
CFIUS and OFAC: Motives Behind the Treasury Breach


Tom McAndrew

Chief Executive Officer, Coalfire

January 27, 2025

As news continues to come out about the recent cyberattack on the U.S. Treasury Department by the Chinese state actors dubbed “Salt Typhoon,” two obscure offices, the Committee on Foreign Investment in the United States (CFIUS) and the Office of Foreign Assets Control (OFAC), have emerged front and center. While these two small offices may be unknown to most, they are in fact key players in our national strategy for keeping the U.S. safe. Looking deeper into how these organizations provide economic security gives Americans, and the investment community, perspective on why they were targeted.

What is CFIUS?

CFIUS is an interagency committee responsible for investigating corporate deals and foreign investments in U.S. businesses to ensure they don’t create risk to national security. This committee reviews transactions that could provide foreign organizations control or influence over sensitive technologies like artificial intelligence, biotechnology, critical infrastructure, or personal data on U.S. citizens. Their analysis documents risk exposure to adversarial nations given undue leverage over American interests. CFIUS was the lead player in the investigation that ultimately resulted in the ban (an ongoing controversy) of TikTok in the United States.

CFIUS isn’t just about China

A common misconception is that CFIUS is just about our adversaries. CFIUS is about foreign investments, which means it applies to friendly nations and partners of the U.S. Reviewing foreign investment isn’t just looking to see if China or Russia is tied to the money; it applies to everyone from Canadian pension plans to British investors or Middle Eastern families. Growing firms need capital, and access to pools of capital, through private equity, venture capital, or high-net-worth individuals, is critical to the American economy. Last year private equity invested nearly $1 trillion across more than 8,000 firms. I have personal experience working with several venture capital and private equity firms, and CFIUS has had an impact on all our investment decisions.

What is OFAC?

OFAC is America’s economic enforcer through the administration of U.S. sanctions programs. Their operations include tracking financial transactions to enforce sanctions and cut off individuals and entities from the U.S. financial system. OFAC released an Advisory in 2020 (updated in 2021) that highlighted potential risks, including the imposition of civil penalties for companies and people associated with making and facilitating ransomware payments to sanctioned organizations. 

The Impact to National and Economic Security

The recent Treasury breach highlights how CFIUS and OFAC are being targeted by adversaries. Sensitive CFIUS information might reveal vulnerabilities in critical infrastructure or even disclose how the U.S. evaluates investment risks. For example, an evaluation of a U.S. biotech firm with proprietary research that is being acquired by, or receiving an investment from, a foreign company might disclose real national health security vulnerabilities related to that research.

Meanwhile, OFAC’s sanctions data could include targets of investigation and enforcement strategies, revealing how our government applies financial pressure on rogue states and non-state actors. This information might enable adversaries to exploit gaps in America’s economic defenses.

The “Salt Typhoon” incident is a sobering reminder that adversarial nations are targeting critical government functions. These offices manage sensitive information about sanctions targets and the identities of individuals collaborating with U.S. enforcement efforts. These exposures can both expose vulnerabilities found during investigations and endanger people’s lives. In the case of OFAC and CFIUS, the potential intelligence value justifies years of patient effort by state-sponsored hackers.

Salt Typhoon also highlights how cybersecurity and economic security have become inseparable and how documented vulnerabilities can directly translate into economic vulnerabilities. 

(Another) Wake-Up Call

I’ve been in the cybersecurity world since before the word existed. We are sick and tired of “wake-up calls” or “Pearl Harbor moments.” Not much seems to change with each breach. But I do want to call out this unique risk to our policy makers and the public. This wasn’t an attack to steal money, transfer crypto, or even get sensitive information on individuals. This was a strategic attack that went after the very heart of American innovation.

CFIUS and OFAC aren’t just for policy experts. Economic security IS national security, and these offices are critical to maintaining both. While CFIUS and OFAC may operate behind the scenes, what they do is important for America’s economic security, and protecting them isn’t just about safeguarding government data—it’s about ensuring our ability to maintain an edge in an era where economic power is a key battleground.