The Lawfare Podcast
Episode: Lawfare Daily: National Security Regulation of Technology and Data Transactions
Date: February 18, 2026
Host: Jonathan Sederbaum
Guest: Justin Sherman, Founder & CEO, Global Cyber Strategies
Episode Overview
In this episode, Jonathan Sederbaum hosts Justin Sherman to discuss Sherman’s new book, Navigating Technology and National Security: The Intersection of CFIUS, Team Telecom, AI Controls, and Other Regulations. The conversation explores the complex regulatory environment at the intersection of technology, data transactions, and U.S. national security. Sherman delves into the structure, challenges, and evolution of seven U.S. regulatory programs and offers critical reflections on policy, transparency, innovation, and risk management amidst rising geopolitical competition, particularly with China.
Key Discussion Points & Insights
1. Framing the National Security-Technology Relationship
[01:36-05:06]
- Sherman’s Background & Motivation:
- Dual background in computer science and international relations naturally drew him to technology-policy intersections.
- Noted that much of technology regulation discourse centers on consumer protection or civil liberties but less on national security as a mode of tech governance.
- "There’s a whole conversation to be had about the extent to which national security laws, national security regulations, national security regulatory programs are a way of governing technology." – Justin Sherman [02:57]
- Evolution of Regulatory Scope:
- Traditional focus was on export controls and some investment review, but rapid technological change has multiplied the number and relevance of national security regulatory programs—covering areas from AI and chips to connected vehicles and data.
2. Overarching Themes and Tensions in Regulation
[05:24–09:10]
- Risk Assessment Challenges:
- Ongoing debate over how government defines and determines “national security risk” for tech/data transactions.
- The need for precision so as not to stifle innovation or overregulate.
- Transparency vs. Security:
- Private sector has repeatedly requested clear, specific lists of forbidden or scrutinized activities or countries; the government hesitates, citing the constantly-evolving threat landscape and classified methods.
- "Transparency is really, really critical ... throughout looking back at regulatory documents, companies wanting the government to publish really specific lists ... the government has rejected those requests, saying, 'No, the threat space is really dynamic.'" – Justin Sherman [05:24]
- Regulation vs. Innovation:
- Balancing innovation’s speed with safeguarding against threats—sometimes these goals align, sometimes they create vulnerabilities (e.g., cybersecurity).
3. Deep Dive: Seven Key U.S. Regulatory Programs
A. Export Controls
[09:10–18:13]
- Strengths:
- Commerce Department/BIS produces regular, actionable guidance on avoidance of export-compliance risks.
- Successful in certain strategic cases—e.g., Huawei.
"Huawei’s global market share took a real hit ... so there are ways export controls sat within a broader framework." – Justin Sherman [11:01]
- Challenges:
- The paradigm struggles to adapt from tangible goods to intangible tech/data (e.g., software, AI, encryption).
- Past failed efforts to restrict diffusion of software/encryption hurt US interests.
- “Small Yard, High Walls” Strategy:
- "Small yard, high wall ... was a way of thinking through how do we lock down a certain subset of technologies ... but not over-index ... in a way that it undercuts university innovation or the startup ecosystem." – Justin Sherman [13:49]
- Execution problems: “The first Trump administration drew a pretty big yard … [and] got a lot of flack” for overbreadth. The Biden administration’s critical/emerging tech list was broad but made it difficult to focus on truly critical tech.
- Decoupling vs. De-risking:
- Complete supply-chain decoupling from China is seen as unrealistic, but reducing risk and exposure (“de-risking”) is possible and preferable.
B. Committee on Foreign Investment in the United States (CFIUS)
[21:48–29:02]
- Scope Expansion:
- FIRRMA (2018) expanded CFIUS to cover critical tech, infrastructure, and U.S. citizens’ data.
- High-profile actions: TikTok (Musical.ly) and Grindr forced divestitures due to data concerns.
- Whiteboard Security Risk Problem:
- Overly hypothetical “what-if” thinking in security risk assessments can stymie investments with speculative scenarios.
- "If you sit in an empty room with a whiteboard and a pen long enough, you can really come up with any scenario." – Justin Sherman [25:31]
- Need better-defined risk criteria.
C. Team Telecom
[29:02–33:41]
- Role:
- Team Telecom (formally: interagency telecom security advisory committee) advises FCC on risks in licensing and foreign telecom transactions (e.g., cables, company partnerships).
- Performance:
- Historically opaque (“a black box”), but notable strides in transparency since about 2019, now offering public explanations for decisions.
- Substantial policy and regulatory shifts underway in telecom cyber.
D. ICTS Supply Chain Review (Commerce Department)
[33:41–39:10]
- Purpose:
- Authority to restrict or mitigate entire categories of risky foreign technology (not just specific products), e.g., routers, mobile apps, connected vehicle components.
