The U.S. should bolster investment reviews to combat China

The flag of the People's Republic of China flies in the wind above the Consulate General of the People's Republic of China in San Francisco, California on July 23, 2020. (Photo by PHILIP PACHECO/AFP via Getty Images)

The Committee on Foreign Investment in the United States just published its 2024 report, revealing once again that shielding U.S. tech from risky foreign investments was a critical focus for the interagency group that reviews investments in the United States for national security risks. But as U.S.-China tensions further intensify, bolstering these reviews is even more important for national security — and getting it wrong all the more damaging.

When President Trump took office again in January, he signed an executive order “fast-tracking” investments from (unspecified) allied and partner countries — in other words, expediting their CFIUS reviews — as a way to accelerate the funding of U.S. advanced tech and other businesses. It’s an idea with some merit.

Yet, CFIUS remains plagued by procedural problems, far beyond the screening of allied investments, that impact the rigor, transparency, and ultimate efficacy of its national security reviews. These issues make a CFIUS shakeup an opportune moment to evaluate the U.S. government’s broader strategy for screening investments into U.S. technologies. Policymakers should ensure CFIUS has a more rigorous analysis of risks, a more nuanced focus on China, and greater transparency — all of which will help U.S. tech security and with competition against Beijing in the coming years.

President Ford created what is now CFIUS in 1975 through executive order, making it 50 years old this year. In subsequent administrations, president after president kept it around as a matter of executive policy, and Congress statutorily authorized the Committee in 2007. The idea was that certain non-U.S. investments in U.S. companies could potentially enable foreign adversaries — such as, at the time, the USSR — to infiltrate supply chains, steal trade secrets, or even sabotage operations. This could target anything from U.S. energy infrastructure to steel plants for tanks.

As described in my upcoming book on U.S. national security governance of technology, CFIUS had a tech focus from its earliest days, such as handling concerns in the 1980s about Japanese investments in semiconductors. But as time went on, its tech focus grew substantially. CFIUS received authorities in 2018 to evaluate how foreign investments impact sensitive U.S. data and technologies. It forced a Chinese buyer to sell the gay dating app Grindr back to U.S. owners. And it even opened a 2019, pre-ban-debate investigation into TikTok. The current Committee structure puts the Treasury Department at the helm, working with departments from State to Defense, to parse these risks and recommend whether to block, approve, undo, or put security conditions on transactions.

Today, as its newest report says, CFIUS spends a substantial amount of time looking at risks to U.S. technology. Outside of real estate transactions, which CFIUS also reviews, 53% of companies that sent a “covered notice” to CFIUS in 2024 — alerting the group in detail of a potentially relevant investment — came from the “Finances, Information, and Services” sector, up from 50% in 2023. This category includes companies in telecommunications, computing infrastructure, data processing, and professional, scientific, and technical services. 

But the Committee is even more tech-focused than the numbers suggest: companies can also submit shorter filings to CFIUS — simpler “declarations” typically intended for less risky investments — not counted in these numbers. And companies not in tech, per se, can receive CFIUS scrutiny for a tech-related issue, such as a health insurer with sensitive data taking a non-U.S. investment.

The latest report also clarifies that CFIUS is highly focused on China. Investments from China motivated more covered notices in 2024 than investments from any other country — including from other adversaries such as Iran and Russia, which counted for none. Shorter declarations, meanwhile, were led by investments from Japan, Canada, France, and the United Kingdom. (China’s domination of covered notices but not shorter declarations may suggest Chinese investors prefer providing more information to CFIUS up front to — in their minds — make the U.S. security review timeline more predictable.)

Combined, these new data points illuminate the challenges at hand in the coming years.

CFIUS has powers to look at a broad sweep of investment activities. These range from acquisitions of big American firms to influential minority stakes in Bay Area startups to transactions involving national security-critical technologies — like AI models, space communications systems, and biotech applications. 

CFIUS has a substantial focus on Chinese investments, which the intelligence community has repeatedly said create opportunities for Beijing to steal U.S. technologies. And it must screen U.S. allied and partner investments that could create risks, too (including due to, say, Chinese front companies in Japan or Russian ones in the U.K.).

Despite this broad, consequential activity, CFIUS is often described as a “black box.” Companies complain it’s difficult to understand and therefore navigate; congressional overseers have told me repeatedly in recent years that they want better insights into CFIUS’s activity on AI, chips, China, and more, including to inform decisions about whether it needs more funding. 

Unlike other tech and national security regulatory programs, CFIUS additionally appears to lack an adequately standardized framework to identify and mitigate national security risks. Methodology sounds boring. But a rigorous, standardized risk process is the difference between identifying the right risks and working to address them — and acting in good faith but getting distracted, going down rabbit holes, inflating unlikely scenarios, and pulling focus from the highest priority risks.

The new administration — or a future one — and Congress should push CFIUS toward a more standardized, rigorous risk management process. This could include a White House-led effort to better synchronize risk mitigations across CFIUS-involved agencies or creating robust frameworks for issues like investors’ access to company-held data, software source code, or technical schema.

Related, CFIUS should work to resist the ever-growing D.C. temptation to label all China-related activity “a risk,” taking a reductive view of the threat landscape. It should instead apply more nuance to areas that present minimal, mitigatable risk versus areas that present outsized risk to U.S. technologies or data (such as with the later-undone Grindr acquisition).

Lastly, more transparency into U.S. investment security reviews would help companies, the public, overseers, and national security at once. No, CFIUS should not alert the press every time a company considers a merger or funding round — that’s proprietary and should be kept that way. And it relies on classified insights within the government to assess risks, too.

But Congress can and should compel the Committee to provide greater insights into its activities than only the statistics in its annual reports. Making its generalized risk criteria a bit clearer to companies — for instance, what areas concern it most and how it thinks about mitigations for risky investments — could help lower compliance costs without tipping off U.S. adversaries with too much detail. It could help congressional overseers better ensure the interagency team is focused on the right issues, including with tech and China, and can get briefings that protect company trade secrets but provide more details about security issues and reviews.

Increasing CFIUS’s transparency is also a win for the public. As CFIUS launches investigations that impact widely used communications and other technologies — TikTok being the chief example — transparency is both vital in a democracy and helpful to inform public debate. And as competition with China intensifies, investment security reviews will prove a critical vector for protecting business innovation, securing U.S. supply chains, and bolstering long-term security.

Justin Sherman is the founder and CEO of Global Cyber Strategies, a D.C.-based research and advisory firm, and the author of “Navigating Technology and National Security.”
