Cybersecurity, digital trade, and data flows: Re-thinking a role for international trade rules

An image of Israeli soldiers is seen on a computer screen with colourful markings of a face recognition programming script, during a cyber security training course, called a Hackathon, at iNT Institute of Technology and Innovation, at a high-tech park in Beersheba, southern Israel August 28, 2017. Picture taken August 28, 2017. REUTERS/Amir Cohen - RC1DE502FAB0
Editor's note:

This working paper was updated in May 2020.

Trade and cybersecurity are increasingly intertwined. The global expansion of the internet and increased use of data flows by businesses and consumers—for communication, e-commerce, and as a source of information and innovation—are transforming international trade. Global data flows enable artificial intelligence, the “internet of things,” (IoT) and cloud computing. Such digital technologies accelerate the global connectivity of businesses, governments, and supply chains.

As digital connectivity grows, however, so does exposure to the risks and costs of cyberattacks. Moreover, the potential costs of cyberattack have underpinned a turn to conceiving cybersecurity risk as a national security threat. As President Trump’s National Security Telecommunications Advisory Council observed, the U.S. is “faced with a progressively worsening cybersecurity threat environment and an ever-increasing dependence on internet technologies fundamental to public safety, economic prosperity, and overall way of life. Our national security is now inexorably linked to cybersecurity.” The scope of potential cybersecurity threats includes the digital space such as cybertheft of intellectual property (IP) and personal data and manipulation of online information, as well as the physical space, such as critical infrastructure (e.g., telecommunications, transport, and health care) and IoT, which relies on software to network services.

Many countries are adopting cybersecurity policies. According to one estimate, at least 50 percent of countries have adopted cybersecurity policies and regulations. Some of these policies recognize a need for international cooperation: the EU identified “a need for closer cooperation at a global level to improve security standards, improve information, and promote a common global approach to network and information security issues … ” and the U.S. Cybersecurity Strategy reaffirms the need to “strengthen the capacity and interoperability of those allies and partners to improve our ability to optimize our combined skills, resources, capabilities, and perspectives against shared threats.”

This paper is focused on U.S.-China cybersecurity risks, measures taken to address these risks, and the implications for the bilateral trade and investment relationship. The U.S. and China are conceiving of cybersecurity risk broadly, potentially affecting large parts of the economy, including critical infrastructure, digital content, information, and interconnected goods—the IoT. In parallel, the emerging U.S. view of China as a strategic threat and competitor has highlighted how economic integration can be a source of vulnerability. There are two consequences to this development. One is the reduced scope for the U.S. and China to resolve cybersecurity concerns diplomatically. The other is the turn to using trade and investment restrictions as a preferred tool for addressing cybersecurity threats. These developments are undermining the post-World War II approach to dealing with trade-related security issues largely outside the GATT (and then the WTO). Yet, current trade rules are completely inadequate in addressing the challenges that cybersecurity measures will bring to international trade.

Many U.S. and Chinese cybersecurity measures are likely to restrict cross-border data flows and digital trade. These include data-localization requirements and import and investment restrictions on data and information technology (IT) products, particularly from countries or along supply chains where cyber risk is high. Import restrictions including higher tariffs are also being used to punish and deter cyberattacks.

Treating goods, services, or data from high-risk countries like China less favorably than those from countries where cyber risk is lower, cybersecurity measures may violate various World Trade Organization (WTO) and free trade agreement (FTA) commitments. Where a government is in breach of such commitments, it can seek to justify the cybersecurity regulation under the treaty’s security or general exception provision. Until recently, governments have largely avoided relying on the WTO security exception to justify trade restrictions. There had been no WTO case dealing with the security exception prior to 2018, when a WTO panel issued a decision on the scope of the GATT national security exception. The lack of WTO cases until recently reflected broad concern amongst WTO members of the potential for abuse of the national security exception to justify trade restrictions, and a preference for addressing the impact of national security measures on trade using negotiation and diplomatic channels. However, and as noted, deteriorating U.S.-China relations have reduced the scope for the U.S. and China to security resolve security/trade tensions diplomatically. This reflects not only a deteriorating bilateral relationship, but changes in the global security environment, including the extension of what constitutes national security to large segments of the economy, and the end of the notion that major powers would converge and stop treating each other as rivals.

The conception of cybersecurity as a national security threat and the use of trade policy to address cybersecurity threats creates two distinct challenges for the rules-based trading system. The first is the capacity for trade rules in the WTO and in FTAs to distinguish between genuine cybersecurity measures taken by governments and those that are merely disguised protectionism. The second is that as economies become more digital and connected, there is likely to be significant growth in trade restrictions for legitimate cybersecurity purposes, which also raises difficult questions for trade policy. Here, the trade policy challenge is to distinguish legitimate cybersecurity from protectionism, as well as to minimize the impact of legitimate cybersecurity regulation on digital trade.

As this paper will discuss, current trade rules in the WTO are not fit for purpose. The WTO security exception was designed to address a more traditional set of security measures: it is not well designed to deal with measures that restrict trade to address cybersecurity risk. For instance, the approach in the WTO to determining what is a security issue, and the requirement that security measures be taken in response to a security issue, is at odds with how governments are responding to the diffuse, longer-term nature of cyber risk. FTA security exceptions provide more flexibility. Yet here, the risk is that growth in cybersecurity regulation will blow a hole in FTA digital trade commitments.

The alternative to relying on the security exception is to justify cybersecurity regulation under the WTO and FTA general exceptions. Yet, governments are unlikely to tolerate the higher levels of third-party scrutiny that goes with seeking to justify what they see as increasingly important security measures. Moreover, the complexity of the issues, and the mix of economic and security concerns that leads government to rely on classified information, will present significant hurdles to using the general exceptions provision as a way to discipline disguised protectionism.

Addressing these issues requires a new way of thinking about the trade rules for cybersecurity. What is needed is a more fine-grained understanding of the types of cybersecurity risk. Consideration should be given to developing a new set of cybersecurity-specific trade rules. This could include using trade policy to support the development of cybersecurity standards, commitments to good regulatory practice and to using risk assessments as a basis for cybersecurity regulation. In the absence of cooperation, cybersecurity policy risks becoming the core organizing principle for the digital economy, leading to increasing trade with trusted partners and less exposure to countries presenting cyber risk.

While this paper focuses on the cybersecurity and trade implications through the prism of the U.S. and China relationship, the legal and policy implications outlined in this paper are relevant for all countries as they address cybersecurity threats while also maximizing opportunities from data flows and digital trade. This paper proceeds as follows:

  • Part 1 outlines the importance of data and the internet for economic growth and international trade, including with respect to the fifth generation of cellular network technology (5G).
  • Part 2 discusses what cybersecurity is, its components, and various risks to national security and the economy.
  • Part 3 provides an overview of the cybersecurity policies of the U.S. and China.
  • Part 4 discusses how international developments have affected the interaction between security and trade and how cybersecurity creates new risks from integration.
  • Part 5 outlines how the WTO and FTA security exception and general exception apply to cybersecurity and where the current internal trade law framework falls short in relation to cybersecurity.
  • Part 6 makes the case for new trade rules on cybersecurity and provides some initial thoughts on what these might comprise, such as commitments to basing cybersecurity measures on a risk assessment.
  • Part 7 concludes the paper.