What cybersecurity means for global trade

Cybersecurity is a sensitive and important issue, but it is also one that is open to inappropriate use by policy makers who choose to use it to inhibit free trade in ICT (Information and Communications Technology). Ironically, the internet and ICT may offer more benefits to the development of global trade than any single policy has managed to achieve.

Cybersecurity does not fall neatly into a single set of rules. Rather, it spans espionage and theft, privacy and data protection, cross-border trade and investment in ICT, and cross-border criminal enforcement. Because of this, it can be open to restrictive trade measures defined as ensuring national self-sufficiency to protect national security. When implemented for the wrong reasons, such policy making does little more than create the illusion of national security, and will tend to inhibit the vital flow of ICT products and services needed in order for countries and societies to leverage the advantages of the Digital Age and Digital Economy.

When originally established, the General Agreement on Tariffs and Trade (GATT) was intended to deal with the very technical issue of regulating trade between signatory countries. Other multilateral institutions created at the time in order to enhance international cooperation, most notably the United Nations, were created to address issues of national or international security and peace. The GATT was drafted in such a way so as not to unduly constrain signatories’ freedom of action in matters of national security, and this policy space has resulted in ambiguities that can be exploited in ways that are unhelpful.

For example, in 2010 a group of United States senators called for the private sale of telecommunications equipment from a Chinese company to a major US carrier to be blocked on the grounds that the carrier was also a supplier to the military. In a 2012 report, citing cybersecurity concerns, the US House Permanent Select Committee on Intelligence recommended that US telecommunications operators not do business with China’s leading network equipment suppliers, and that the government should block takeovers of US companies by the largest Chinese equipment manufacturers.

Those dynamics, enabling the US to take the ‘high road’ on cyber espionage, changed dramatically in 2013 when Edward Snowden, the former US National Security Agency (NSA) subcontractor, revealed that the NSA had been engaged in espionage on a massive and hitherto unprecedented scale. The irony became even more apparent when it was revealed that the NSA had been spying for years on the same Chinese companies which the US had targeted with commercial bans for fear of ‘espionage’.

Fast forward to 2014-2015: the US and other countries are concerned that China is using cybersecurity criteria in some of its legal and policy proposals, most notably in banking. The US complains that China’s legislative proposals are inconsistent with its WTO obligations while the Chinese government has been standing by its regulatory proposals, explaining that it is “necessary for all governments to strengthen security to protect public interests.” Others in China and elsewhere believe forced localization would interfere with free competition and innovation.

A separate issue is cyber theft. One type is the stealing of trade secrets and intellectual property rights. At least one government has decided to include the use of trade-law tools in its responses to cyber theft and cyber espionage, with the US arguing that China is violating its commitments under the WTO Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPs) by failing to protect trade secrets. The issues are not unique to these two countries, and problems of cyber theft are a double-edged security concern, with legal debate ensuing over whether a national security exception is available in such cases.

Yet while the US accuses China of cyber espionage, there was also disclosure that the NSA itself had penetrated a major Chinese company and its equipment worldwide, and had engaged in commercial espionage of its own.

One could argue that this type of economic espionage by a WTO member conforms with US national security interests, but the inconsistencies and double standards in such arguments are clear, and are not just a US-China issue. In addition to this, it is worth noting that, although widely practiced by many governments, espionage is in fact illegal under the domestic laws of most countries.

Snowden’s revelations prompted a particularly strong reaction in Europe, where relevant telecom operators started proposing measures to avoid routing European data across the Atlantic. Moreover, the EU has criticized the functioning of the EU-US Safe Harbour Agreement that allows for the transfer of data between the EU and the US.

Indeed, although the EU has requested assurances from the US on how the national security exception would be utilized with regard to data transfers– an issue blocking progress in TTIP negotiations – the US has steadfastly refused to elaborate.

The EU has taken this policy standpoint further, with the European Parliament’s leading lawmaker on this issue arguing that, in the WTO TISA negotiations, the US proposals to maintain an undefined national security exception are unacceptable, and that use of national security must be linked with “objective necessity criteria.”

In addition to the reactions in Europe, data localization debates and stricter privacy rules have also been discussed and proposed in countries such as India, Brazil, South Korea and Indonesia.

There are urgent actions that need to be considered:

1. There is merit in reviewing and refining the scope of the GATT with regard to issues such as cybersecurity, including the use of the national security exception.

2. Beyond the parameters of the WTO, the international community should reach a post-Snowden consensus on the need for, and boundaries of, true counter-terrorism and security espionage.

3. While data protection and privacy clearly require legal protection, ICT continues to open horizons faster than national regulators can control them; practical trade-facilitating frameworks need to be agreed. We need to:

a. Recognize the different approaches to regulating cross-border data transfers, and that differing mechanisms can ensure a similar desired level of data protection;
b. Move away from rigid one-size-fits-all regulations towards more outcome-focused regimes;
c. Clearly delineate between the issue of government access to data and the distinct issue of cross-border data transfers in a commercial context;
d. Review existing frameworks to ensure that those we are developing today are fit for tomorrow;
e. Implement strong, binding trade-agreement commitments that prohibit data localization requirements, support unimpeded data flows and encourage interoperability among privacy regimes.

4. State-sponsored cyber-theft and the failures of governments to prevent cyber-theft should be addressed in the context of international rules on intellectual property.

5. In the world of investment, the identification of objective necessity (before national security exceptions are invoked) would lessen both the chilling effect on cross-border investment and the tendency to block deals for political or protectionist purposes.

These issues need clarity before further disincentives are posed to delay the provision of cutting-edge ICT solutions for the global economy.

The World Economic Forum report, The High and Low Politics of Trade, is available here 

Author: James Lockett is Vice-President and Head of Trade Facilitation and Market Access, Huawei Technologies, China, and a member of the World Economic Forum’s Global Agenda Council on Trade & FDI 

Image: Security cameras are pictured on a building at the Bund in front of the financial district of Pudong in Shanghai March 6, 2015. REUTERS/Aly Song