- Activity:
- 2024 ban on Kaspersky antivirus products and restrictions on Chinese/Russian components in connected vehicles.
- "Those are two pretty significant decisions that they had issued to date." – Justin Sherman [36:42]
- Office currently weakened (“gutted”), future uncertain.
E. Cloud “Know Your Customer” (KYC)
[39:10–42:30]
- Mandate:
- Proposed via Biden’s 2021 EO, would require cloud providers (IaaS) to document customer identities, analogous to “KYC” for banks.
- Aimed at preventing adversaries from exploiting U.S.-based cloud infrastructure.
- Outlook:
- Facing strong industry opposition, unlikely to be finalized under a deregulatory climate:
"I’d probably be shocked if this moved forward in any way." – Justin Sherman [41:15]
F. Bulk Data Transfer Restrictions to China
[42:30–47:06]
- Rules:
- Enacted 2025, restricted bulk sales of U.S. commercial or sensitive data to China, Cuba, Iran, North Korea (but mainly China-focused due to threat profile).
- Addressed “why hack when you can buy”: vast, lightly-regulated data broker industry poses espionage risks.
- Coverage includes data brokers and “low risk transfers” (research, business data flows, etc.).
- Enforcement:
- Agency weakened/restructured; private litigation (e.g., suit against Lenovo) may fill enforcement gaps.
- New Congressional statute (PADFA) now supplements EO-authorized rules.
G. Outbound Investment Screening (China-Focused)
[47:06–49:37]
- Status:
- Rules finalized in 2024, operational January 2025, narrowly target U.S. investment into key Chinese high-tech sectors (microelectronics, AI, etc.)
- Significance:
- Unlike other programs, intentionally focused only on China and certain advanced sectors—reflects bipartisan consensus on targeted risk.
4. Policy Recommendations for Different Stakeholders
[49:37–55:48]
- To Executive Branch:
- Focus on supply-chain “entanglement” and the risks of “weaponized interdependence” (Henry Farrell & Abraham Newman’s frameworks).
- Avoid complacency or “pausing” regulatory programs—adversaries do not wait.
"Adversaries are not taking a holiday because the offices are not staffed or because they're distracted with other nonsense." – Justin Sherman [50:12]
- To Congress:
- Congress has done good work modernizing legal authorities (e.g., FIRRMA), but further statutory updates, resource allocation, and permanence are needed—many programs still rely on EOs alone.
- To Industry:
- Government and industry can mutually benefit: government provides risk intelligence; industry needs (and deserves) more transparency.
- The balance between security and innovation is not a zero-sum game.
Notable Quotes & Memorable Moments
- On irreversible regulation decisions:
"These are not decisions you can easily reverse ... This isn't pausing like a Netflix episode. This is a highly sophisticated set of regulations. Adversaries are not taking a holiday."
– Justin Sherman [02:07], [50:12]
- On 'Whiteboard Security Risk':
"If you sit in an empty room with a whiteboard and a pen long enough, you can really come up with any scenario."
– Justin Sherman [25:31]
- On the limitations of decoupling:
"Can you really disentangle completely? Probably not, but you can try and limit your exposure in different ways."
– Justin Sherman [18:35]
- On need for statutory reform:
"Many of these are executive orders ... let's put that in statute, let's assign some resources to it, let's give it some teeth."
– Justin Sherman [52:04]
Timestamps for Key Segments
- 01:36 – Introduction to tech-national security regulatory complexity
- 02:57 – Sherman's background & book motivation
- 05:24 – Cross-cutting regulatory themes
- 09:10 – Export controls: successes and challenges
- 13:49 – “Small yard, high walls” explained
- 18:35 – Decoupling vs. de-risking supply chains with China
- 21:48 – CFIUS origins, evolution, and data focus
- 25:31 – The 'whiteboard security risk' critique
- 29:19 – Team Telecom’s mandate and transparency improvements
- 33:41 – ICTS supply chain rules and high-profile decisions (Kaspersky, vehicles)
- 39:31 – Cloud KYC regulatory proposal and prospects
- 42:54 – Bulk data transfer restrictions and enforcement issues
- 47:30 – Outbound investment screening targeting China
- 49:37 – Tailored policy advice for executive branch, Congress, and industry
- 55:48 – Closing remarks
Summary Takeaways
- U.S. national security regulation of technology/data is rapidly evolving, increasingly sophisticated, and wrapped in tensions around transparency, risk definition, and the pace of innovation.
- Geopolitical dynamics—especially with China—are driving both new regulatory programs and sharper focus within existing ones.
- Major challenges persist around defining national security risk, the transparency of regulatory processes, and adapting old legal tools to novel tech realities.
- Both government and industry must collaborate—to maintain innovation and to ensure national security—while each also has scope to improve: government in its transparency and strategic focus, industry in its risk awareness and support for statutory modernization.
