The Evolving Role of the Private Sector in Protecting Our National Security
September 11, 2024
Recent actions from the White House, the U.S. Department of Justice (“DOJ”), and other regulatory agencies have demonstrated even greater focus on the private sector’s role in protecting national security. These actions are focused on ensuring that the private sector is implementing protections to mitigate risks to national security by instituting corresponding requirements and regulations. Unfortunately, this creates a constantly evolving burden on the private sector to understand various obligations around national security compliance, especially regarding reporting requirements related to cybersecurity incidents and breaches.
Simply put, cybersecurity is national security. Escalating cyber attacks designed to steal sensitive data or disrupt critical infrastructure have widespread implications for organizations and individuals alike. The Colonial Pipeline ransomware attack in 2021 created panic across the U.S. and showed the real-world consequences of essential services being disrupted by threat actors. More recently, high-profile cyber attacks on the healthcare and telecommunications industries have created similarly extensive and damaging effects. While not a cyber attack, the CrowdStrike outage highlights the interconnectedness of our digital world and how dependencies can create widespread and cascading impacts, especially for unprepared organizations.
Recent Regulatory Changes
Over the past two years alone, there have been significant regulatory advancements from the U.S. government specific to protecting national security.
In February 2024, the White House issued an Executive Order protecting sensitive personal data, including genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personally identifiable information, from transfers to “certain countries of concern.”1 The order notes that “[t]he continuing effort by countries of concern to access Americans’ bulk sensitive personal data and United States Government-related data threatens the national security and foreign policy of the United States.”2 The order puts a clear requirement on the private sector to intimately know their data and the nature of its sensitivity. Companies must understand where their data is going, who has access to it, and where it will end up following any data-related transaction.
A separate Executive Order regarding artificial intelligence (“AI”) was issued in October 2023, mentioning that using AI irresponsibly could “pose risks to national security.”3 While the focus of the order is on safely developing and using AI, it should not be overlooked that national security language was included. This suggests that the U.S. government is considering national security implications in all scenarios, including emerging technology, in an effort to ensure that private sector actions do not put the U.S. at risk to foreign adversaries.
In March 2024, the National Security Division (“NSD”) of the DOJ released an update to its Enforcement Policy for Business Organizations, which states that “business organizations play a vital role in protecting our national security.”4 This update signaled a continued focus from the U.S. government regarding the role the private sector plays in national security interests, and on May 22, 2024, the DOJ announced the first declination to prosecute a company under the NSD Enforcement Policy for Business Organizations, citing “timely disclosure and exceptional cooperation.”5
Also included in the updated enforcement policy was the incorporation of a mergers and acquisitions (“M&A”) Policy, encouraging voluntary self-disclosures regarding potential criminal violations by the acquired company that impact U.S. national security. By following certain requirements, e.g., submitting a voluntary and timely self-disclosure to the NSD and cooperating with their investigation, the acquiring company can receive additional protections under the M&A Policy.6 Self-disclosure is nuanced and should be carefully considered with support from experts and outside counsel. This development and the incentive for private organizations to work with the NSD suggests that M&A deals are seen as having implications to national security, especially in scenarios where foreign companies or individuals are involved.
In July 2024, the Treasury Department issued a Notice of Proposed Rulemaking to expand CFIUS’ coverage over certain real estate transactions.7 While CFIUS had authority to review and restrict certain transactions by foreigners in the U.S., the rule expands upon the transaction types to include an additional 50 military installations, as well as certain non-controlling investments in sensitive technologies.
The expanding role of CFIUS suggests that foreign-backed U.S. businesses with sensitive technologies or large amounts of personally identifiable information could be on the receiving end of heightened government oversight and investigation. To provide clarity and transparency into penalties and enforcement actions set by CFIUS, the U.S. Treasury launched a new website.8 Additional U.S. government agencies have also increased their focus on national security issues.
- The Federal Communications Commission proposed the National Security Protections for Equipment Program, which is intended to ensure wireless equipment authorizations are not compromised by entities found to pose national security concerns.9
- The DOJ has seen a recent uptick in enforcement actions involving the False Claims Act, with an increased scrutiny on government contractors’ claims regarding their compliance with cybersecurity obligations.10
- The Securities and Exchange Commission instituted rules that require reporting a material incident within four days, with the caveat that disclosure may be delayed if the U.S. Attorney General determines that making this information public would pose a risk to national security or public safety.11
- The Department of Commerce Bureau of Industry and Security has expanded its control lists over the past few years to include emerging and critical technology and has tightened controls on technology exports to nations deemed to be a national security threat.12
U.S. Government Reliance on the Private Sector
There is a deep history in the U.S. of the government turning to the private sector for help in protecting the country from national security threats. In World War II, the primary operations of certain factories not controlled by the government were converted to support the war effort. For example, some factories shifted from manufacturing automobiles or household items to planes and tanks. Also during World War II, the U.S. government turned to large American banks for help with financing the war effort.
