
The Year in Review

International Legal Developments Year in Review: 2021

National Security Law - International Legal Developments Year in Review: 2021

Orga Cadet, Geoffrey M Goodale, Laurence Hull, Renee Latour, Barbara D Linney, Jonathan Michael Meyer, Guy C Quinlan, Minji "MJ" Shin, Christopher Vallandingham, and Bonnie H. Weinstein


  • This article highlights significant legal developments relevant to national security law that took place in 2021.
  • It notes diligence and disclosure obligations for victims of ransomware attacks.
  • In 2021, the U.S. government took several actions to help secure the supply chain relating to information and communications technology and services (ICTS).

This article highlights significant legal developments relevant to national security law that took place in 2021.

I. Diligence and Disclosure Obligations for Victims of Ransomware Attacks

Ransomware attacks—cyberattacks demanding that the victim pay a ransom for decryption keys and to avoid the publication of exfiltrated information—have been described as a “scourge” on U.S. companies. These attacks affect a wide range of industries, including but not limited to healthcare, manufacturing, finance, and insurance. In 2020, the largest ransom demand was over $65 million, and the largest ransom paid was in excess of $15 million—each more than three times greater than their respective values in 2019.

Companies considering paying such ransomware demands risk violating U.S. economic sanctions. In October 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an advisory directing companies that facilitate ransomware payments on behalf of victims—e.g., banks, cyber insurance providers, and digital forensics companies—to “account for the risk that a ransomware payment may involve a SDN [specially designated national] or blocked person, or a comprehensively embargoed jurisdiction.” As noted in the advisory, many ransomware actors have been added to OFAC’s List of Specially Designated Nationals and Blocked Persons. The digital currency wallet utilized by the threat actors may also be designated. In addition, ransomware actors may be located in sanctioned countries.

On September 21, 2021, OFAC released updated advice for companies who suffer ransomware attacks (the Updated Advisory). In the Updated Advisory, OFAC stated, “ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Such payments not only encourage and enrich malicious actors, but also perpetuate and incentivize additional attacks.” As a result, OFAC stated that “[t]he U.S. Government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.”

OFAC also stated in the Updated Advisory that “license applications involving ransomware payments demanded as a result of malicious cyber-enabled activities will continue to be reviewed by OFAC on a case-by-case basis with a presumption of denial.” OFAC strongly encouraged all victims, and those involved with addressing ransomware attacks, to report incidents to the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), or the U.S. Secret Service (USSS). If there is any reason to suspect a potential sanctions nexus regarding a ransomware payment, OFAC directs victims to also report ransomware attacks and payments to OFAC and the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (CCIP). Doing so could constitute a significant mitigating factor in OFAC’s determination of any penalty or other enforcement response.

OFAC continues to sanction ransomware operators and entities that facilitate ransomware payments. For instance, on November 8, 2021, OFAC sanctioned two ransomware operators and a virtual currency exchange that allegedly facilitated ransomware payments. This action indicated OFAC’s continuing commitment to applying U.S. economic sanctions laws towards not only ransomware attackers, but also facilitators of ransomware payments to those attackers. Ransomware victims and their supporters should, therefore, strongly consider both the enforcement risk of violating U.S. sanctions laws if paying the perpetrators of cyberattacks and the risk of designation.

In addition to disclosing ransomware attacks to CISA, the FBI, or the USSS, and potentially also to OFAC and the CCIP, victims of ransomware attacks should always consider disclosing the attack to other U.S. government agencies tasked with roles related to export controls or the protection of other sensitive data. For instance, such victims should consider whether to disclose the ransomware incident to the U.S. Departments of Defense, State, and Commerce. The U.S. Department of Defense generally requires U.S. government contractors to disclose within seventy-two hours cyber incidents involving the potential release of unclassified controlled technical information or other information. The U.S. Department of State requires reporting of certain violations under the International Traffic in Arms Regulations (ITAR). Victims should also consider whether reporting other unauthorized exports of technical data listed on the U.S. Munitions List under the voluntary disclosure provisions of the ITAR would be advisable. The U.S. Department of Commerce (DOC) similarly encourages reporting of violations of the Export Administration Regulations (which include similar definitions of “release” and “export”), including any unauthorized release of data controlled under the Commerce Control List. Whether to voluntarily disclose ransomware attacks to U.S. government agencies is a decision best made on a case-by-case basis, but given the level of communication and collaboration amongst the various U.S. government agencies with jurisdiction over such matters, entities who are victims of ransomware attacks should consider the value of transparency when weighing the costs and benefits of disclosure.

