foreign direct investment in the United States. Another program you address that also looks at foreign investment but is much less well known than CFIUS is Team Telecom. What is Team Telecom and what does it do?
Justin Sherman
So Team Telecom, which is no longer its formal name, it has this absolutely ridiculous acronym that I'm not going to try and pronounce. I think it beats every congressional bill acronym I've ever seen. It's so absurd. But Team Telecom is an interagency committee that has been around for a few decades now, and it is chaired by the Justice Department. There are several other agencies involved, such as the Department of Defense and Homeland Security, but its role is really to advise the FCC when the FCC is issuing a license or undertaking some other regulatory matter related to, I'll just say broadly, foreign telecommunications issues. That could be a company registered in Hong Kong that wants to partner on a submarine cable connected to Los Angeles. That could be a Dutch company that wants to take a small share in a US mobile carrier, all the way to various space and, in certain areas, other issues. So Team Telecom advises the FCC on what are the law enforcement or national security or even economic security issues that might be associated with that particular matter. So it's not akin to, let's say, export controls, where there are determinations made around particular types of technologies. It's a matter-driven program. So when a company files, the FCC will refer to Team Telecom. They'll take a look, they'll give their input. Team Telecom doesn't, quote unquote, make the decision; that rests with the FCC and therefore the president. But they're an important voice in terms of thinking about how do these risks manifest and how might telecommunications networks themselves be a potential source of national security concern?
Jonathan Sederbaum
How would you compare Team Telecom's performance to CFIUS's?
Justin Sherman
So Team Telecom has had challenges akin to what CFIUS has had, which is, CFIUS is often, and I think it scores the worst, as I write, on this question, but has long been criticized as a black box program. Right. Because, as I mentioned, some folks who work on it say, I'm not quite sure what's going on, and I work on it. And companies have, just on the company and sort of academic side, as I'm sure many have heard, a whole number of absurd stories around decisions that are made and then reversed. And just really, a lot of it's hard to understand what's going on. And again, recognizing that there's classification and other things, but there's a real transparency question. So I say that to say Team Telecom had similar challenges for a bit of time. There was, in the telecom policy world, an influential report that the Senate Communications Committee had done, I'm not going to remember the year, maybe 10 years ago or something like that, that really looked deeply at Team Telecom, and they interviewed a bunch of staff, they interviewed former FCC commissioners, and even folks who were really involved with the process used that exact phrase. They said it's a black box. You had former commissioners saying, this is really hard to understand what's going on. And I have significant authority over this and I still don't quite follow. So there were a lot of efforts made after that. And I will credit the first Trump administration as the one that issued an executive order to do some of this. But Team Telecom, probably from 2019, 2020 on, has really improved. Still some challenges, but really improved its transparency, has started issuing more public justifications, even if they're short, explaining why they made a particular decision.

Talking through, here are the bullet points of why, in some real examples you can find online, why this project to potentially connect the US to Hong Kong is a security risk, or here's why we're worried about a particular cable to Cuba and what we perceive as the risk that that could get passed on to other countries. So they really improved in some of those ways. But we're also seeing a lot of change to Team Telecom in the last year, and to the FCC, of course, cybersecurity issue set in the last year, rolling back regulations, a huge submarine cable rule. I'll keep plugging the podcast. You know, we had the lead FCC author on the podcast to talk about that after it happened. But really a lot of interesting changes. So it'll take some time to see what that'll do to these issues we're talking about.
Jonathan Sederbaum
Excellent. The three programs we've talked about so far have been around for a while. The other four programs you address in the book are much more recent and initially created by executive order. Let's turn to those. One is the IT and communications supply chain regime that got off the ground with an executive order by President Trump during his first term, followed by implementing regulations during the Biden administration. What was the core concern prompting the creation of that new program?
Justin Sherman
The core concern was essentially if we have a technology in the US someone wants to sell overseas, we have a way to say, is that a security risk, export controls? Or if we're building something within the US and a foreign investor wants to reach in or a foreign telecom wants to connect to it or something. The programs we mentioned, CFIUS, Team Telecom, we have ways of dealing with that. The concern was, well, what happens with other kinds of technologies that are already in or could be in the US supply chain? What about a router? What about cybersecurity software? What about a mobile app? What about a connected vehicle component? Right. And again, not saying that all of these are national security threats or just because it says non-US in front that it means it's a security threat. But yeah, you know what, we have enough information in the public domain around how China, Russia, Iran, others use those kinds of companies or actors in certain cases to spy, to infiltrate supply chains, et cetera. So is there a way we have to deal with that? And the answer was not really. And so this led to, as you mentioned, in short, the ICTS tech supply chain program housed at the Commerce Department that was meant to give it that authority. This was a 2019 Trump executive order. It set up a Commerce Department led program. It drew on IEEPA, the International Emergency Economic Powers Act. I'm amazed they haven't said IEEPA yet. Right. Underpins a lot of these programs, but essentially it was focused on the supply chain broadly. And the last of those words is really important because it was quite broad. It was allowed to look at essentially entire tech categories of transactions. So not just saying this specific router version from this company is a risk, or this specific connected vehicle component with this, you know, made in North Korea, I mean, probably not. That's not a real example, but, you know, made in North Korea stamped on it, that's a risk.
