Chinese cybersecurity investment in the U.S.: Is now the best time?

The rise of cyber-attacks targeting U.S. companies has led to tightened regulations by the government and increased investment in data privacy. In fact, worldwide spending on cybersecurity technology achieved a record $77 billion in 2015, 80% by U.S. companies. The Defend Trade Secrets Act (DTSA) of 2015, which is currently pending before the U.S. Congress, if enacted, may further boost cybersecurity spending by requiring rights owners to take “reasonable measures to keep such information secret” in order to enjoy the federal protection of trade secrets. Chinese investors, however, have additional timing and regulatory factors to consider before rushing into the seemingly lucrative market. These include a potential heightened review by the Committee on Foreign Investment in the United States (CFIUS) – total investments from China topped other countries for the past three years – and the pending bilateral investment treaty (BIT) between the two nations.

Chinese investment in cybersecurity

The Chinese have been actively investing in the U.S., with a total of $6.4 billion spent in just the first half of 2015. Several of these deals involve U.S. cybersecurity firms. For example, Baidu entered into a joint venture deal with CloudFlare. State-owned Tsinghua Holdings plans to buy a 15% stake in American data storage company Western Digital. Foreign investment into U.S. cybersecurity, however, is subject to strengthened laws and guidelines for presumptively falling under the “critical infrastructure” and/or raising “national security concerns.”

The “critical infrastructure” application came through the Organisation for Economic Cooperation and Development (OECD), to which the U.S. is signatory. Notably, the OECD has a non-binding commitment to treat foreign-controlled firms no less favorably than domestic enterprises pursuant to its Guidelines for Multinational Enterprises. In reviewing the role of investment policies for protecting national security, a paper released by the organization in 2008 categorized cybersecurity under “critical infrastructure” and the field was thus expressly excluded from the scope of this commitment. The Department of Homeland Security similarly defined such infrastructure to cover cybersecurity, reaffirming the critical role of data protection technology in safeguarding critical infrastructure industries from foreign espionage.