26 September 2019

Cybersecurity and digital trade: Getting it right

Joshua P. Meltzer and Cameron F. Kerry

INTRODUCTION: THE INTERACTION OF CYBERSECURITY AND TRADE

Trade and cybersecurity are increasingly intertwined. The expansion of the internet globally and use of data flows globally by businesses and consumers for communication, e-commerce, and as a source of access to information and innovation, is transforming international trade.[1] The spread of artificial intelligence, the “internet of things,” and cloud computing will work to increase global connectivity of businesses, governments, and supply chains. [2]

As global interconnectivity grows, however, so does exposure to the risks and costs of cyberattacks. For example, formjacking—using JavaScript to steal credit card details from e-commerce sites—or supply chains hacks which exploit third party services and software to compromise a final target, undermine business and consumer trust in using the internet for commerce.[3] The WannaCry ransomware attributed to North Korea infected more than 200,000 computers across 153 countries, costing hundreds of millions of dollars damage. What is clear is a lack of cybersecurity is costly and can undermine the trust of consumers and business in engaging in digital trade. Protecting trust in a digitally connected world necessarily involves collaboration across borders between the public and private sectors because global networks, organizations, and supply chains rely on the same systems and software, most of it supplied by enterprises, and they face the same threats.


The importance of cybersecurity is leading countries to adopt cybersecurity policies.[4] According to one estimate at least 50 countries have adopted cybersecurity policies and regulation. Some of these cybersecurity policies recognize a need for international cooperation: the EU identified “a need for closer cooperation at a global level to improve security standards, improve information, and promote a common global approach to network and information security issues ….” [5]and the most recent U.S. Cybersecurity Strategy reaffirms the need to “strengthen the capacity and interoperability of those allies and partners to improve our ability to optimize our combined skills, resources, capabilities, and perspectives against shared threats. [6]

A common approach can enhance cybersecurity and protect digital trade. Conversely, divergent or obstructive approaches risk creating barriers to digital trade. These can include unique standards, requirements for localization of data or technology supply, and overreaching national security protections may violate obligations under the WTO and free trade agreements. A recent Brookings roundtable among cybersecurity and trade experts from government, civil society, and the private sector identified a need to unpack broad or restrictive measures from reasonable practices and policies designed to enhance the security of network infrastructure.

This brief will discuss how trade policy can be an instrument to support good cybersecurity practices and to build cooperation on cybersecurity among governments. We explore ways that trade agreements and trade policy can be used to unpack meaningful cybersecurity from artificial trade barriers. In particular, we look at the extent to which these can differentiate between cybersecurity and more restrictive measures in the name of national security. The challenge of adapting trade rules developed in an analog era to today’s digital world economy is an ongoing project, and managing cybersecurity effectively needs to be part of that project.
CYBERSECURITY, THE WTO NATIONAL SECURITY, AND OTHER WTO EXCEPTIONS

The WTO security exception. Article XXI of GATT allows for a number “security exceptions” from WTO obligations. Until recently, this exception has been used infrequently, not only because parties have been reluctant to put national security interests to the test of dispute settlement but in part out of concern that the exception could blow a very large hole in the trading system. [7]

Now, however, the growth in connectivity and parallel rise in cybersecurity concerns presents a real risk that cybersecurity becomes a catch-all to justify political control or to protect domestic industry from online competitors. For instance, Vietnam’s cybersecurity law prohibits, among other things “distorting history, denying revolutionary achievements, or destroying the fine tradition and customs of the people, social ethics or health of the community.” [8] A statement by the Shanghai Cooperation Organization on Cooperation in the Field of International Information Security considers as a threat the “dissemination of information harmful to social and political, social and economic systems, as well as spiritual, moral and cultural sphere of other states.” [9] The vague definition in China’s cybersecurity law of what constitutes critical infrastructure could be used to limit access of foreign firms to key sectors or require access to source code under the justification of security as a condition of entering a market, yet exposing foreign companies to IP theft. [10 ]

The Trump administration’s decision to use a national security rationale to justify tariffs not only on imports of steel and aluminum but also possibly tariffs on automobiles heightened concerns over abuse of the national security exception. Russia relied on the national security exception to justify blockages on goods from Ukraine transiting its territory, and the UAE is relying on the exception to justify barriers on imports from Qatar.