But instead saying this entire category is a risk, or all Chinese made routers of this type are a risk. Right. So it had kind of a broad authority to look at the supply chain and say, what do we want to restrict? Maybe some of these, we have a mitigation policy. And then otherwise, you know, maybe we have the decision and we do have the authority that we want to actually expel this tech component from the US supply chain.
Jonathan Sederbaum
Have we seen much activity under that program yet?
Justin Sherman
We've seen two main things. So the first was a decision in 2024 to ban the Russian cybersecurity company Kaspersky from operating in the United States. And Kaspersky had already, seven or eight years earlier, been banned by the Department of Homeland Security from use on federal agency systems. Right. As they said at the time, the concern was, well, we've all seen the Putin regime take an extraordinarily repressive and controlling approach to the private sector. We're worried about the risks that Kaspersky could be used essentially to spy on systems. Right. Because the Russians might say, oh, hey, look, everyone's got this great antivirus installed and you all click agree and give it all your files and permissions and how convenient that we can coerce them. So that was kind of the thinking. But so this decision in 2024 broadened that to the US writ large. So Kaspersky stopped offering updates to its cybersecurity products. Companies switched over to vendors besides Kaspersky. I'll say ban asterisk, because you can still go right now and look up, for instance, Kaspersky's threat feeds. Those were explicitly excluded from this ban, which makes sense, right? I mean, I don't, you know, there's very little reason to, if no reason, let alone the legal issues associated with banning, you know, reading the information that Kaspersky is putting out, but it really was kind of a wholesale ban on its products. The second, just to hit quickly, was the connected vehicle rule. Much contested in industry, as many of these things are. But essentially looking at Chinese and Russian software and hardware components in connected vehicles and implementing restrictions on their ability for future phases of vehicles, it's not a rip and replace situation, but for future versions of vehicles, to prevent them from entering the US, again with supply chain concerns, with concerns about. There was a hearing last fall on the Senate Armed Services Committee.
There was talk of could you have vehicles driving by military bases or around bases and collecting intelligence. So certainly espionage driven. But those are the two big moves. I just wrote about this for Lawfare the other day. The Wall Street Journal has been reporting on essentially the gutting of this office in the last few weeks. And so not sure if they'll be doing much of anything going forward, but those are at least two pretty significant decisions that they had issued to date.
Jonathan Sederbaum
Another of the recent programs you discuss is the Cloud Know Your Customer or KYC program. President Biden mandated the establishment of that program through an executive order in 2021, and then the Biden administration issued draft regulations in January 2024. What would that system require?
Justin Sherman
This would require, as you said, KYC, so know your customer rules for IaaS, infrastructure as a service, providers specifically. So the shorthand, you know, folks sort of call it the cloud rule or the Cloud KYC rule, but it's specifically within cloud for infrastructure as a service providers. And it essentially conceptually, I mean, I compare the two of them in some detail, but conceptually is taken from KYC in the financial sector. So, okay, how do we prevent money laundering, terrorist financing, by requiring banks to do due diligence to keep detective controls, documentation of who their customers are, what the transactions are. Can we apply that to the cloud? And as the US government has talked about and many others have written about, the driving concern was around could you have U.S. adversaries that are exploiting those cloud ecosystems? Maybe there's a Chinese university that secretly works with the military that's training an AI system on a U.S. IaaS instance. Right. Or maybe they're launching cyber operations from it or something else. So that was kind of the driver is can we institute more documentation and more reporting requirements such that we're not curtailing most of these contracts, but if we see there's a contract in there that really concerns us, the US government has the opportunity to see that and then tell the company to change or limit or terminate that particular contract.
Jonathan Sederbaum
As I mentioned, and as you discuss in the book, that program got to the stage of proposed regulations, but not final rules. Do you expect the current administration to finalize those rules?