II. Efforts to Secure the Information and Communications Technology and Services (ICTS) Supply Chain

In 2021, the U.S. government took several actions to help secure the supply chain relating to information and communications technology and services (ICTS). As discussed below, these actions will have profound implications for U.S. and non-U.S. entities that operate throughout the ICTS supply chain.

On January 19, 2021, the DOC published an interim final rule designed to help secure the ICTS supply chain (Interim Rule). Issued pursuant to Executive Order 13,873 of May 15, 2019, (EO 13,873), and noting that the ICTS supply chain “must be secure to protect our national security, including the economic strength that is an essential element of our national security,” the Interim Rule established regulations to provide the DOC with authority to review certain U.S. transactions involving the ICTS supply chain that have a nexus with foreign adversaries that were initiated, pending, or completed on or after January 19, 2021.

Pursuant to the Interim Rule, which went into effect on March 22, 2021, the DOC may prohibit or restrict transactions conducted by any person, or involving any property, subject to U.S. jurisdiction, if they: (1) involve certain categories of ICTS; (2) are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a “foreign adversary”; and (3) pose an “undue or unacceptable risk” to the national security of the U.S. Importantly, the DOC can impose significant civil and criminal penalties for violations of DOC determinations or mitigation measures (e.g., civil penalties not to exceed the greater of $250,000, subject to inflationary adjustment, or an amount that is twice the amount of the transaction that is the basis of the violation; criminal penalties of not more than $1,000,000, and/or imprisonment for no more than 20 years).

Under the Interim Rule, “ICTS” is defined as any “hardware, software, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.” “ICTS Transaction” is defined as any “acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.”

The six categories of ICTS that are reviewable by the DOC under the Interim Rule are:

(1) Critical Infrastructure: ICTS that will be used by a party to a transaction in a sector designated as “critical infrastructure” by Presidential Policy Directive 21–Critical Infrastructure Security and Resilience, including any subsectors or subsequently designated sectors;

(2) Networking: ICTS that is integral to wireless local area networks, mobile networks, satellite payloads, satellite operations and control, cable access points, wireline access points, core networking systems, or long- and short-haul systems;

(3) Sensitive Personal Data: ICTS that is integral to data hosting or storage or computing services that uses, processes, or retains “sensitive personal data” of greater than one million U.S. persons at any point over the twelve months preceding an ICTS Transaction;

(4) Surveillance/Monitoring/Home Networking/Drones: Surveillance or monitoring devices, home networking devices, and drones or any other unmanned aerial system, where one million units of the ICTS item at issue have been sold in the twelve months prior to the ICTS Transaction;

(5) Communications Software: Software designed primarily for connecting with and communicating via the Internet that is in use by greater than one million U.S. persons at any point over the twelve months preceding an ICTS Transaction, including desktop, mobile, web-based, and gaming applications; and

(6) Emerging Technology: ICTS that is integral to artificial intelligence and machine learning, quantum key distribution, quantum computing, drones, autonomous systems, or advanced robotics.

As can be discerned from the above description of the six categories, the scope of the Interim Rule is quite broad.

Significantly, only ICTS that is designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a “foreign adversary” is subject to review by the DOC. Under the Interim Rule, “foreign adversary” means “any foreign government or foreign non-government person determined by the Secretary to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons.” As stated in the Interim Rule, “foreign adversaries” specifically include China (including Hong Kong), Cuba, Iran, North Korea, Russia, and Venezuela’s Maduro regime.

In accordance with the Interim Rule, the Secretary of Commerce, in consultation with the heads of other relevant U.S. government agencies, may review any covered ICTS transaction to determine if it involves both (1) ICTS designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a “foreign adversary” and (2) any “undue or unacceptable risk” to U.S. national security as set out in EO 13,873, and ultimately to conclude whether the ICTS Transaction should be permitted, permitted with negotiated mitigation measures, or prohibited.

On March 29, 2021, the DOC requested comments on a possible licensing regime that could be used relating to ICTS transactions. Subsequently, on November 26, 2021, the DOC issued a notice of proposed rulemaking that included proposals to amend the ICTS Supply Chain Regulations to include “connected software applications” as covered items and to propose potential indicators of risk for the DOC to consider when assessing whether an ICTS Transaction involving connected software applications poses an undue or unacceptable risk. It is expected that the DOC will issue final rules relating to the above matters in 2022.