A 2019 WTO panel in the Russia/Ukraine case made clear that the GATT national security exception is not self-judging and that panels will make an objective assessment as to whether there were qualifying events such as “an emergency in international relations.”[11]This assessment is complicated in the cybersecurity context because the exceptions for national security and the general exceptions provisions in the WTO and in free trade agreements (FTAs) blur with a proliferation of cyber risks from state and non-state actors and where measures to address cyber risks are increasingly economy-wide. Setting boundaries will require a common global definition of the cybersecurity domain.

The U.S. National Institute of Standards and Technology (NIST) provides a reference point for such a definition. It defines cybersecurity as “the prevention of damage to, unauthorized use of, exploitation of, and—if needed—the restoration of electronic information and communications systems, and the information they contain, in order to strengthen the confidentiality, integrity and availability of these systems.” [12]In turn, the White House National Cyber Strategy focuses on increasing the security and resilience of the nation’s information and information systems. [13]

This definition reflects two key elements of cyberattacks: On information and on information systems. It does not differentiate between action by states as well as criminals and its impact on public and private information, networks, and infrastructure. Thus, for example, it includes Russian use of false accounts and addresses to seed false information as well as malware to intrude on systems.

Critically, this focus on the integrity of information and information systems does not encompass broader purposes such as development of national industries, preserving law enforcement access to information on citizens, regulation of information content, or social controls that are not directly related to these core elements. Such laws should stand or fall on aspects of trade agreements other than the security exception.

Other WTO exceptions. The global networks of trade are vulnerable to attacks along supply chains. In some cases, government may determine that the best policy response to this vulnerability is to prevent certain companies or governments from participating in the supply of key technologies. For instance, a recent White House Executive Order prohibits the importation of information and communication technology and services from entities controlled by a foreign adversary and where the import poses various risks—including of cyberattack. [14] Recent draft regulations out of China regarding its cybersecurity review process also identify services and products controlled by foreign governments as potentially being subject to cybersecurity review. [15]

Actions like these raise fundamental questions about consistency with WTO MFN commitments and would have to be justified as either necessary for national security or under the more general exceptions provision. While national security would seem the most logical exception, this provision was crafted in 1948 during the Cold War and its references to national security, such as trafficking in arms or relating to fissionable material, are not well suited to the cyber context, where the attacks might concern malware that affects how electrical grids operate. [16]

The WTO GATT Article XX and GATS Article XIV general exception provisions are also available to justify such trade restrictions for cybersecurity purposes, and measures to protect critical infrastructure and supply chains could be considered necessary for public order or to protect human life or health. [17] Yet, in these cases, the government would be subject to the more rigorous (compared to the national security exception) disciplines of these other provisions, which include requiring that the cybersecurity measures are least trade-restrictive and that there is a no less trade-restrictive alternative available to achieve the members desired level of protection. In addition, the chapeau to these exception provisions requires that the cyber measures are not arbitrary or unjustifiable or a disguised restriction on international trade. Applying such disciplines to cybersecurity measures that restrict trade would help distinguish between measures to protect information and information systems versus disguised restrictions on trade. However, whether governments are prepared to subject what they see as a national security measure to the disciplines of the general exception disciplines remains to be tested.

Yet, where governments seek to rely on the national security exception instead, the risk is this could lead to a large increase in trade restrictions. Given the step-up in aggressiveness in the cyber domain, it appears that cybersecurity will challenge how the trading system has traditionally balanced rights of access to markets with rights of governments to restrict trade for legitimate policy reasons. Fresh thinking and cooperation among like-minded trading partners on how to provide scope for legitimate cybersecurity policy that does not unnecessarily restrict trade is needed.

Although digital trade increases cybersecurity risks, trade and cybersecurity policy can also work in tandem to support growth in digital trade as well as strengthen cybersecurity outcomes.

