The 'computing hardware' sector and the NS&I Act
By Vik Khurana
Vik Khurana assesses the implications of the National Security and Investment Act 2021
The National Security and Investment Act 2021 (the Act) requires acquirers of entities operating in any of 17 “sensitive areas” of the economy to notify the government of its intention and allows the government to scrutinise and intervene in the proposed transaction if it believes it could be detrimental to the UK’s national security.
The 17 sectors are: advanced materials, advanced robotics, artificial intelligence, civil nuclear, communications, computing hardware, critical suppliers to government, critical suppliers to the emergency services, cryptographic authentication, data infrastructure, defence, energy, military and dual-use, quantum technologies, satellite and space technologies, synthetic biology (formerly known as engineering biology) and transport.
This article looks at one of those sensitive areas – computing hardware – and covers what the Act means for operators of businesses in this sector and their potential investors.
What is ‘computing hardware’?
A business is in the ‘computing hardware’ space if it creates, supplies or exploits intellectual property relating to central processing units (CPUs) or their design or code, memory or if it is involved in fabrication or packaging of computer processing chips or memory or management of roots of trust (a key security component of a connected device).
CPUs enable computers to interact with all of the applications and programs installed on it. A CPU interprets the program's instructions and creates the output that you interface with when you use a computer, a tablet or a smartphone.
The sophistication, power and speed of today’s CPUs (and associated transistors) are the fundamental reason the smartphone you carry in your pocket today has far more computing power than, perhaps, the entire planet did when we first went to the moon. The Act’s definition is clearly designed to capture the kind of computing hardware that powers all those new products and services that have the potential to transform business and society – the internet of things, advanced robotics, artificial intelligence and quantum computing included.
However, the regulators wrote a definition broad enough to encompass the hardware that powers everyday consumer devices like smartphones, laptops and PCs, servers and all manner of electronic devices commonly found in the home and the workplace. It also captures businesses that may not consider themselves as directly involved in the CPU sector.
For example, a cybersecurity company developing ‘roots of trust’ (ways to ensure the identity and authenticity of devices) may cater for a wide range of security needs at a hardware or software level, but a transaction involving it is likely be within the remit of the Act.
A software company whose code can interpret instructions from another software program could also be caught.
A sensitive area
Including computing hardware within the scope of the Act was clearly driven by the wish to prevent hostile actors from obtaining access or control to IT products that could be used to cause harm or to identify vulnerabilities in them. But why use such a broad definition that catches things like consumer device hardware and software code?
Was the government trying to prevent acquisitions like the one of leading British chipmaker ARM by Japanese investment firm SoftBank in 2016? Processors made by ARM (which was the subject of a failed bid by US chipmaker Nvidia earlier this year) are extensively used in consumer electronic devices like smartphones, tablets and wearables, and the company plans to become the ‘Intel for artificial intelligence’, the primary producer of chips and processor units for the burgeoning AI industry.
ARM was for a time one of the UK’s only technology unicorns and a significant British industrial success story – now in the hands of foreign ownership.
Computing hardware is a central aspect of national security – think about the computer systems that underpin missile defence systems or critical energy infrastructure. In the context of a global technology arms race and wider geopolitical issues, it makes sense that the government would be interested in potential transactions involving businesses in this sensitive sector.
However, the definition is so broad it captures the whole range of hardware whether it is used for national security or critical infrastructure or not. For example, acquisitions of businesses working on hardware powering consumer smartphones and smart personal assistants (which seem relatively benign in national security terms) would be subject to the Act’s notification regime.
The government’s argument as to why a very broad definition is needed is likely to be the concept of ‘dual-use’ applications, i.e. the possibility that computing hardware products that are built for a benign or low-risk purpose, could be adapted and used in higher-risk or sensitive settings. Also, the supply chain and product development work in this area is broadly the same whether or not the hardware is used in, say, a mobile phone or a nuclear reactor system – so a hostile actor gaining access to hardware in a consumer market segment could give that actor knowledge or expertise that could be used to undermine national security.
Computing hardware businesses and their investors will need to consider carefully whether the transactions they are involved in would bring them under the remit of the Act and follow the notification process.
However, looking carefully at the ‘computing hardware’ definition in the context of their transaction, may not be enough: the definition refers to other sections of the Act which apply to other sensitive areas of the Act – so the Act applies in a cross-cutting way.
For example, the Act gives an example of a CPU as being “a specialist processor for Artificial Intelligence applications” – working out whether this example applies requires a reading of the separate ‘Artificial Intelligence’ sector definition in the Act. So, a company involved in developing hardware for the AI industry would first need to work out whether what they are doing is ‘computing hardware’ under this sector definition, then look at the ‘artificial intelligence’ section to work out whether their chips would be used for AI for the purposes of the Act.
Similarly, a manufacturing business must first work out whether they are ‘fabricating CPU’ as per the ‘computing hardware’ section of the Act, then also look at the ‘advanced materials’ sector definition to see if they are using these kinds of materials in their manufacturing process. This is because the Act describes ‘fabrication’ of CPUs as “the process of producing a microelectronic circuit… using… advanced materials”.
While the intent of the inclusion and broad definition of computing hardware within the Act is clear, much will depend on how the government decides to respond to notifications of potential transactions in this sector.
If, as it has indicated more generally, the government does not intervene in a large proportion of cases, perhaps the definition strikes about the right balance between safeguarding national security and minimising the burden on industry.
Vik Khurana is a partner at Bristows bristows.com