Chinese cybersecurity investment in the U.S.: Is now the best time?
February 25, 2016 | BY Katherine Jo
Global cybersecurity concerns have led companies to invest heavily in data protection technology. Chinese investors looking to enter this market in the U.S. need to be wary of its trade secrets laws and CFIUS investigations, and to monitor the U.S.-China BIT.
The rise of cyber-attacks targeting U.S. companies has led to tightened regulations by the government and increased investment in data privacy. In fact, worldwide spending on cybersecurity technology achieved a record $77 billion in 2015, 80% by U.S. companies. The Defend Trade Secrets Act (DTSA) of 2015, which is currently pending before the U.S. Congress, if enacted, may further boost cybersecurity spending by requiring rights owners to take “reasonable measures to keep such information secret” in order to enjoy the federal protection of trade secrets. Chinese investors, however, have additional timing and regulatory factors to consider before rushing into the seemingly lucrative market. These include a potential heightened review by the Committee on Foreign Investment in the United States (CFIUS) – total investments from China topped other countries for the past three years – and the pending bilateral investment treaty (BIT) between the two nations.
Chinese investment in cybersecurity
The Chinese have been actively investing in the U.S., with a total of $6.4 billion spent in just the first half of 2015. Several of these deals involve U.S. cybersecurity firms. For example, Baidu entered into a joint venture deal with CloudFlare. State-owned Tsinghua Holdings plans to buy a 15% stake in American data storage company Western Digital. Foreign investment into U.S. cybersecurity, however, is subject to strengthened laws and guidelines because it presumptively falls under “critical infrastructure” and/or raises “national security concerns.”
The “critical infrastructure” application came through the Organisation for Economic Cooperation and Development (OECD), to which the U.S. is a signatory. Notably, the OECD has a non-binding commitment to treat foreign-controlled firms no less favorably than domestic enterprises pursuant to its Guidelines for Multinational Enterprises. In reviewing the role of investment policies for protecting national security, a paper released by the organization in 2008 categorized cybersecurity under “critical infrastructure,” and the field was thus expressly excluded from the scope of this commitment. The Department of Homeland Security similarly defined such infrastructure to cover cybersecurity, reaffirming the critical role of data protection technology in safeguarding critical infrastructure industries from foreign espionage.
An inbound transaction may trigger a CFIUS review if it raises “national security concerns” or has an impact on “critical infrastructure.” For example, U.S. President Barack Obama blocked a Chinese company from building wind turbines near an Oregon Navy military facility in September 2012, the first time a president has blocked a foreign investor over national security concerns in 22 years. A month later, the U.S. Congress released a report alleging that China's two largest telecom equipment manufacturers, Huawei Technologies and ZTE, are a security threat and should be blocked from acquiring American companies. Similar security concerns caused Huawei to abandon a bid to buy 3Com in 2008. In exercising his right to issue a blocking order, President Obama referred to the recommendation and investigation made by CFIUS.
Cyber-attacks and regulations
Cybersecurity is generally defined as whether and how electronic data and systems are protected from attack, loss or other compromises. In the U.S., cyber-attacks have been increasing in frequency, scale, and sophistication. A 2014 McAfee study estimates that the worldwide annual economic cost of cybercrimes is between $375 billion and $575 billion. The costs of defending against cybercrimes, involving intrusion detection, data recovery and remediation, have also increased steeply. For example, a Ponemon Institute survey of 59 U.S. firms in 2014 found that the average annual expenditures for responding to cyber-attacks amounted to $12.7 million, up 96% over the previous five years.