Assistant Attorney General John Carlin Delivers Remarks at the 2nd Annual Global Competition Review Conference
New York, NY
United States
This important event is an opportunity to discuss a broad range of issues associated with cross-border mergers—including how, together, we can protect national security while promoting foreign investment and supporting economic growth.
The U.S. Government encourages foreign investment, and understands its importance in the global marketplace.
We understand its potential to help companies increase market share, to promote and drive innovation, and to create additional jobs both here and abroad.
That said, as we operate within the global marketplace and welcome foreign investment, we must also identify and address potential vulnerabilities introduced by cross-border transactions.
Because, with an ever-growing and evolving set of threats targeting our sensitive technologies and information, we must be vigilant. We must look for how transactions could make us more vulnerable, and do everything in our power to mitigate those vulnerabilities.
That goal is what motivates, in part, the set of complex legal regimes governing foreign investment and global transactions. It may seem daunting at times, but it exists to protect our national security and our national interests. And that set of regimes is only one piece of the puzzle.
In today’s world, we must look beyond the law governing transactions to the full range of laws designed to protect our national security.
At the Department of Justice’s National Security Division, or “NSD,” we do just that. We protect national security by taking an intelligence-driven, threat-based approach.
We know from experience that those seeking to do us harm will look for any available vulnerability to exploit. It is our responsibility to use all tools available to us to prevent them from doing so.
As professionals handling all of the intricacies of global business deals, you share that responsibility. In many ways, you are on the front lines of our national defense.
In conducting thorough due diligence in connection with a deal, you may be in the best position to identify where we may become more vulnerable. You may also be in the best position to help minimize our risk. And that can be a big responsibility on your part.
To fulfill that responsibility, it is important to broaden the scope of issues we currently think about in connection with cross-border mergers. To do this, we need to consider the full range of threats.
We need to put the foreign investment review process into a broader context. We live in an interconnected world, in which exploitation of security vulnerabilities can lead to corporate theft, the violation of export control laws, or even physical damage or loss of life.
We face a wide range of evolving threats, including those posed by well trained, highly skilled, state-sponsored cyber actors.
These are challenging times. We must be vigilant. And we must keep our eyes open, looking for potential vulnerabilities and working to mitigate them to keep our innovation, our technologies, and our nation safe.
The National Security Division
Before addressing this broad set of issues, I want to give you a sense of NSD and our approach to protecting the nation.
NSD was created in the wake of the September 11th terrorist attacks. Those attacks showed us the dangers of putting walls up between foreign intelligence and law enforcement. By doing so, we made connecting the dots of a plot very difficult. We needed to change.
With the crumbling of this intelligence wall, we recognized that we needed to unite prosecutors and law enforcement officials with intelligence attorneys and the Intelligence Community. In 2006, Congress created NSD, bringing all of the Department’s national security work into a single unit, and giving the Department its first new litigating division in almost half a century.
Lawyers in our Division play a critical role in shaping our country’s toolsets, options, and solutions to various security challenges.
In particular, NSD works on three specific areas related to protecting national security while at the same time promoting foreign investment:
1. First, our Foreign Investment Review Staff, or “FIRS,” is the Department’s representative to the Committee on Foreign Investment in the United States, which reviews certain foreign investments for national security concerns.
2. Second, we handle cases involving violations of export control laws.
3. Third, we also handle cases of economic espionage.
CFIUS
I’m not planning to spend much time today on NSD’s CFIUS-related work. For one thing, I know most of you are familiar with the CFIUS process, and you’ll hear more about it throughout the rest of this conference. And we can’t discuss particular transactions, because they are subject to confidentiality provisions by statute.
Let me simply say that, as one of the member agencies of CFIUS, DOJ takes very seriously our collective statutory obligation to protect national security if a risk is posed by a transaction that could result in foreign control of a U.S. business. We do this in the context of America’s longstanding open investment policy, which has proven so beneficial to economic growth and job creation. By focusing solely on potential national security concerns, we maintain that policy while protecting against risk in transactions under CFIUS’s purview. CFIUS conducts thorough and rigorous national security reviews of such transactions; and, if the transaction presents a risk, the statute gives us the tools we need to address it. If it doesn’t present such a risk, we not only clear the transaction; we welcome it.
Separate from CFIUS, NSD considers national security threats or concerns from many types of foreign economic activity in the United States. We approach such threats using all available tools. In keeping with the theme of this conference, I intend this morning to broaden the range of national security issues that we associate with foreign investment by discussing those other threats and tools.
