Shut Out: Data Security and Cybersecurity Converge in Next Wave of US Tech Controls, Rhodium Group, March 5, 2024.
New US tech controls will force a mindset shift for a wide range of industries on how their products could be deemed national security risks.
Where data security and cybersecurity meet. With an executive order on data security and accompanying Department of Justice rulemaking, the US is crafting a more coherent regulatory framework to restrict cross-border flows of data on US persons. The relatively narrow scope allows the US to argue that it remains committed to a free and open internet, but national security concerns do not stop at human personal and military-related data. The US is also conditioning the facilitation of cross-border data flows on secure and trustworthy ICT systems at home and abroad.
Commerce’s Information and Communications Technology and Services (ICTS) program is alive. The US has a diverse toolkit to regulate ICT infrastructure, as evidenced by a groundbreaking Commerce ICTS investigation into an entire class of technology—connected vehicles. The Commerce probe threatens to further splinter EV supply chains between “in China, for China” and “China-free” US markets. The probe also sets an important precedent for other connected systems to come under scrutiny, including agtech and biomanufacturing, autonomous and automated systems, large language AI models, and cloud-based computing.
Beware the long arm. There is strong potential for extraterritorial US ICT measures given the inherent interconnectivity of ICT systems across borders and how the US is framing a theory of harm around the risk of Chinese OEMs and suppliers being co-opted by the Chinese government to enable malicious cyber activity. Cracking down on sensitive bulk data transfers via third parties may also lead the US to cover more of the map, similar to the design of US export controls on semiconductors and advanced computing.
Surgical strikes. New US data security measures appear to address several long-running policy debates without taking the political heat for banning companies outright. For example, restrictions on human genomic data and on bulk personal health data may deter US biotech/pharma firms from using Chinese firms like BGI for genomic sequencing and Wuxi Biologics for contract research. Moreover, restrictions on bulk personal data, including geolocation data and biometric identifiers, may handicap prominent Chinese social media and e-commerce platforms active in the US market, from TikTok to Temu.