Justin Sherman
I don't. I don't know. I mean, no one knows, of course. So I should say I don't expect that they would necessarily shred the proposed rule. I could be wrong. If I were to guess, I would say that probably the current administration will not move the rule forward and then whoever is in the next administration will have to make the decision about what to do with it. And the reason I say that is for two reasons, right? One, as I mentioned, some of these programs are getting pulled back in general. But two is given the emphasis right now on deregulation, this rule really got, again, lots of companies complain about these rules. I cite some even stories of executives saying to me I don't care about national security. So sometimes the criticisms are unwarranted. But this one probably more than any other we talk about in the book really got a lot of heat from industry. It did not like this. It said, you're going to just blow back up the Snowden era distrust of clouds are a backdoor for the government. This is just going to wreck our market share. This is going to undermine trust and this is not good. So given the current deregulatory emphasis, I would be surprised isn't strong enough. I'd probably be shocked if this moved forward in any way. But I suppose we'll see.
Jonathan Sederbaum
The last two programs we'll talk about are very much focused on China. One is the new set of restrictions on bulk data transfers to China. Those also began with an executive order in this case in 2024, followed by proposed and then final rules that came into effect in the middle of 2025. What do these restrictions say?
Justin Sherman
These restrictions are primarily aimed at how the acquisition of commercially held data and commercially brokered and sold data could be used by foreign actors. Again, the countries of concern in the rule include Cuba, Iran, North Korea. But again, if we're talking about just based on the news, which countries are carrying out tremendous volumes of cyber espionage and have large sophisticated tech sectors, obviously China wins that ranking. So the thinking being there's a lot of concern about China here, but concern that, as I quip in the book, why hack when you can buy. You know, as I've written about a lot, we have a huge unregulated industry of data brokers in the United States, which are companies that are in the business of selling people's data. So not just collecting it, but outright in some cases even dumping it into Excel spreadsheets and selling it. And I'd done some studies funded by the, at that time, the Defense Department looking at this problem and so on, and anyway, really concerned that you could get military personnel data, you can get bulk health data, genetic data, and then what could be done with that? If you combine it, let's say if you're China, with oh, everything we stole from the Office of Personnel Management and everything we stole from Marriott and everything we stole from the Anthem Healthcare company and so on, and really mash it all together. So all to say the regulations were basically in two buckets. One was if you're outright brokering, as the rule calls it, data that might be data specifically on government personnel or facilities, that kind of has its own thresholds, or bulk data on the US population writ large. So those numbers are a little higher, a little different, but that's its own category. You have some restrictions on it.
And the second part of the regulation, which again, this is a whole other time, but some folks criticize, and some of these I think are fair criticisms, that the rule was meant to be about data brokerage and now you're including what's called low risk transfer. But the second part of the rule refers to low risk transfers. So let's say you're on a federally funded health research contract and you're partnering with a non-US entity. Well, what are you doing with the data? Whose data is that? Where's it going? So questions like that. And so in doing so, it's not just data brokers and ad tech that are regulated, even though they're the intended focus of the program. From my perspective, you also have banks and healthcare companies and others that are not, quote, unquote, selling the data, but they're subject to the low risk transfer. So that's kind of what that program does. And we've again, we've seen kind of a gutting of that. I mean, I worked a lot on that program in the last administration, into the beginning of this administration, and that office as well has been gutted. So we'll see what happens going forward with enforcement.
Jonathan Sederbaum
Yeah, indeed. I saw just this morning that Lenovo was sued by some private plaintiffs for violating these bulk data restrictions through some of their tracking of customer data and their handling of it. Do you think that private litigation may step in to be the more frequent enforcement tool as compared to direct government enforcement?
Justin Sherman
It's quite possible. We've seen a few lawsuits so far. We also have a bill that was attached to the TikTok ban bill that became law, PADFA, the Protecting Americans' Data From Foreign Adversaries Act. And this was signed into law as this Justice Department bulk data program is being stood up. So you have the EO, executive order driven program, and now you have Congress pass this law for the FTC to actually do some work in this area. So I don't think that made any sense to do that. That was a conversation for another time. But all to say you also have a statute that now says certain kinds of this activity are a threat to national security. And I definitely think that in the coming years there's probably not too many, but there will be plaintiffs' firms that look at that and say, okay, this is interesting. This is a clear hook to look at. How are companies potentially sending US citizens' data overseas in ways that are problematic.
Jonathan Sederbaum
The last program you address is one concerning outbound investment screening, that is, screening of investments by US individuals and organizations of certain kinds in China. Draft regulations, you note, for that outbound investment screening regime were issued in July of 2024. Have those rules been finalized and gone into effect?