Export Control
For example, as many of you are aware, the United States regulates, in the interests of national security, the export of sensitive equipment, software, and technology.
As a country, we want our leading industrial and technological companies to profit from exports. Our economy relies to a great extent on exports, and we want to support those sales.
We find ourselves in a position where we must balance that desire to support our economy with recognition of the real threat to national security posed by certain technologies falling into the wrong hands.
The complex export control regime thus exists for good reasons, such as to prevent weapons of mass destruction from ending up in the hands of terrorists and other adversaries.
These controls and regulations protect advanced but sensitive equipment, software, and technology from finding their way to individuals who could use our innovation to do us and others harm.
Three Government entities have the authority to issue export licenses: the Departments of State, Commerce, and Treasury. And their work in this area is significant.
In one year alone, these three Departments processed over 130,000 applications. Most of those applications receive approval. However, there are limits, and for certain narrow categories of products and technologies, going to a few identified places, the national security threats posed are simply too great to take the risk.
That is why violating the laws associated with protecting export-controlled information is a serious crime.
To illustrate, in 2012, Pratt & Whitney Canada Corporation pleaded guilty to violating the Arms Export Control Act and making false statements. The companies involved agreed to pay millions of dollars as part of a global settlement with the Justice Department and State Department.
These pleas resulted from the illegal export to China of U.S.-origin military software used in the development of China’s first modern military attack helicopter, the Z-10.
Pratt & Whitney decided, on its own, that development engines for the Z-10 did not require a U.S. export license.
They were wrong, and it was an expensive mistake on their part.
The companies failed to disclose their illegal exports for several years, and finally did so only after an investor group queried one of the companies about whether it might be engaging in illegal activity.
The companies then made a number of submissions to the State Department—submissions that contained numerous false statements.
Thanks in part to the hard work of prosecutors at NSD, we obtained this landmark guilty plea and settlement.
You can see how facilitating the development of China’s first modern military attack helicopter is cause for concern. That is precisely the sort of technology transfer that our export control regime prohibits. And it’s why we continue to enforce that regime vigorously and punish those who violate it.
Consider the charges that we announced in April against Karl Lee. Lee was charged with violating sanctions prohibiting certain financial transactions with proliferators of weapons of mass destruction. The charges allege that Lee spun a web of front companies to carry out prohibited transactions essentially in disguise.
Or consider the charges against Parviz Khaki. The indictment against Khaki alleges that he worked to obtain, and illegally export to Iran, U.S.-origin materials that can be used to construct gas centrifuges to enrich uranium. Khaki was arrested in the Philippines, and we are awaiting his extradition.
As part of our all-tools approach, we will keep bringing charges like these to uphold laws cutting off transactions that threaten our national security.
FCPA
Before I turn from export control to economic espionage, I should note another important consideration in cross-border transactions that our DOJ colleagues outside NSD handle: criminal enforcement of the Foreign Corrupt Practices Act. Much as export control and economic espionage can, in many instances, be a form of white-collar crime, so, too, are FCPA violations white-collar offenses.
The FCPA makes it illegal for U.S. companies and individuals, as well as foreign companies and individuals in certain instances, to offer, promise, or pay bribes, directly or indirectly, to foreign officials to obtain a business benefit. And it can apply to practices that some foreign companies might regard as business as usual—at their peril.
So, I urge you, as part of assessing any deal, to ensure that you consider how a transaction might trigger applicability of the FCPA, and in turn how you can help ensure compliance with it. Like the export control regime, the FCPA regime is, in some ways, distinctively American. In turn, any client doing business here must receive legal guidance to ensure compliance—or face serious consequences.
Economic Espionage
Like export control violations, economic espionage poses a significant threat to national security.
When certain foreign entities eager for sensitive and valuable information can’t buy it through exports or acquire it through a transaction, they may take another approach: they try to steal it.
Corporate theft may occur through insiders employed by a company involved in a transaction. Or it may occur remotely, through cyber intrusions that exploit a vulnerability present in one of the companies’ networks.
As one example of the insider threat, in March, we successfully obtained a significant conviction for economic espionage involving a former DuPont employee named Robert Maegerle [MUH—GURL].
Walter Liew, an electrical engineer, obtained one of DuPont’s secrets from Maegerle. The two of them stole information about a process, honed over many decades, for making a multi-purpose white pigment. Liew passed this stolen trade secret to a large Chinese state-owned company.
What Maegerle and Liew stole was something Americans see and use daily. Something that, on its own, does not have a national security implication.
