This is part two of our series of articles on the impact of the National Security and Investment Act 2021.
As described in a previous article in this series, the Act requires acquirers of entities operating in any of 17 “sensitive areas” of the economy to notify the Government of their intention and allows the Government to scrutinise and intervene in the proposed transaction if it believes it could be detrimental to the UK’s national security.
This note looks at one of those sensitive areas – “Computing Hardware” – and what the Act means for operators of businesses in this sector and their potential investors.
What is “Computing Hardware” for these purposes?
Essentially, under the Act a business is in the “Computing Hardware” space if it is involved in the creation, supply, or exploitation of IP relating to central processing units or chips (CPUs) or their design or code, memory, or fabrication or packaging of computer processing chips or memory, or management of roots of trust (a key security component of a connected device).
It is important to note that the CPU is the piece of hardware that enables your computer to interact with all of the applications and programs installed on it. A CPU interprets the program’s instructions and creates the output with which you interface when you use a computer. It is the most important part of a computer. The sophistication, power and speed of today’s CPUs (and associated transistors) are the fundamental reason the smartphone you carry in your pocket today has far more computing power than, perhaps, the entire planet did when we first went to the moon.
Seen in that light, the Act’s definition is clearly designed to capture the kind of computing hardware that powers the new products and services that have the potential to transform business and society. The internet of things, advanced robotics, artificial intelligence and quantum computing all depend on the technological advances brought about by this kind of underlying computing hardware and the supply chain around it.
However, the definition isn’t limited to these kinds of advanced or emerging technology applications. It is broad enough to encompass the hardware that powers everyday consumer devices like smartphones, laptops and PCs, servers and all manner of electronic devices commonly found in the home and the workplace.
Also, it captures businesses that may not consider themselves as directly involved in the CPU sector. A cyber security company developing roots of trust, which are ways to ensure the identity and authenticity of devices, may cater for a wide range of security needs at a hardware or software level, but a transaction involving it is likely be within the remit of the Act. A software company whose suit of activities include developing code that interprets the instructions from a software program could also be caught.
Why is “Computing Hardware” considered a sensitive area of the economy?
The reason for including computing hardware within the scope of the Act is clearly to prevent hostile actors from obtaining access or control to the kinds of IT products that could be used to cause harm or to identify vulnerabilities in them.
But why use such a broad definition that catches things like consumer device hardware and software code?
Perhaps the Government had in mind the likes of the leading British chipmaker ARM, which was bought by Japanese investment firm SoftBank in 2016 (and which was the subject of a failed bid by US chipmaker Nvidia earlier this year). ARM’s processors are extensively used in consumer electronic devices like smartphones, tablets and wearables, while it has plans to become the “Intel for artificial intelligence”, meaning the firm wishes to be the primary producer of chips and processor units for the burgeoning AI industry. ARM was for a time one of the UK’s only technology “unicorns” (a private business valued at over $1 billion) and is held up as a significant British industrial success story – now in the hands of foreign ownership.
In the context of a global technology arms race and wider geopolitical issues, it makes sense that the Government would be interested in potential transactions involving businesses in this sensitive sector. The use of such computing hardware can be a central aspects to national security – think about the computer systems that underpin missile defence systems or critical energy infrastructure.
However, the definition is so broad that it captures basically the whole range of hardware, whether it is used for national security or critical infrastructure or not. For example, it would likely apply to hardware powering consumer smartphones and smart personal assistants, such that acquisitions of those types of businesses (which seem relatively benign in national security terms) would be subject to the Act’s notification regime.
The Government’s reason for a very broad definition is likely to relate to the concept of “dual-use” applications, i.e. the possibility that computing hardware products that are built for a benign or low-risk purpose could be adapted and used in higher-risk or sensitive settings. Also, the supply chain and product development work in this area is broadly the same whether or not the hardware is used in, say, a mobile phone or a nuclear reactor system – so a hostile actor gaining access to hardware in a consumer market segment could get knowledge or expertise that could be used to undermine national security.
What do businesses and investors need to think about?
Like all other sensitive areas defined in the Act, computing hardware businesses and their investors will still need to consider carefully whether the transactions they are involved in would bring them under the remit of the Act and follow the notification process.
While they should look carefully at the “Computing Hardware” definition in the context of their transaction, this may not be enough, because the computing hardware definition refers to other sections of the Act which apply to other sensitive areas of the Act – so the Act applies in a cross-cutting way.
For example, the Act gives an example of a CPU as being “a specialist processor for Artificial Intelligence applications” – working out whether this example applies requires a reading of the separate “Artificial Intelligence” sector definition in the Act. So a company involved in developing hardware for the AI industry would first need to work out whether what they are doing is “Computing Hardware” under this sector definition, then look at the “Artificial Intelligence” section to work out whether their chips would be used for AI for the purposes of the Act.
Similarly, the Act describes “fabrication” of CPUs as “the process of producing a microelectronic circuit… using… advanced materials” – this in turn requires a reading of the definition of “Advanced Materials” which is itself a separate sector definition in the Act. So a manufacturing business must first work out whether they are “fabricating CPU” as per the “Computing Hardware” section of the Act, then also look at the “Advanced Materials” sector definition to see if they are using these kinds of materials in their manufacturing process.
While the intent of the inclusion and broad definition of computing hardware within the Act is clear, much will depend on how the government decides to respond to notifications of potential transactions in this sector.
If, as it has indicated more generally, the government does not intervene in a large proportion of cases, perhaps the definition strikes about the right balance between safeguarding national security and minimising the burden on industry.