The nature of these collaborations has evolved over time, reflecting the changing security landscape and technological advancements. Recently, the U.S. government has increasingly relied on the private sector to develop intelligence on and protect against cyber threats to critical infrastructure.
To keep pace with evolving cybersecurity risks to national security, the White House National Security Council published the “National Security Memorandum (“NSM”) on Critical Infrastructure Security and Resilience” in April 2024.13 The NSM replaces Presidential Policy Directive 21, which focused specifically on counterterrorism, and broadens the national security conversation to include increasing minimum security standards and resilience capabilities across critical infrastructure and protecting essential services and national security interests.14
The concept of using public-private partnerships to mitigate risks is not new. In 2005, the Office of Justice Programs, Bureau of Justice Assistance within the DOJ released a report titled, “Engaging the Private Sector To Promote Homeland Security: Law Enforcement-Private Security Partnerships.”15 This document mentions that “to effectively protect the nation’s infrastructure, law enforcement and private security must work collaboratively because neither possesses the necessary resources to do so alone.” Information sharing is a vital notion within cybersecurity, as the more data available about threat actors and their tactics, techniques, and procedures, the better risk mitigation strategies can be tailored to defend against threats.
Keeping Pace with Changing Requirements
With increased attention and reliance from the U.S. government regarding national security concerns, the private sector should proactively assess their cybersecurity risks through the lens of national protection by:
- Establishing or enhancing a robust compliance program that promotes a culture of compliance and has buy-in and support from all levels, and includes training programs and strong communication;
- Conducting regular risk assessments, including cybersecurity program assessments, supply chain vulnerability assessments, and M&A due diligence assessments. Efforts must also be made to review both inbound and outbound foreign investments to assess the national security implications of these investments;
- Seeking outside advice from legal counsel and cybersecurity experts who can independently and objectively identify vulnerabilities and help implement protections with the aim of building cyber resilience;
- Utilizing government resources to aid in their compliance and security efforts; and
- Coordinating with government agencies regarding early self-reporting, remediation efforts, and active collaboration may enable private sector companies to avoid prosecution and penalties for cybersecurity incidents, even when national security issues are involved.
With national security and cybersecurity so intertwined, and as the world becomes increasingly digital and connected, defending the U.S. is a joint responsibility of the U.S. government and its privately owned companies.
1: “Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” The White House (February 28, 2024).
2: Id.
3: “Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” The White House (October 30, 2023).
4: “Report of the Attorney General to the Congress of the United States on the Administration of the Foreign Agents Registration Act of 1938, as Amended, for the Six Months Ending June 30, 2020,” U.S. Department of Justice, National Security Division (2020).
5: “Ringleader and Company Insider Plead Guilty to Defrauding Biochemical Company and Diverting Funds,” U.S. Department of Justice, Office of Public Affairs (May 22, 2024).
6: Id.
7: “Treasury Secretary Yellen Calls for Strengthening and Expanding the Multilateral Development Banks at the UN SDG Summit,” U.S. Department of the Treasury (July 8, 2024).
8: “CFIUS Enforcement,” U.S. Department of the Treasury.
9: “FCC Proposes National Security Protections for Equipment Authorization Program,” Federal Communications Commission (May 23, 2024).
10: “False Claims Act Settlements and Judgments Exceed $2.68 Billion in Fiscal Year 2023,” U.S. Department of Justice, Office of Public Affairs (February 22, 2024).
11: “SEC Charges with Involvement in a Fraudulent Cryptocurrency Scheme,” U.S. Securities and Exchange Commission (July 26, 2023).
12: “Commerce Proposes Restrictions on U.S. Persons Supporting Foreign Military Intelligence and Security Services,” Bureau of Industry and Security (July 25, 2024).
13: “National Security Memorandum on Improving the Cybersecurity and Resilience of Critical Infrastructure,” Cybersecurity and Infrastructure Security Agency.
14: “Presidential Policy Directive -- Critical Infrastructure Security and Resilience,” Obama White House Archives (February 12, 2013).
15: “Managing Large-scale Security Events: A Planning Primer for Local Law Enforcement Agencies,” U.S. Department of Justice, Bureau of Justice Assistance (September 2005).