Maegerle and Liew stole the formula for the color white. They committed economic espionage, pure and simple. They stole a trade secret worth billions to DuPont and received more than $20 million in compensation, an incredible return on investment for the Chinese state-owned company.
We brought Maegerle and Liew to justice in the U.S. criminal justice system. They await sentencing later this month.
Enforcement of economic espionage laws is another important means to ensure that foreign actors don’t steal the valuable intellectual property created by Americans.
And, as companies move to digital storage, economic espionage increasingly occurs not just through insider threats but also through cyber activity.
In cross-border transactions, the cyber security practices of the acquiring company are critical to the overall evaluation of potential national security vulnerabilities. That’s because, even if an acquiring company itself has no intent to steal critical information or technology, if its cyber security practices will leave us vulnerable to others who do, we must act to protect national security.
I cannot emphasize enough the importance of cyber security as a consideration in foreign investment transactions. The cyber threat, especially from nation states, is staggering.
You could envision how nation states might seek to acquire telecommunications and other cyber-related infrastructure or services to provide them with access to U.S. communications or information.
That’s why a critical component of our mitigation efforts through CFIUS, for example, is to require—when necessary—certain cyber security policies and procedures aimed at ensuring that a foreign acquirer imposes adequate practices.
But we also know that, more broadly, state-sponsored actors may exploit vulnerabilities in cyber security.
Envision a transaction involving a company that sets up computer infrastructure for other companies, where the acquiring company is based in a friendly nation.
However, if that acquiring company has less-than-stellar cyber security, then by allowing that deal to close without mitigating that vulnerability, we are less safe. Our companies, and our information, could be left open for the taking. It’s not because the acquirer is a bad actor. It’s just because the acquirer doesn’t have security sufficient to handle its new and potentially sensitive role within the United States.
And we know there are those who will take advantage of deficient security practices.
The threat of economic espionage is serious, and the threat of cyber economic espionage is mounting. Some estimate that, every year, the U.S. loses more than $300 billion from theft of our intellectual property.
That figure is about equivalent to the current annual level of U.S. exports to Asia.
Losses of that magnitude cost the American economy untold numbers of jobs.
They reduce the profit that American firms make from research and development, which in turn reduces the incentives and resources for innovation.
And the activity undermines the trust between countries and companies that is necessary to do business in a globalized economy.
This is a serious problem, and one that we are committed to fighting.
Just last month, the Department of Justice announced charges against five members of the Chinese military for computer hacking, economic espionage, and other offenses directed at six American victims in the U.S. nuclear power, metals, and solar products industries. We’re going to keep using all tools in our toolkit to tackle this threat to our national security. Because the threat is serious, and it’s mounting.
What This Means to You
So what does all of this mean to you? How can you have an impact on the vulnerabilities potentially introduced in cross-border transactions?
In facilitating those transactions, it’s in your interest not to acquire or create potential national security problems. This means assessing closely any relevant compliance regimes, as well as the protections in place—or needed—to address the threat of economic espionage.
We need to remember that, while profits are the lifeblood of our corporations, cutting corners here, while possibly leading to short-term gains, can be catastrophic. Doing so can provide a dangerous capability to an aggressor and also lead to legal action that results in significant financial penalties and even prison time.
Cross-border transactions, in particular, require care to avoid introducing potentially catastrophic vulnerabilities. Countries have differing types of security regimes. For example, export control regimes vary widely in their rigor.
Even if a company is accustomed to meeting the standards of its home country, it may not fully comply with the requirements of the American export control regime. These are important issues to think through when engaging in cross-border deals. You can help keep companies from stumbling into major problems down the road.
Similarly, foreign companies may approach the insider threat very differently from how American companies tackle it. So, when you’re considering the risks associated with a transaction, consider vulnerabilities to insider threats that the foreign company might introduce. The time of mergers is a time of great uncertainty for employees. And, especially when companies must shed jobs as part of the merger process, disgruntled employees may be particularly keen to cash in on insider information to which they have access. That’s precisely the time when defenses against insider threats must be strongest, not weakened by the introduction of lower standards.
Additionally, be aware that the host country laws under which a foreign company operates can make it difficult to address key threats, such as the threat of cyber espionage. Information-sharing practices, lawful cyber defenses, and other important aspects of cyber security operate according to different legal regimes in different countries. If foreign laws suddenly apply because of a transaction and impede taking appropriate steps to erect cyber defenses, that transaction has just introduced a serious, and potentially damaging, vulnerability.