III. CFIUS’s Evolving Concept of National Security in 2021

Over the past five decades, the evolution of the concept of “national security” has significantly transformed the U.S. government’s foreign investment regime. While reviews of direct or indirect foreign investment into the U.S. remain the domain of the Committee on Foreign Investment in the U.S. (CFIUS or the Committee), the Committee’s role in such reviews has continuously evolved, expanded, and shifted to reflect changes in U.S. national security priorities. In particular, CFIUS’s actions in 2021 reflect national security concerns with novel critical technology areas and possible repositories of sensitive personal data.

The Committee’s basic structure was established in 1975 by Executive Order 11,858 and evolved through a series of amendments and the enactment of the Foreign Investment and National Security Act of 2007 (FINSA), which significantly expanded CFIUS’s authority and presence. Post-FINSA, the focus of national security discourse in the U.S. gradually shifted to China, and the question of “technology transfer.” These trends culminated with the passage of the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), which further expanded CFIUS’s authority and significantly changed the regulatory process. In 2020, CFIUS introduced the concept of the “TID US Business” – US businesses that (1) produce, design, test, manufacture, fabricate, or develop one or more critical [t]echnologies; (2) own, operate, manufacture, supply, or service critical [i]nfrastructure; or (3) maintain or collect, directly or indirectly, Sensitive Personal [d]ata of US citizens. This past year has seen renewed examples of the Committee’s focus on critical technology and sensitive personal data as national security risks.

For critical technology, the regulatory definition grants CFIUS a degree of flexibility to adapt and expand its inquiries with respect to technological developments, covering both existing export controls and yet-to-be-designated emerging and foundational technologies. CFIUS’s recent actions with respect to robotics technology show this expansion in the scope of interest. In June 2021, Hyundai Motor Group (Hyundai), a South Korean conglomerate, acquired an eighty percent stake in Boston Dynamics, an American robotics company, with the deal conditional on Hyundai receiving CFIUS clearance. Boston Dynamics gained widespread public attention through viral videos of its robotic dog and backflipping robot among other products. Robotics is an example of an ‘emerging technology’ of interest to CFIUS, even where the particular item or technology has not been formally designated as an “emerging technology.” The inclusion of CFIUS clearance as a closing condition to the Hyundai/Boston Dynamics transaction indicated the parties’ awareness of CFIUS interest in the robotics sector.

Following FIRRMA’s codification of sensitive personal data as part of a broader notion of national security, CFIUS has continued its active review of transactions in which personal data is involved. Sensitive personal data is defined to include genetic data about any number of persons, and personally identifiable data about finances, health, geolocation, biometrics, security clearance, government ID, and certain non-public electronic communications. Beyond high profile examples like the Kunlun-Grindr case, this past year showed the Committee’s interest in the national security risks of sensitive personal data through transactions involving start-up companies. Through publicly available investor materials, it was revealed that in January 2021, CFIUS made inquiries with Italian-American transportation company HelBiz regarding its relationship with Chinese bike sharing company GonBike. HelBiz stated that its relationship with GonBike was purely contractual and only extended to the purchase of ebikes – GonBike did not invest in HelBiz. Given HelBiz’s business model which focused on “last-mile” solutions and offered geofencing, CFIUS may have determined that HelBiz’s use of sensitive transportation-related data, such as geolocation, posed a national security risk. CFIUS did not progress beyond these inquiries, but the case shows an active CFIUS when it comes to potential national security risks around sensitive personal data.

This attention to sensitive personal data is also in line with the Biden Administration’s national security agenda. In June 2021, the White House announced Executive Order 14,034, Protecting Americans’ Sensitive Data from Foreign Adversaries (the Order). The Order outlined criteria for identifying applications that could pose a risk to national security and directed federal agencies to make recommendations on how to protect personal data. While the Order revoked and replaced former executive orders that sought to ban transactions involving TikTok and WeChat, it emphasized the continued focus on personal data as a national security threat.

The evolving and expanding concept of national security is clearly reflected in the role played by CFIUS, as the monitor of foreign investment into the U.S. The Committee’s actions in 2021 in the areas of critical technology and sensitive personal data clearly demonstrate this expanded concept of national security and therefore the range of U.S. businesses that can be implicated. Given the Committee’s history, CFIUS’s role and power will likely only continue to grow as national security concerns continue to evolve.

IV. Nuclear Arms Control

On February 3, 2021, the U.S. and Russia agreed to a five-year extension of the New START agreement, which limited the deployment of strategic nuclear weapons, as it was about to expire, and the two countries later announced their initiation of a series of discussions on strategic stability. On November 16, 2021, U.S. National Security Advisor Jake Sullivan announced that President Biden and President Xi Jinping, during their virtual summit, had agreed to “look to begin to carry forward discussions” between the U.S. and China on strategic stability.