Access to data. As cybersecurity defense becomes more sophisticated, use of analytics and machine learning to monitor network activity plays a growing role in the analysis of risks and anomalies.[18] In fact, requiring data to be localized reduces opportunities for companies to use big data analytics to assess risk across global operations and supply chains. Forcing data into specific locations also increases the risk and cost of a data breach.The CPTPP and USMCA commitments to information flows across borders (subject to appropriate exceptions) and to avoiding data localization requirements, advances digital trade opportunities and cybersecurity outcomes.[19]

Information sharing. As reflected in the U.S. Cybersecurity Information Sharing Act, real-time sharing of information on threats and vulnerabilities to promote awareness, plan responses, and help targets adapt and respond has become an important feature of cybersecurity policies. The trust issues in sharing proprietary or classified information in the domestic context are compounded when dealing with governments or organizations across national borders. Nevertheless, the U.S. is seeking to improve information sharing with international partners and allies and along supply chains. Trade agreements can include commitments to building public and private sector information sharing mechanisms. For example, the U.S.-Mexico-Canada trade agreement includes a commitment to sharing information and best practices as a means of addressing and responding to cyberattacks. [20 ]

Cybersecurity standards. Cybersecurity standards can build a common approach to addressing cybersecurity risks based on best practice. For instance, the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC) have developed a number of cybersecurity-related standards, including the jointly developed ISO/IEC 27000 series as well as sector specific-standards for electric utilities, healthcare, and shipping. [21] Standards are most effective when they don’t proscribe a particular approach but instead are frameworks for managing risk, relying on business and government to design cybersecurity measures most suitable to their business practices and risk profiles. In turn, the NIST Cyber Framework relies on international standards such as ISO 27001 as references for its cyber risk management framework, with the result that the framework is not U.S. specific and can be adopted globally.[22]Trade agreements can be used to reinforce the role of consensus-based standards with commitments to develop international standards and to use international standards where they exist as a basis for domestic regulation, which also supports the development of globally consistent and least trade-restrictive approaches to cybersecurity. Using international standards as a basis for cybersecurity policy can also help address concerns that cybersecurity regulation is a disguised restriction on trade aimed instead at supporting domestic industry.

Certification of compliance with cybersecurity standards. Compliance certification can give consumers and business confidence in the cybersecurity of organizations and government. Under the EU Cybersecurity Act which came in to force in June 2019, the European Union Agency for Cybersecurity (ENISA) will establish an EU-wide cybersecurity certification scheme. [23] NIST has developed a different approach in the Baldridge Performance Excellence Program, which encourages self-assessment of compliance. Trade agreements can support conformity assessment regimes and seek to minimize such regimes becoming unnecessarily burdensome on trade by requiring governments to allow other parties to demonstrate and undertake in the country of export conformity assessment of products with the country of imports cybersecurity regulations. In addition, commitments that conformity assessment requirements are non-discriminatory and not disguised restrictions on international trade provide additional disciplines that lead to the consideration of trade impacts on the development of cybersecurity regulation.

Risk-based approach to cybersecurity. According to the OECD, cybersecurity should “aim to reduce the risk to an acceptable level relative to the economic and social benefits expected from those activities, while taking into account the legitimate interests of others.”[24] Similarly, the NIST framework relies on risk assessments tailored to each organization’s needs, and the EU’s Network and Information System Directive requires security measures “appropriate and proportionate … to manage the risks posed to the security of network and information systems.” A risk assessment should then inform decisions as to what measures to adopt, what risk reduction can be expected, and at what cost. The rapidly changing nature of cybersecurity threats means that addressing risk is a dynamic process that requires regular reassessment of risk and consideration of what else might be needed to reduce risk to acceptable levels. By contrast, an overly prescriptive regulation can become quickly outdated or lead to box-checking instead of thoughtful assessment whether the steps taken are in fact reducing risk.

Building an effective approach to cybersecurity also requires engaging government and business leaders and building cyber risk management into the core of corporate and government practice.[25]The USMCA includes a recognition of the importance of taking a risk-based approach to cybersecurity instead of proscriptive approaches, including risk-based approaches that rely on consensus-based international standards and best practices.[26]
CONCLUSION

The scope for trade policy to support cybersecurity outcomes presents a complex set of issues that are only beginning to be explored. Today, cybersecurity risk is growing more acute as business, government, and people become more interconnected and reliant on technology. On the one hand, the risk that governments increasingly will restrict access to data and networks merits attention, since it could potentially result in adverse consequences for digital trade and impair the potential for the free flow of data to drive growth and welfare. On the other hand, getting cybersecurity policy wrong will undermine trust in the digital economy. Therefore, new trade rules that can both support risk based effective cybersecurity regulation, build bridges between the cybersecurity policy in different countries to maximize synergies, and minimize barriers to trade are needed.

No comments: