ARTICLE
15 January 2026

Privacy And Data Security Recap 2025—National Security

PC
Perkins Coie LLP

Contributor

Perkins Coie LLP logo

Perkins Coie is a premier international law firm with over a century of experience, dedicated to addressing the legal and business challenges of tomorrow. Renowned for its deep industry knowledge and client-centric approach, the firm has consistently partnered with trailblazing organizations, from aviation pioneers to artificial intelligence innovators. With 21 offices across the United States, Asia, and Europe, and a global network of partner firms, Perkins Coie provides seamless support to clients wherever they operate.

The firm's vision is to be the trusted advisor to the world’s most innovative companies, delivering strategic, high-value solutions critical to their success. Guided by a one-firm culture, Perkins Coie emphasizes excellence, collaboration, inclusion, innovation, and creativity. The firm is committed to building diverse teams, promoting equal access to justice, and upholding the rule of law, reflecting its core values and enduring dedication to clients, communities, and colleagues.

Explore Firm Details
In 2025, technology companies and critical infrastructure providers faced a range of cybersecurity and data security threats from nation states and affiliated threat actors.
United States Technology
Todd M. Hinnen,David Aaron, and Sarah Grant

2025 saw a range of activity at the intersection of privacy, data security, and national security, including new types of threats, significant U.S. regulatory actions by multiple agencies, legislative lapses and new priorities, and judicial approval (at least for now) of the EU-U.S. Data Privacy Framework. 

Threat Landscape

In 2025, technology companies and critical infrastructure providers faced a range of cybersecurity and data security threats from nation states and affiliated threat actors. Notably, a range of threat actors have proven adept at leveraging generative AI tools to enhance the effectiveness of their operations.

Continuing a major cybersecurity storyline from last year, 2025 brought additional insight into the scope and techniques of the People's Republic of China (PRC)-linked Salt Typhoon cyber espionage campaign targeting global telecommunications and internet service providers, as well as other sectors. PRC-affiliated threat actors were also assessed to be behind a range of other cyberthreats, including a wave of attacks targeting on-premises SharePoint servers; deployment of malware targeting VMware vSphere and Windows environments on the systems of victims in the government services and facilities and IT sectors; and the first reported AI-orchestrated cyber espionage campaign, which targeted large tech companies, financial institutions, chemical manufacturing companies, and government agencies.

North Korean-affiliated cyber actors also remained active in 2025 in pursuit of opportunities both to generate revenue to support the heavily sanctioned North Korean regime and to gather intelligence on Western governments and businesses. A major development this year was a surge in North Korean workers fraudulently obtaining remote employment with U.S. companies, primarily in the technology, critical manufacturing, and transportation sectors, by leveraging AI tools to evade detection in the hiring processes and once employed. North Korean actors successfully gained employment with more than 100 U.S. companies and, in some cases, stole sensitive information including export-controlled U.S. military technology and virtual currency.

Reported cyberthreat activity by Russian state and affiliated actors has largely targeted critical infrastructure in the United States and Europe, as well as industries that are involved in supporting Ukraine's defense of its territory, including the defense, transportation, and IT sectors.

Ransomware activity also reached new levels in 2025, with threat actors increasingly targeting critical infrastructure sectors, such as manufacturing, healthcare, energy, transportation, and finance.

Regulatory Action

DOJ Data Security Program Implementation

The Department of Justice (DOJ) rule governing international transfers of Americans' sensitive personal information and government-related information, which is codified at 28 C.F.R. Part 202 and implements Executive Order 14117, went into effect on April 8, 2025. DOJ implemented a 90-day "good faith efforts" transition window, through July 8, for individuals and entities to come into full compliance before DOJ would begin enforcement of violations. Three aspects of the rule with a longer implementation timeline—affirmative due diligence and audit obligations for all restricted transactions, reporting requirements for certain restricted transactions, and reporting requirements for rejected prohibited transactions—came into force on October 6.

