Japanese telecommunications company Softbank wants to buy Sprint Nextel for about $20 billion. One barrier to the deal is unusual: Softbank and Sprint are being pushed to spurn equipment made by specific Chinese companies, due to cyber espionage fears.

The fear is reasonable but the way the deal is being treated isn’t. Instead of being arbitrarily handled on a case-by-case basis, these concerns should be addressed in a much more transparent and standardized way, by reforming the Committee on Foreign Investment in the United States (CFIUS).

House Intelligence Committee Chairman Mike Rogers (R–MI) has been perhaps the most outspoken Member of Congress concerning cyber espionage, performing a service by bringing attention to a serious problem that has both military and economic dimensions. Chairman Rogers said last week that “I have met with SoftBank and Sprint regarding this merger and was assured they would not integrate Huawei in to the Sprint network and would take mitigation efforts to replace Huawei equipment in the Clearwire network.”

That’s the right outcome but it’s not the way for U.S. policy to be made. Individual Members of Congress, even those making an important point, should not be in the middle of commercial acquisitions.

It’s quite likely that even Chairman Rogers is a bit uncomfortable with this. He has also discussed introducing legislation to address part of the cyber espionage risk by modifying the CFIUS. As Heritage has previously indicated, this is exactly the way to go.

The CFIUS is supposed to evaluate foreign acquisitions of American companies for any national security risk. There are two major gaps in the CFIUS mandate: “greenfield” investments, where there is no American firm involved, and equipment sales. Even without cyber espionage as an issue, it makes little sense to exclude greenfield investments from the CFIUS evaluation, as demonstrated by a recent case involving Chinese wind power firm Ralls.

In addition, cyber has a two-way connection to the CFIUS. First, concerns over cyber espionage mean that equipment sales should also be subject to the CFIUS process. Sprint alone has faced two instances of ill-defined government interference along these lines, rather than clear regulatory steps.

Second, the risk assessment performed by the CFIUS should have an explicit cybersecurity component. Putting these together, conditions on the Softbank–Sprint deal should have been imposed by the CFIUS alone, communicated early in the process, and easy to anticipate by the two companies.

The cyber challenge will not be solved by one action. But a positive step can be taken on both cyber threats and foreign investment in the U.S. by ensuring that it is the CFIUS that assesses cyber espionage risks in commercial transactions like Softbank–Sprint and does so in a clear, consistent, and timely fashion.