The nuclear weapon states continued to modernize their arsenals in 2021. Russia continued to test new types of nuclear weapons, and the Russian defense ministry announced plans for increased nuclear weapons budgets over the next three years. The U.S. continued technical upgrades of its existing nuclear missiles to enhance their “hard-target kill capacity,” and the national defense authorization for the coming year includes plans for a new generation of silo-based missiles as well as a new stealth air-launched cruise missile. China prepared what appears to be new missile silos and tested hypersonic delivery vehicles, one of which was designed for earth orbit. The government of India announced that the Chinese orbital vehicle “will not go unanswered” and tested a new missile with a range sufficient to strike most places in China. The United Kingdom announced plans to increase the ceiling on the number of warheads in its arsenal. North Korea intensified its missile testing program and vowed to expand its “growing reliable deterrent.”

The Biden administration is conducting a reexamination of the Nuclear Posture Review, a general formulation of national nuclear strategy, with results currently expected in early 2022. Arms control advocates are pressing for a declaration that the U.S. will never be the first to use nuclear weapons, but these efforts are reportedly opposed by the U.S. military and by allies currently under the U.S. “nuclear umbrella.”

The Review Conference of the Parties to the Treaty on the Non-Proliferation of Nuclear Weapons, postponed in 2020 because of the pandemic, is currently scheduled to convene in January 2022. Meanwhile, a Treaty on the Prohibition of Nuclear Weapons (TPNW), prepared by non-nuclear states frustrated over lack of progress on disarmament under the NPT, entered into force in 2021 with its fiftieth ratification, but is opposed by all states currently possessing nuclear weapons.

In 2021, efforts continued to revive the Joint Comprehensive Plan of Action (JCPOA) restricting nuclear activities of Iran, from which the U.S. withdrew during the Trump administration. No agreement has yet been reached to revive the JCPOA.

The National Defense Authorization Act (NDAA) enacted in 2021 mandates that the National Academies of Science, Engineering, and Medicine must complete a study, within eighteen months, on the effects of various nuclear war scenarios on the climate and environment. The NDAA directs the U.S. Secretary of Defense and Director of National Intelligence to furnish the study groups with relevant information.

A United Nations research report on cybersecurity and nuclear weapons risk concluded that “[t]here remains much ambiguity, some intentional, surrounding the types of cyber operations that could elicit nuclear response; this lack of clarity around these ‘red lines’ feeds into the type of misperception, miscalculation, or misunderstanding that can drive escalation.”

V. Targeted Disinformation Campaigns

In 2021, the U.S. government continued to pursue legal avenues to combat disinformation campaigns conducted by foreign actors. Legal methods employed by the U.S. government include the imposition of sanctions on individuals and entities responsible for disinformation campaigns, the seizure of websites, and the indictment of individuals. Though measures to counter disinformation campaigns have received bipartisan support, legislation expanding the ability of the U.S. government to punish individuals and nations that engage in disinformation campaigns has languished in both chambers of Congress since the beginning of the 117th Congress in January 2021.

Disinformation campaigns are coordinated efforts to intentionally mislead the target audience. Congress has distinguished legitimate attempts to influence the U.S. audience “through public diplomacy and strategic communication campaigns” from illegitimate ones, whose aim is “to weaken American alliances and partnerships by creating new divisions between them, or by exacerbating existing ones” and “to foment domestic social and political divisions, and to exacerbate existing ones, within democratic countries, by undermining popular confidence in democracy and its essential institutions.”

In a March 10, 2021 unclassified summary of an Intelligence Community Assessment required by Executive Order 13,848, the Intelligence Community concluded that Russia and Iran attempted to influence the 2020 U.S. presidential elections. Russian attempts included the promotion of false claims of wrongdoing by President Biden’s family members related to Ukraine. The U.S. Treasury Department’s OFAC imposed sanctions on sixteen entities and sixteen individuals who assisted the Russian effort and six Iranian individuals and one Iranian entity who assisted the Iranian effort. The sanctions were based on statutory authorities granted to the president.

In June 2021, the Department of Justice seized thirty-three websites run by the Iranian government, claiming that “components of the government of Iran . . . disguised as news organizations or media outlets, targeted the United States with disinformation campaigns and malign influence operations.” The legal basis for the seizure was violations of the Iranian Transactions and Sanctions Regulations, which ban the unauthorized export of services to Iran. However, this tactic has been criticized by groups and individuals within the U.S. as a U.S. government attempt to suppress views critical of U.S. government policies, arguing that determining what is a legitimate news organization and what is or is not disinformation should be left to individual readers.

