Introduction

For hundreds of years, the United States has used national security powers to tackle national security issues related to trade and technology. The first core bucket of these powers was export controls, used to implement trade embargoes against Great Britain in 1775 (back in the days of the American colonies), restrict the export of technical data to North Korea during the Korean War, and limit the spread of encryption amid the Cold War's height. As time passed, however, and companies, government agencies, universities, and individuals developed new technologies—and as they began using technologies in new ways—the U.S. government significantly expanded its legal authorities and regulatory powers to govern technology for national security ends. Today, there are not just U.S. export controls on semiconductors, remote-controlled drone components, and even artificial intelligence (AI) technologies, but national security programs focused on foreign investments into the United States, outbound investments from the United States, telecommunications, cloud services, data sales and transfers, and technology supply chains writ large.

This book details the history and future of how the U.S. government has come to govern so much technology—from software to hardware; from cloud services to connected vehicles; covering billions of dollars’ worth of economic activity each year—through a national security lens. It examines how one main set of national security regulations and review programs, with some technology focus, has evolved into several adjacent, relatively expansive authorities with significant or complete focuses on technology and data. It analyzes how regulations and review programs have expanded from looking at specific tech-related transactions, such as a foreign investment in a U.S. defense technology startup, to governing entire classes of transactions, such as how all non-U.S. technology of a certain type should be permitted to operate in the country. And it explores how national security authorities and regulatory structures designed originally for tangible, physical goods and related services—such as selling a radio to Germany or a supercomputer to Russia—have been applied, with some successes and some failures, to a host of intangible, digital things such as data, software, and AI model weights.

All these regulations and review programs matter because technologies and those who use them pose increasing, highly complex risks to U.S. national security. Foreign cybercriminals can effectively hold oil pipelines and regional hospitals hostage by launching ransomware attacks from halfway around the world. Terrorist organizations can cheaply acquire components for technologies such as drones that can be deployed with rigged explosives. Nation-state adversaries such as China, Russia, and Iran can insert backdoors into telecommunications supply chain components, leverage the might of American cloud computing services to train their own AI models, exploit the lack of strong U.S. privacy laws to siphon highly sensitive commercial data about U.S. military and intelligence personnel, and steal U.S. corporate secrets to advance their own defense weapons programs or stand up their own private-sector, state-crowned champions. These governments can even use foreign investments, university partnerships, and other seemingly innocuous moves—hidden with largely beneficial or indeed innocuous activity—to acquire U.S. technological capabilities or sabotage them. Because the United States is so technologically advanced, internet-dependent, and deficient in country-wide, consumer-focused cybersecurity, privacy, digital resilience, digital product safety, and other regulations, there is a significant vulnerability space to be addressed.

These regulations and review programs are therefore designed to empower the U.S. government to identify and mitigate complex risks to national security that exist in the private sector. While U.S. tech innovations have provided many advantages for U.S. national security—the incredible talent pipeline the country has attracted, at least historically, among them—many private-sector companies are focused on building businesses, deploying technologies, and making money. Their focus is not national security. Far from suggesting that all U.S. companies should be making U.S. government interests their top priority—in fact, this would be highly problematic and make the United States more closely resemble some of its autocratic adversaries—it simply means that private-sector technology and national security priorities can differ. And so can companies’ knowledge about national security issues and their capacity to address them on their own. Hence, as private companies make technology-related decisions that may be adverse to U.S. national security, these regulations and review programs provide the government the opportunity and the authority to identify risks and require steps to mitigate them.

Simultaneously, these regulations and review programs matter because they collectively give the U.S. government potentially significant power over private-sector technology activities, ranging from semiconductor manufacturing to cloud services provision to connected vehicle development to high-volume data transfers. This collective national security regime has tremendous impacts on U.S. businesses, their customers in the United States and around the world, and the U.S. citizens who rely on various technology products and services. In recent years, for example, the U.S. government has used or cited these authorities to expel Chinese state-owned telecoms from operating in the country, require a Chinese investor to sell gay dating app Grindr back to U.S. owners, eject Russian cybersecurity provider Kaspersky from the U.S. market, place downstream pressure on allies and partners to limit the use of Chinese technology equipment in their supply chains, require cloud service providers to limit the entities to which they sell their services, and even attempt to ban TikTok from the United States completely. The scope of U.S. government action—and even more so, the potential scope of action as these authorities grow more numerous—is much more significant than many companies, members of the public, and policymakers may fully appreciate.

In a democratic system, it is important for such powers to conform to values such as transparency, accountability to the public and overseers, respect for privacy and civil liberties, and proper regard for the autonomy rightfully afforded to private American companies. These are inherently important in a democracy, speak to U.S. Constitutional and legal values to be upheld, and enable the U.S. government to more credibly message its tech-focused national security authorities—at a time when authoritarian adversaries in Beijing, Moscow, and elsewhere crack down on technology, citing their own security interests. If the U.S. government is going to expel non-U.S. technology on national security grounds, it should be able to credibly explain at home and abroad why measures such as relative transparency, opportunities for private-sector lawsuits and appeals, and legislative oversight (if all indeed in place) make the legal power and the security decisions different from, say, a Chinese government censorship demand or a Russian government expulsion of Western technology to advance repression. That differentiation is strategically important.

It is also important for these expanding national security regulations and review programs to be functional, given the tremendous volume and complexity of technology-enabled or -related threats facing the United States. This means ensuring, among others, that the regulations and review programs are carefully designed, properly focused, appropriately resourced, and effectively enforced. Some of this requires a tricky balance. As the scope of these authorities and the reach of their use get wider and wider, such as leading to government calls to ban the widely used app TikTok, it can arguably become even more important for the U.S. government to be transparent about its regulatory processes and risk decisions; at the same time, the U.S. government cannot share everything it knows with the public or the private sector, including because of classification. Nor should it investigate risks posed by sophisticated, well-resourced, and persistent adversaries—which always shift their tactics—based on a static list of overly specific criteria.

After detailing these programs’ histories, their legal structures, and their major enforcement case studies—coupled with a fair amount of injected analysis and opinion about their design, operation, and efficacy—this book looks to the future. It describes the dynamic threat environment cutting across nation-states like Russia and China, actors like cybercriminals, technologies like satellites and quantum computing, and emerging themes such as highly entangled global tech supply chains, the strategic importance of data and information, and government loss of direct control over the dissemination of technologies and data in the internet age. And it looks at how the U.S. government can use one central question, the degree to which it builds and discloses some of its risk criteria for each program, as a way to strike the right balance across transparency, accountability to the public and overseers, credibility to the private sector and international partners, and much more.

As the threat space becomes more complex, and as the United States leans more toward national security authorities than comprehensive, consumer-oriented technology...