Justin Sherman
They have been. 2024 was the final rule. In January of 2025 was when it went into effect. So it has been, yeah, the focus of this really, which is interesting, right, because most of these programs we've mentioned, or really I should say all these programs we've mentioned, might be primarily focused on certain countries or certain subsets of countries, but on paper they apply to many of them. Right. So even I just mentioned, right. Let's say the primary concern of something like CFIUS is probably not North Korean investment in, you know, the US tech sector. North Korea is in there. Right. And if for some reason something happens, that's an authority. The outbound program's different in that way because it focuses only on China and then it focuses only within China on three particular sectors, such as microelectronics. So it actually is quite just sort of interesting scoped down. And I talked to, as with many of these chapters, a number of the folks who really drove this work in the last administration and again, that was kind of the thinking, right, was Iran is so papered over with sanctions, that's not really a concern that US businesses are pumping money there. Right. Russia, same since 2022. Really not viable or something. We're particularly concerned about North Korea. Ha. What tech sector? Right. So, you know, so it's really China that we're concerned about. And I will say the credit to them, I will credit both the bipartisan China Committee report that was done on US venture capital investments in Chinese AI. And then CSET at Georgetown also published a study before the committee on this same topic. And a number of the folks who led this work had credited, obviously there's lots of other concerns going on, but had credited those two studies as really driving forward a lot of the public attention to this issue. So rules are finalized. We'll see what happens or if there's any enforcement.
But it's certainly interesting to have one of these amid all the growing, growing, growing scope really kind of zoom in on one particular area of national security threat.
Jonathan Sederbaum
We've covered some of the specifics now of seven programs. Let's step back as we get toward the end of our episode and circle back to some of your larger themes. If you had to write an elevator pitch for each of three different policymakers in the executive branch, members of Congress and industry leaders about some of the takeaways from your book, what would be the key points that you would want to drive home to each of those audiences?
Justin Sherman
So for executive branch, I probably would talk about two concepts that I mentioned. One, just in general, the issue of supply chain entanglement. Right. More and more of our technology supply chains are really interconnected and interdependent with other countries around the world. That second "I" word leads to the second point I'd make, which is weaponized interdependence. And as many listeners know, wonderful set of concepts that Henry Farrell and Abraham Newman have built out. And I highly commend. There are several books and papers that really dig into this. There's also an edited volume they did. I'll also say that Adam Segal and some others contributed to with tech things specifically, so you can actually go read their framework applied directly to technology supply chains. But I mentioned those two because we're seeing the administration really pull back from a number of these programs, whether it's, you know, gutting some of these offices or indicating at the FCC that the move is more towards this sort of trusted vendor idea. So rather than doing the same level of screening of every actor through Team Telecom, we're going to designate some of these as trusted, as I constantly point out. The flip side problem with that is then the adversary says, oh, so you're not really looking over here? And then that's probably where they'll go. So there's concerns there. But I'll just say as there's this step back from these programs, I would kind of make the point that it's really important to understand how entangled and how interdependent these systems are, how that interdependence can be weaponized. To go back to Farrell and Newman's concept, because these are not decisions you can easily reverse. It's not the case that you can kind of let these programs sit here for a year, then pick them back up and nothing's changed. This isn't pausing like a Netflix episode. I mean, this is a highly sophisticated set of regulations.
Adversaries are not taking a holiday because the offices are not staffed or because they're distracted with other nonsense. So I'm going to start editorializing a little bit more here. So that really would be my main point is look, a lot of these issues that we're being told we'll get to it later, right? We're going to negotiate with China on trade first, then we'll get later to these security questions, or we're going to deal with the ceasefire, supposed ceasefire in quotes with Ukraine right now, then we'll get to it later. That second part is really troubling because of the entanglement, because of the interdependence and all of the adversary tech that can sink its hooks in deeper in the interim. That was nowhere close to an elevator pitch. So I'll try to be a little more pithy for these last two. So you also mentioned for members of Congress and for industry. So for Congress I would say we've, as I mentioned, in some areas done a pretty good job working with older legal authorities, relatively older legal authorities, applying them to some of these modern tech issues, right? Whether that's with CFIUS, whether that's with export controls, and in plenty of areas Congress has done a good job passing new legislation to update those authorities. FIRRMA is a great example with CFIUS, right? Really giving it that authority to look at tech, to also look at non-controlling investments is huge. Right, because, and obviously I'm not saying anything non-public here or anything, but you can get scenarios where let's say hypothetically the foreign actor would say oh perfect, if you're only looking at transactions over 30% ownership, I'm going to invest 2%, but my 2% is going to say asterisk, I want control of the data center or I want access to the R and D lab or whatever. Right? So like anyway, so I mentioned that. So Congress has done a good job updating these laws. We need to keep doing that.