Two Iranian nationals were indicted for, among other things, hacking into an election website to obtain confidential voter information. They used this information to disseminate disinformation about the vulnerabilities of voting websites, including a fake video which allegedly showed an individual casting fraudulent ballots. The U.S. Department of Justice acknowledged that the suspects were presumed to be in Iran but believed that, due to the indictment, the suspects “will forever look over their shoulders as we strive to bring them to justice.”

The difficulty of combating these disinformation campaigns is compounded when foreign actors use witting or unwitting U.S. citizens to disseminate the disinformation. The First Amendment limits the ability of the U.S. government to act against U.S. citizens for spreading disinformation since disinformation, in most cases, is not illegal. Therefore, the U.S. government has relied on social media companies to curb the flow of disinformation on their platforms. As revelations about the baneful impact of social media platforms continue to unfold, pressure on social media companies continues to mount.

VI. Update on the Budapest Convention on Cybercrime

November 23, 2021, marks the twentieth anniversary of the first international treaty focused on cybercrime, officially known as the Council of Europe’s Convention on Cybercrime, or more informally referred to as the Budapest Convention on Cybercrime (the Budapest Convention). The treaty remains the most relevant and effective international treaty on internet, cyber (computer) crime, and electronic evidence. Among the topics covered by the treaty are the harmonization of national laws, improved investigative techniques and increased cooperation among signatory nations, violations of network security, computer-related forgery and fraud, offenses in connection with child pornography, and offenses related to the infringement of copyrights. Its main objective, as set forth in its preamble, is to pursue a common criminal policy by the signatory member states aimed at the protection of society against cybercrime, especially by the adoption of relevant legislation by the member states and the fostering of international cooperation.

The Budapest Convention, which opened to signatories in November 2001, went into effect on July 1, 2004. As of April 2022, sixty-six states have ratified the treaty, while a number of additional states have signed but have yet to ratify it. The U.S. Senate ratified the treaty in 2006. Russia, while a member of the Council of Europe, has declined to become a signatory, citing national sovereignty issues. Nonetheless, for the last ten years, Russia has made its own proposals for revisions and expansion of the treaty. Two other significant countries, India and Brazil, also have declined to adopt the treaty.

As the Budapest Convention was formulated in the early 2000s, it covers only cybercrimes recognized at the time. It does not account for the exponential expansion of cyber and malicious activity, cloud computing, and digitalization. To address these and other concerns, on May 28, 2021, the Council of Europe adopted the Second Additional Protocol to the Convention on enhanced co-operation and disclosure of electronic evidence (the Second Additional Protocol). As set forth by the Council at the time of the adoption, “Considering the proliferation of cybercrime and the increasing complexity of obtaining electronic evidence that may be stored in foreign, multiple, shifting or unknown jurisdictions, the powers of law enforcement are limited by territorial boundaries. As a result, only a very small share of cybercrime that is reported to criminal justice authorities is leading to court decisions.”

The Second Additional Protocol provides a legal basis for disclosure of domain name registration information and for direct co-operation with service providers for subscriber information, effective means to obtain subscriber information and traffic data, immediate co-operation in emergencies, mutual assistance tools, as well as personal data protection safeguards. The text is scheduled to be opened for signing by Member State participants in May 2022.

Since its formulation, there have been calls by signatory and non-signatory member states for a more comprehensive version of the Budapest Convention. In July 2021, the Russian government submitted a draft convention to the U.N., recommending it to be used as the basis of a future treaty. The U.S. has indicated consideration of the proposal with modification to account for U.S. norms and policy, which is set to be taken up by the U.N. in 2022.

Orga Cadet served as the committee editor of this article. Barbara Linney and Orga Cadet co-authored “Diligence and Disclosure Obligations for Victims of Ransomware Attacks.” Geoffrey Goodale and Jonathan Meyer co-authored “Efforts to Secure the Information and Communications Technology and Services Supply Chain.” Renee Latour, Laurence R. Hull, and MJ Shin co-authored “CFIUS’s Evolving Concept of National Security in 2021.” Guy C. Quinlan authored “Nuclear Arms Control.” Christopher Vallandingham authored “Targeted Disinformation Campaigns.” Bonnie H. Weinstein authored “Update on the Budapest Convention on Cybercrime.”