In today’s world, companies in various industries are increasingly running into issues that have national security implications. Research universities and other academic institutions can face issues involving national security risks as well. As a result, whereas protecting national security was once a matter reserved for the federal government, today, both private and public companies and institutions can play vital roles, and these entities must implement adequate security controls to mitigate threats and prevent intrusions.

Understanding the National Security Risks in the Business and Academic Settings

Traditionally, protecting national security largely centered around protecting the nation’s borders. If threats could not come in, then they could not cause harm. While border security remains a fundamental concern today (and this is an area in which businesses and universities can play a part), the ongoing technological revolution has forced the U.S. government as well as domestic businesses and universities to confront unprecedented challenges in a world that is constantly evolving.

“Given the risks that are inherent in today’s global environment, businesses and academic institutions need to give due consideration to the very real possibility that their operations could raise national security concerns. If concerns exist, then they must be addressed proactively through the adoption of appropriately-tailored security protocols, policies, and procedures. ” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.

While the threat of physical attacks remains – and always will remain – a concern, today, cyber threats are not just more common, they are a daily occurrence. The U.S. Department of Justice (DOJ) is just one of the multiple federal agencies that are on the front lines of combatting cyber threats originating both in the U.S. and overseas. Through its China Initiative, the DOJ is utilizing, “criminal investigation and prosecution[] to counter economic espionage and other forms of trade secret theft,” which in many cases involve attempts to gain access to sensitive information owned by businesses and universities.

Due to the fact that businesses and universities can indirectly present national security threats as the result of failing to adequately protect the information of national importance, the businesses and universities for which this is a concern need to take adequate measures to prevent outside intrusions. This means not only adopting logical and physical security protocols to protect their research and development data, but screening employees and students, effectively managing imports and exports, cautiously approaching foreign investments, and implementing other necessary policies and procedures as well.

7 Areas of Concern with Regard to National Security for U.S. Businesses and Universities

From Internet service providers to technology companies, and from corporate think tanks to research universities, all types of businesses and institutions in the U.S. need to be cognizant of the potential national security implications of their day-to-day operations. For example, seven particular areas of concern are:

1. Data Privacy and Cybersecurity

Data privacy and cybersecurity are crucial issues for national security, not just for the federal government, but for government contractors and other businesses and institutions that do work in areas that have potential national security implications. The list of businesses and institutions that fall into this category is extremely broad, and includes everything from social media and cloud storage companies to medical research institutes and defense contractors.

If a company’s business operations present threats for either: (i) gaining access to sensitive computer systems or data through the company’s platform or services; or, (ii) a direct national security threat in the event that the company’s proprietary information falls into the wrong hands, then that company absolutely must take extensive measures to ensure that its systems are as secure as possible. The same is true for research universities and other institutions that either work with the government or conduct independent research in areas of interest or concern to U.S. national security.

Of course, in today’s world, cybersecurity is a moving target, and this presents challenges even for the most well-heeled corporate and academic institutions. In order to avoid (and thwart) threats, businesses and universities need to keep pace with the rate of innovation of foreign economic espionage and counterintelligence interests—and this, clearly, is easier said than done.

2. Importing and Exporting Software, Data, and Physical Goods

Importing and exporting are activities that can present national security risks as well. On the import side, businesses and universities need to be sure that they know the source of products and other assets acquired from overseas, and they must be able to effectively assess any national security risks, such as spyware and malware, associated with imported goods. On the export side, businesses and universities need to have adequate controls in place to ensure that their innovations end up in the right hands, and are not at risk of being re-exported to entities in foreign countries with interests that are adverse to those of the United States.

Minimally, businesses and universities must comply with the International Traffic in Arms Regulations and Export Administration Regulations (to the extent that they are applicable), but their obligations may also extend far beyond these aspects of regulatory compliance. In the end, businesses and academic institutions must take adequate steps to ensure that the fruits of their research and development efforts are not used against the United States, and they must ensure that adequate controls are in place before they send assets overseas.

3. Employee and Student Screening

Many of the DOJ’s recent cases involving threats to national security have arisen out of cases in which foreign nationals have infiltrated companies and universities as employees or students. Once securing employment or admission, these foreign nationals then infiltrate companies’ or universities’ secure systems acting as agents of their countries of citizenship. Under the DOJ’s China Initiative, for example, the agency has prosecuted cases in which foreign nationals have been caught attempting to transmit data with national security implications to their home countries, and in which foreign nationals have been caught attempting to smuggle assets outside of the United States via air or sea.

With this national security concern in mind, businesses and institutions must ensure that their employee and student screening protocols are adequate to prevent these types of intrusions. While these types of intrusions can be difficult to detect and prevent, this is not an excuse for compromising national security. If a company or institution owns or has access to data or other information with national security implications, then it must take the necessary steps to ensure that the people who work on its premises are not acting on behalf of foreign interests.

4. Foreign Investments

Foreign investments in U.S. businesses and institutions can raise national security concerns, and the Committee on Foreign Investment in the United States (CFIUS) pays particularly close attention to foreign investments originating from countries that are known to have interests counter to those of the United States. Prior to accepting foreign investments, businesses and institutions must address any and all potential national security concerns, and they must ensure full compliance with the Exon-Florio Amendment to the Defense Production Act and the Foreign Investment and National Security Act of 2007 (FINSA), among other pertinent federal statutes.

5. Bribery, Corruption, and Malign Foreign Influence

Domestic businesses and academic institutions face bribery and corruption concerns on two fronts: (i) they must ensure that their personnel do not engage in attempts to bribe foreign officials which could put them in a compromised position; and, (ii) they must ensure that their personnel do not accept bribes from foreign entities with adverse interests. While anti-corruption training is an important mitigating step, it is far from sufficient on its own. Companies and universities must have controls in place to monitor for signs of corrupt transactions and other dangerous activities, and they must be able to ensure that their employees’ actions do not provide inroads for threats of economic espionage, trade secret theft, or malign foreign influence.

6. Cryptocurrency

The DOJ, the U.S. Department of the Treasury, and the White House have all labeled cryptocurrency as a potential national security concern. This is due to a combination of factors—namely, the risk of cryptocurrency being used for illicit purposes and the government’s limited ability to track cryptocurrency transactions.

As more cryptocurrencies are introduced, it will become increasingly difficult for U.S. and global authorities to monitor cross-border transactions, and this means that they will likely need to target their enforcement efforts based on the information received from banks and companies that report their cryptocurrency transactions to the Internal Revenue Service (IRS) and other taxing authorities. From a compliance and risk management perspective, companies that utilize cryptocurrency will need to be prepared to affirmatively demonstrate that their cryptocurrency transactions do not involve national security implications.

7. Defense and Government Contracting

Finally, defense contractors and other government contractors face particular burdens when it comes to ensuring that their operations do not present threats to national security. In addition to the issues discussed above (among others), defense and other government contractors must address the very real risk that foreign entities will seek to infiltrate their operations in order to engage directly with the U.S. government. For contractors that work with foreign governments, avoiding national security risks also involves establishing clear and uncompromised delineation between the U.S. and foreign interests.