So don't let only the executive branch drive but think about, like with statutorily authorizing some of these, a lot of these are executive orders, the bulk data program, Team Telecom, let's put that in statute, let's assign some resources to it, let's give it some teeth. Last, industry. So the main point I make is government can learn from industry, industry can learn from government, and probably a wonky both-sidesism sounding kind of conclusion. But just to say, right, there are areas, again reading those decades and decades of regulatory filings, having sat in conversations with executives who have made good points and executives who have said the most insane things to me about how little they care about China or spying or whatever, is in some areas, government can help you better understand the risks, right? Some companies are super sophisticated on these issues, including because they hire former US government experts or consult with leading academics. Some are not. And so actually these programs are a way for the US government to provide that expertise and say, hey, you know what, we know you're not doing this intentionally, but this kind of investment or this kind of sale could actually be a real risk. So there's things they can learn. Conversely, I do think, as I mentioned, government can be more transparent. You're not going to provide the list of everything that concerns you. That's ridiculous. It also doesn't exist, right? It's constantly evolving. But it could be more transparent to help industry navigate these programs with less uncertainty. Because again, at the end of the day, like we said at the outset, and as you mentioned a few times, rightfully, throughout, the goal is to both have tech innovation, advancements in healthcare, responsibly applying new technologies in new areas, et cetera, et cetera, at the same time as you have national security, right? It's both, and it's not either or.
And so the more that we kind of strike those right balances, I think the better off we can be. Pick your tech area, pick your buzzword area, right? But no matter what it is, that balance is going to be really, really critical going forward.
Jonathan Sederbaum
Excellent. Thanks very much, Justin. It's been a pleasure talking with you.
Justin Sherman
Thanks for having me.
Jonathan Sederbaum
The Lawfare Podcast is produced by the Lawfare Institute. If you want to support the show and listen ad free, you can become a Lawfare material supporter at lawfaremedia.org/support. Supporters also get access to special events and other bonus content we don't share anywhere else. If you enjoy the podcast, please rate and review us wherever you listen. It really does help. And be sure to check out our other shows, including Rational Security, Allies, the Aftermath and Escalation, our latest Lawfare Presents podcast series about the war in Ukraine. You can also find all of our written work at lawfaremedia.org. The podcast is edited by Jen Patja with audio engineering by Kara Schillen of Goat Rodeo. Our theme song is from Alibi Music, and as always, thank you for listening.
Date: February 18, 2026
Host: Jonathan Sederbaum
Guest: Justin Sherman, Founder & CEO, Global Cyber Strategies
In this episode, Jonathan Sederbaum hosts Justin Sherman to discuss Sherman’s new book, Navigating Technology and National Security: The Intersection of CFIUS, Team Telecom, AI Controls, and Other Regulations. The conversation explores the complex regulatory environment at the intersection of technology, data transactions, and U.S. national security. Sherman delves into the structure, challenges, and evolution of seven U.S. regulatory programs and offers critical reflections on policy, transparency, innovation, and risk management amidst rising geopolitical competition, particularly with China.
[01:36–05:06] Sherman's Background & Motivation; Evolution of Regulatory Scope
[05:24–09:10] Risk Assessment Challenges; Transparency vs. Security; Regulation vs. Innovation
[09:10–18:13] Strengths; Challenges; "Small Yard, High Walls" Strategy; Decoupling vs. De-risking
[21:48–29:02] Scope Expansion; Whiteboard Security Risk Problem
[29:02–33:41] Role; Performance
[33:41–39:10] Purpose; Activity
[39:10–42:30] Mandate; Outlook
[42:30–47:06] Rules; Enforcement
[47:06–49:37] Status; Significance
[49:37–55:48] To Executive Branch; To Congress; To Industry
"Adversaries are not taking a holiday because the offices are not staffed or because they're distracted with other nonsense." – Justin Sherman [50:12]
On irreversible regulation decisions:
"These are not decisions you can easily reverse ... This isn't pausing like a Netflix episode. This is a highly sophisticated set of regulations. Adversaries are not taking a holiday."
– Justin Sherman [02:07], [50:12]
On 'Whiteboard Security Risk':
"If you sit in an empty room with a whiteboard and a pen long enough, you can really come up with any scenario."
– Justin Sherman [25:31]
On the limitations of decoupling:
"Can you really disentangle completely? Probably not, but you can try and limit your exposure in different ways."
– Justin Sherman [18:35]
On need for statutory reform:
"Many of these are executive orders ... let's put that in statute, let's assign some resources to it, let's give it some teeth."
– Justin Sherman [52:04]