DOJ issued compliance guidance and a "frequently asked questions" document in April shortly after the rule went into effect. DOJ added one additional FAQ in September but has not otherwise provided additional guidance. To date, DOJ has not publicly announced any enforcement actions or individually designated any covered persons under § 202.701.

FCC Measures

The Federal Communications Commission (FCC) continued to expand its national security-oriented regulatory activities in 2025. Consistent with the government's approach in other spheres, the FCC's actions were largely geared towards reducing U.S. exposure to Chinese goods and services and incentivizing domestic production and investment. In May, the FCC issued a report and order addressing national security risks related to ownership, control, and direction by the Chinese government and affiliated entities (among other "prohibited entities") of FCC-authorized private labs responsible for testing and certifying telecommunications equipment and related lab accreditation bodies.

A report and order implementing rules related to licensing of submarine cable infrastructure followed in August. The rules aim to strengthen U.S. control over the communications cables that carry most global internet traffic and to mitigate assessed "foreign adversary" threats to the security of this infrastructure. Closing out the year, in late December, the FCC added all new foreign-produced drones and related components to the "Covered List" of communications equipment and services deemed to pose an unacceptable risk to the national security of the United States or the safety and security of U.S. persons, thereby effectively banning them from the U.S. market. The National Security Determination supporting the ban cited the need to reduce the risk of unauthorized surveillance and sensitive data exfiltration, among other threats.

DoD CMMC Program Implementation

On November 10, the Department of Defense's (DoD) final rule implementing the Cybersecurity Maturity Model Certification Program went into effect, imposing a variety of cybersecurity obligations on defense contractors and subcontractors. The rule's requirements for safeguarding federal contract information and controlled unclassified information will be phased into all DoD contracts—except for those solely for the acquisition of commercially available off-the-shelf items—by November 10, 2028.

Cybersecurity Legislation

The Cybersecurity Information Sharing Act of 2015 (CISA 2015) expired on October 1, 2025, creating uncertainty regarding legal protections for companies that share cybersecurity information with governmental entities. In November, as part of the appropriations package to reopen the government, Congress passed a short-term extension of the law through January 30, 2026.

In current form, CISA 2015:

  • Exempts entities engaging in such sharing from antitrust liability for disclosing cybersecurity information among private entities; liability for monitoring internal systems for cybersecurity purposes; liability for disclosing personal information related to a cybersecurity threat; and disclosure under federal, state, tribal, or local freedom of information laws, open government laws, open meetings laws, open records laws, or sunshine laws related to shared information
  • Prevents entities from waiving privilege and trade secret protection for shared information
  • Limits federal agencies' use of shared information to cybersecurity purposes

Bills currently pending in both the House and Senate would enact a 10-year extension of the legislation in some form, but the proposals differ in whether they would enact a clean reauthorization or modify the legislation to, for example, update definitions and assign additional responsibilities to the Department of Homeland Security. To date, the White House has publicly expressed its support for a clean 10-year reauthorization.

Additionally, in November, the House of Representatives passed the Strengthening Cyber Resilience Against State-Sponsored Threats Act, which would create an interagency executive branch task force to coordinate responses to Chinese state-sponsored cyber actors. The bill is now pending in the Senate.

National Defense Authorization Act

Signed into law on December 18, the National Defense Authorization Act (NDAA) for Fiscal Year 2026 contains numerous provisions related to cybersecurity and AI. As relevant for industry, the law directs the development of policy and security requirements for AI/ML systems procured by DoD, including secure-by-design practices, cybersecurity and physical security standards, independent assessment and oversight, and restrictions on certain AI technologies. Contractors are generally prohibited from using any AI tools developed in adversary nations, such as DeepSeek models, unless the secretary of defense grants a waiver.

Section 6601 further orders the director of the National Security Agency to develop AI security guidance that:

  • Identifies vulnerabilities in advanced AI technologies, with a focus on cybersecurity risks and security challenges unique to protecting such technologies from theft or sabotage by nation-state adversaries
  • Identifies elements of the AI supply chain or development or product lifecycle that, if accessed by nation-state adversaries, would contribute to progress made by nation-state adversaries on advanced AI or would provide opportunities to adversaries to compromise the confidentiality, integrity, or availability of AI systems or associated supply chains
  • Identifies strategies for AI technologies to identify, protect, detect, respond, and recover from nation-state adversary cyber threats

The director is authorized to collaborate with research entities and industry in the development of the guidance, and to share the finalized guidance with such entities as appropriate.