Cyber
As you’ve heard, export control violations and economic espionage are increasingly bound up with cyber threats and cyber security. But these are far from the only threats—to companies and to national security—that, today, emerge from cyberspace. We’re also concerned about attacks—attacks against the financial interests of companies, and attacks that could endanger the lives and safety of our citizens. And the same vulnerabilities that have already been exploited to steal from us may leave us susceptible to such attacks.
Already, there have been devastating attacks against private companies. You’ve all probably heard about the serious cyber attacks launched against the U.S. financial sector. This same type of activity is happening abroad, too. For example, in 2012, Saudi Arabia’s state oil company, Aramco, suffered an attack that destroyed 30,000 of its computers—nearly 75% of its workstations, a devastating loss for any company.
And vulnerabilities can lead to far more than just infrastructure or financial damage. Two years ago, for example, al Qaeda released a six-minute video instructing its followers that America’s present vulnerability to cyber attacks is comparable to the vulnerability of its airline security before September 11. The video called on individuals “with expertise in this domain to target the websites and information systems of big companies and government agencies.”
Cyber vulnerabilities—wherever they come from—could be a matter of life and death.
You can help ensure that new cyber vulnerabilities never find their way into American businesses in the first instance.
You can help ensure that those intent on breaking in do not receive new avenues to accomplish their theft. And you can help ensure that innocent companies don’t inadvertently facilitate activity that threatens our national security.
Those who could exploit cyber vulnerabilities are by no means limited to nation states. The potential threats include organized criminal syndicates, lone hackers, and even terrorists intent on attacking the United States.
Companies cannot depend solely on their antivirus software to defend against attackers linked to deep state military budgets. It’s not a fair fight. We must work together.
That is why we at NSD and others throughout the U.S. Government have made cooperation with the private sector a key component of our cyber security strategy.
On a daily basis, the FBI works with companies that have been the victims of hacks, many of which may not even know they’ve been victimized or how to protect themselves.
In driving this work forward, the FBI has long relied on its InfraGard program, which brings together individuals in law enforcement, government, the private sector, and academia to talk about how to protect our critical infrastructure. InfraGard has more than 25,000 active members.
And the Justice Department recently teamed up with the Federal Trade Commission to issue a policy statement making it clear that antitrust law is not and should not be a bar to legitimate cyber security information sharing. Furthermore, we issued a white paper, which clarifies that the Stored Communications Act doesn’t ordinarily restrict network operators from sharing certain data with the Government to help promote cyber security. Additionally, we’re working with the Securities and Exchange Commission to discuss companies’ concerns regarding disclosures of cyber breaches to investors and to formulate a workable solution.
At NSD, we established the National Security Cyber Specialists’ Network, which includes representatives from every U.S. Attorney’s Office around the country. These prosecutors work closely with experts from our Division and the Criminal Division’s Computer Crime and Intellectual Property Section.
They are specially trained, and focused on combating cyber threats to the national security, including those posed by nation states. They also meet regularly with companies and their legal counsel to prevent attacks. NSD attorneys have met with companies from coast to coast.
And beyond DOJ, there are many efforts underway across the Government more broadly to work with private corporations on strengthening public-private cyber cooperation. The Department of Homeland Security, Department of Energy, and other departments and agencies work closely with companies to protect critical infrastructure.
In short, as you work with clients and examine the potential implications of cross-border transactions, keep cyber security firmly in mind. Cyber security is becoming an increasing part of how companies are valued for mergers and acquisitions, among other things. And it’s also important, when assessing cyber risk, to evaluate whether the laws of another country might prevent your company from taking the steps necessary to keep your systems safe.
All of this means that we in Government can help not just to keep your clients safe but also to make your clients worth more. We are, in short, eager to work with you to prepare for and address these escalating national security threats.
Conclusion
We recognize that the legal regimes that can affect cross-border transactions—including CFIUS, export controls, and economic espionage—are significant and complex. But they are there to protect against the many threats we face.
NSD will continue to approach this interconnected cluster of issues with a broad and varied toolkit. We work with private companies to prevent economic espionage, including through cyber penetrations and exfiltrations. We prosecute those who violate our nation’s export control laws. And we coordinate with our colleagues throughout the Federal Government, led by the Treasury Department, through the interagency review known as CFIUS.
We hope you will take a similarly broad approach. With the careful calibration of these tools and with an eye toward mitigating vulnerabilities and defending against threats, we protect the nation’s security while promoting foreign investment, economic growth, and job creation.
Thank you for letting me join you here this morning, and for your interest in these issues.