Defense Contractor ‘Reinvents Itself’ to Operate Under Foreign Ownership
At a time of heightened concern about attacks on U.S. computer networks, the federal government might be expected to frown on a foreign takeover of one its cybersecurity contractors.
The $890 million acquisition last year of Maryland-based SafeNet by European digital security giant Gemalto was approved in January, although extraordinary actions had to be taken in order to allow the newly acquired company to remain a government contractor.
“SafeNet had to reinvent itself to continue to sell to the government,” said Kirk Spring, president of SafeNet Assured Technologies in Abingdon, Maryland. The company provides data encryption hardware and software to military and intelligence agencies.
A six-month review by the Committee on Foreign Investment in the United States and the Defense Security Service determined that, for the acquisition to be approved, Gemalto would have to spin off SafeNet’s government contracting arm as an independent subsidiary that would operate entirely as a U.S. company and be overseen by a U.S.- approved board of directors.
The new subsidiary, called SafeNet Assured Technologies, accounts for just 1 percent of Gemalto’s $3 billion operation but the parent company decided that the spinoff was a reasonable answer to
U.S. regulators’ concerns about protecting classified information that is considered of consequence to national security.
With already a large footprint in the U.S. information technology market, “Gemalto had been through this before. They knew there would be concerns,” Spring said in an interview. “The cost of splitting us off was minimal compared to the deal. Corporate ownership of a U.S. government contractor also was appealing to Gemalto because of the growing federal cybersecurity market, he said. And the U.S. government helped to make the deal work because it didn’t want to lose SafeNet as a supplier, he noted. “Financially it made sense on both sides.”
One of the imperatives in the SafeNet deal was to prevent any unauthorized influence on the products sold to the government. The U.S. subsidiary owns the intellectual property of every product sold to the government, Spring said. “There is no foreign influence on those products at all.”
SafeNet Assured Technologies also can resell Gemalto’s commercial products to the government. “Some federal agencies are using these products but still want a U.S. entity to do the buying from.
They need to be able to procure from a U.S. entity,” he said. “We provide that proxy barrier so we buy the products from Gemalto and protect the identity of the agency that is procuring those products.”
Under the proxy agreement, the 63-employee U.S. subsidiary must not only run as an independent operation but also have separate accounting systems, financial reporting, sales and engineering workforce. “Federal customers were very supportive of us setting up a subsidiary,” said Spring. “That allows us to really concentrate on the federal agencies instead of being part of a larger commercial company. We get to focus solely on federal needs, and adjust products based on their needs.”
Under the new structure, SafeNet Assured Technologies is an offshoot of the larger commercial firm SafeNet Inc. which reports to Gemalto USA. “We took 55 people out of SafeNet,” Spring said. It was an adjustment for employees who had been working for the 1,600-employee SafeNet to move to a smaller startup-size firm, Spring said.
The government contracting arm of SafeNet can still tap the innovation developed by the commercial parent company, he said. “What we can’t do is share back. We can’t tell them what we are doing with the federal customer but we still interchange ideas and technology.”
Foreign ownership of U.S. defense contractors is not unusual as the industry becomes more globalized. But the SafeNet acquisition illustrates the dilemma the government faces when suppliers upon which it depends for key technologies are bought by multinational corporations.
David N. Fagan, a partner and national security law expert at Covington & Burling, said the rules governing foreign acquisitions of defense contractors have been around for decades and work very effectively. “There are very prominent defense contractors that operate under these structures,” Fagan said. They are designed to make sure the contractor is truly a U.S. company.”
The Committee on Foreign Investment in the United States is chaired by the Department of Treasury with eight other voting members, including the Defense Department. When an acquisition or partial foreign investment is ruled too risky, the law authorizes the president to block the transaction.
Pentagon contractors with access to classified information are regulated under the National Industry Security Program Operating Manual. The Pentagon’s Defense Security Service has authority over most companies with facility security clearances. By law, NISPOM prohibits foreign ownership, control or influence over U.S. companies that hold clearances, but allows for the influence to be “mitigated” via proxy or special security agreements. “Each agreement generally requires the foreign-owned or controlled shareholder and the cleared company to implement certain corporate governance requirements to address U.S. national security concerns related to the protection of U.S. government classified information,” said Fagan.
The standard proxy agreement calls for at least three proxy holders, he noted. The parent company may select the initial proxy holders, subject to U.S. government approval. Special security agreements are more common than proxy arrangements, Fagan said. “The test is whether the transaction threatens to impair national security.”
SafeNet’s acquisition was under a proxy agreement, in which the foreign parent vests its voting power over the cleared subsidiary’s shares with proxy holders, who are security-cleared U.S. citizens with no prior ties to the foreign parent company.
More acquisitions are happening in the cyber security market, Fagan said. “It’s an attractive area for mergers and acquisitions. You may see more transactions in cyber.”
Business are becoming more globalized, he said, and the regulations need to be able to deal with that. “Generally the Defense Department is very attuned to that. They have worked out models to address this as well as their interests.”