FISA Oversight

Pursuant to statutes directing declassification and public release, to the greatest extent possible, of significant decisions and other materials concerning national security surveillance activities under the Foreign Intelligence Surveillance Act (FISA), the Office of the Director of National Intelligence (ODNI) released this year redacted versions of four opinions from the Foreign Intelligence Surveillance Court (FISC) and related materials.

In January, the FISC denied a request by the Federal Bureau of Investigation (FBI) to conduct electronic surveillance pursuant to Title I of FISA using a classified surveillance technique. The FISC appointed an amicus curiae to address novel or significant issues of law related to the request, including whether the technique constituted "electronic surveillance" as defined by FISA and whether there was probable cause for the surveillance as required by Title I. Ultimately, the FISC determined that the government failed to establish probable cause that "each of the facilities or places at which the electronic surveillance is directed is being used, or is about to be used, by a foreign power or an agent of a foreign power," and denied the application accordingly.

To collect foreign intelligence information pursuant to FISA Section 702, the government must obtain annual (or more frequent) FISC approval of its intended collection activities as well as its targeting, minimization, and querying procedures. In a March opinion, the FISC approved the government's renewal certifications and procedures related to collection of intelligence regarding international terrorism, weapons of mass destruction, and foreign governments. In April, on the government's second attempt, the FISC approved the inaugural certification and procedures related to the collection of intelligence regarding international production, distribution, or financing of illicit drugs. The FISC previously identified deficiencies in the government's proposed procedures and withheld approval in February. The Reforming Intelligence and Securing America Act (RISAA), passed by Congress in 2024, added counternarcotics as an approved collection category.

In October, the DOJ Office of Inspector General (OIG) released a report on the FBI's querying practices under Section 702 from April 20, 2024, through April 20, 2025, following the enactment of significant reforms in RISAA. The OIG found that the FBI implemented all RISAA-required querying reforms and substantially reduced the number of noncompliant queries, but the OIG nevertheless emphasized the need to maintain rigorous multiagency and multibranch oversight to ensure continued compliance.

2025 was otherwise a relatively quiet year with respect to Section 702, which is now due to expire in April 2026 if not renewed. If the last renewal cycle leading into 2024 is any indication, we can expect a lively debate on the Hill and among civil society groups in the coming months.

EU-U.S. Data Transfers

In September, the General Court of the European Union (the EU's court of first instance) dismissed a challenge to the EU-U.S. Data Privacy Framework (DPF) and confirmed the framework's validity based on the facts and law at the time of the European Commission's adequacy determination for the United States in 2023. The applicant, Member of French Parliament Philippe Latombe, challenged the independence of the U.S. Data Protection Review Court—established pursuant to Executive Order 14086 to independently review ODNI's handling of complaints alleging certain violations of U.S. law in the conduct of U.S. signals intelligence activities—as well as the sufficiency of safeguards governing data collection by U.S. intelligence agencies without prior authorization, among other claims. On October 31, Latombe filed an appeal to the European Court of Justice against the General Court's judgment.

Regardless of how the Court of Justice rules on the appeal of the dismissal, the European Commission retains authority to review and reevaluate the DPF's validity on an ongoing basis. Notably, the 2023 adequacy decision emphasized the role of the independent Privacy and Civil Liberties Oversight Board (PCLOB) in ensuring that U.S. intelligence practices align with the DPF's standards. The PCLOB has been without a quorum to take official action since January, when the Trump Administration dismissed three Democratic-appointed members.

This post is part of a series recapping privacy law developments in 2025.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Todd M. Hinnen
Todd M. Hinnen
Photo of David Aaron
David Aaron
Photo of Sarah Grant
Sarah Grant
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More