John Carlin has spent most of his career in public service, focusing in recent years on national security and cyber investigations. He’s now on the other side of the table as a partner at Morrison & Foerster in Washington, where he leads the firm’s global risk and crisis management team.
Carlin couldn’t be better positioned, leading the group at a time of rising tensions between the United States and its trading and investment partners over national security and economic interests. He joined the firm from the U.S. Department of Justice in January. At Main Justice, he was the assistant attorney general in charge of the National Security Division.
One big part of the law that’s on Carlin’s plate now: advising companies that are tangled up in reviews by the once-obscure Committee on Foreign Investment in the United States, or CFIUS. At the DOJ, Carlin was the Justice Department’s representative on CFIUS, the interagency panel that reviews mergers and acquisitions involving foreign companies for national security threats. Before working in the division, Carlin was chief of staff and senior counsel to Robert Mueller III, the former FBI director who’s now leading the investigation into Russia’s interference with the 2016 presidential election.
Carlin recently spoke with the National Law Journal about bipartisan legislation introduced in November in the U.S. Senate and House of Representatives by U.S. Sen. John Cornyn, R-Texas, and U.S. Rep. Robert Pittenger, R-North Carolina, respectively, to overhaul the CFIUS review process. CFIUS reviews, which are voluntary, are meant to protect the nation from business transactions that pose a national security or strategic risk to the United States. The panel has the authority to require the transaction’s parties to undertake risk mitigation, such as carving out a specific location or element of the deal.
The panel can also recommend that the president block a deal entirely. President Donald Trump, for example, in September blocked the sale of Oregon-based Lattice Semiconductor Corp. to a Chinese company. A deal by Anthony Scaramucci, briefly a White House communications director, to sell his stake in SkyBridge Capital to Chinese company HNA Group Co., which is partly government-owned, appears to be in jeopardy after not yet clearing its nearly yearlong CFIUS review, according to reports in financial media including Bloomberg News in mid-December.Treasury Secretary Steven Mnuchin, who chairs the panel, has urged toughening CFIUS reviews.
The CFIUS review process also appears to be affecting efforts by China Oceanwide Holdings Group Co. Ltd. to acquire Genworth Financial Inc.
Underscoring rising concerns, on Dec. 18, Trump announced his national security plan that labelled China, a major trade partner and investor in the United States, as a strategic “competitor” and calls both Russia and China “rival powers” seeking to “challenge American influence, values and wealth. (China responded by calling on Washington to “abandon a Cold War mentality.”)
While leading the DOJ’s National Security Division, Carlin oversaw the indictment in 2014 of five Chinese military members for economic espionage for hacks against several big U.S. companies, among them United States Steel, Westinghouse, Alcoa Inc. and SolarWorld from 2006 through 2014. The division also investigated the cyberattack on Sony Pictures Entertainment in late 2014 that the U.S. government determined originated in North Korea; and brought charges with the FBI against seven Iranians working for computer companies under contract to the Iranian government and military that conducted cyberattacks between 2011 and 2013 against 46 financial institutions including Wells Fargo and JPMorgan Chase & Co.
Now, much of his work involves advising clients about the growing risks of cyber intrusions by rogue states and organized crime rings, and the steps they can take to reduce the risks. He spends much of the rest of his time dealing with clients “because they have been breached and how to handle the fact that they have had an intrusion.”
Law firms share the same risks as the companies they represent, Carlin points out. “We have seen both nation-states and criminal groups target law firms for schemes from insider trading for information to use they could make money on the market to using it for general strategic (use) to litigation strategy,” he said.
The following conversation was edited for clarity and length.
National Law Journal: What would the proposed legislation Foreign Investment Risk Review Modernization Act change?
John Carlin: In recent years there have been growing concerns about the potential threats to our national security posed by foreign investment in the technology sector. Starting in the last administration and continuing now, we’ve seen CFIUS become much more active in its reviews, going well beyond military “supply chain” considerations that were once its bread and butter. CFIUS is focusing more and more on data privacy and economic espionage, as well as on intellectual property in the technology sphere that could have military applications. The biggest worry has been Chinese investment in technology and other emerging sectors.
Deals involving Chinese acquirers are getting a much harder look. But the government has concerns that [there are] important gaps in existing authorities. Let’s say you are trying to block the transfer of a certain type of technology. If the foreign acquirer tries to control the company that makes it, it gets reviewed and potentially blocked or mitigated. But if the same foreign company instead tries to acquire the same technological know-how through the transfer of intellectual property rights, a joint venture or getting involved on the ground floor with a startup, it can fall entirely outside the review process.
The legislation, which would represent the first overhaul of CFIUS in a decade, attempts to fill some of those gaps by broadening what qualifies as a transfer of control. It would also broaden CFIUS’ enforcement capabilities, add teeth to the process and provide fee and funding mechanism to increase the staff.
A major provision of the Cornyn bill is requiring more types of transactions to undergo expanded reviews. What are the additional types that might require review that don’t now?
For starters, the bill would give CFIUS additional authority to review investments in “critical technologies” and “critical infrastructure” that might not qualify as acquisition of control under the current rules. For example, CFIUS would have new authority to review circumstances in which a foreign company receives rights to intellectual property of a U.S. “critical technology company” through an arrangement such as a joint venture. It would also strengthen enforcement by requiring CFIUS to review transactions in certain cases where the foreign investor is owned by a foreign government.