Trade and cybersecurity are increasingly intertwined. The global expansion of the internet and increased use of data flows by businesses and consumers—for communication, e-commerce, and as a source of information and innovation—are transforming international trade.1 The spread of artificial intelligence, the “internet of things” (IoT), and cloud computing will accelerate the global connectivity of businesses, governments, and supply chains.2
As this connectivity grows, however, so does our exposure to the risks and costs of cyberattacks.3 As the President’s National Security Telecommunications Advisory Council observed, the U.S. is “faced with a progressively worsening cybersecurity threat environment and an ever-increasing dependence on internet technologies fundamental to public safety, economic prosperity, and overall way of life. Our national security is now inexorably linked to cybersecurity.”4
Not only are traditional defense and other national security targets at risk of cyberattack, so too is the broader economy. This includes critical infrastructure—such as telecommunications, transport, and health care—which relies on software to network services. There is also cybertheft of intellectual property (IP) and manipulation of online information. More broadly, these risks undermine business and consumer trust in the internet as a basis for commerce and trade.5
Many countries are adopting policy measures to respond to the threat.6 According to one estimate, at least 50 percent of countries have adopted cybersecurity policies and regulations.7 Some of these policies recognize a need for international cooperation: the EU identified “a need for closer cooperation at a global level to improve security standards, improve information, and promote a common global approach to network and information security issues …”8 and the most recent U.S. Cybersecurity Strategy reaffirms the need to “strengthen the capacity and interoperability of those allies and partners to improve our ability to optimize our combined skills, resources, capabilities, and perspectives against shared threats.”9
Cybersecurity policy is also increasingly risk-based, requiring governments, organizations, and businesses to assess the risk of attack, determine potential harm, and develop appropriate measures to reduce the risk or impacts.10 This includes addressing cybersecurity risk over global supply chains. Some proposed measures are likely to constitute barriers to data flows and digital trade. These include data-flow restrictions, data-localization requirements, and import restrictions on information technology (IT) products, including software from countries or supply chains where cyber risk is high. Countries may also resort to import restrictions including higher tariffs as a means of punishing and deterring cyberattacks.
By treating goods, services, or data from high-risk countries less favorably than those from countries where cyber risk is lower, cybersecurity measures may violate various World Trade Organization (WTO) and free trade agreement (FTA) commitments. Where a government is in breach of such commitments, it can seek to justify the cybersecurity regulations under the security or general exception provision of the relevant treaty.
Until recently, governments have largely avoided relying on the security exception to justify trade restrictions. There had been no WTO case dealing with the security exception provision prior to 2018. This was largely because of the potential for abuse of this provision to justify trade restrictions. However, changes in the global security environment, in particular the end of the notion that major powers would converge and stop treating each other as rivals,11 have revealed once again that economic integration can be a source of vulnerability.12 Digital connectivity over the internet and through cross-border data flows has expanded opportunities for trade and integration more broadly. In parallel, this has created vulnerability to cyberattacks. This includes use of cyber methods to attack another government’s defense and industrial base, or steal its IP or trade secrets or manipulate online information to sow discord.
These developments are underpinning a broader turn by governments to economic instruments to promote or defend what is seen as national security, leading to greater reliance on the WTO security exception to justify these measures.13 The Trump administration’s reliance on national security to justify tariffs on steel and aluminum, and potentially on imports of automobiles, points to this trend. U.S. tariffs on Chinese imports are also in part an effort to deter Chinese cyber theft of U.S. IP and trade secrets.14 This administration is not alone in resorting to security to justify trade barriers. Russia relied on a WTO security exception to justify restrictions on the transit of Ukrainian goods and services, leading to the first WTO case on the security exception. The UAE is also using the WTO security exception to justify trade restrictions with Qatar as part of its broader dispute.
The rising need for cybersecurity creates two distinct challenges for the rules-based trading system. The first is the role of the security or general exceptions provision in the WTO and in FTAs in distinguishing between genuine cybersecurity measures taken by governments and those that are merely disguised protectionism. The second is that as economies become more digital and connected, there is likely to be significant growth in trade restrictions for legitimate cybersecurity purposes.
As discussed in this paper, the WTO security exception was designed to address a more traditional set of security measures: it is not well designed to deal with measures that restrict trade to address cybersecurity risk. In particular, the approach in the WTO to determining what is a security issue, and the requirement that security measures be taken in response to a security issue, is at odds with how governments are responding to the diffuse, longer-term nature of cyber risk. FTA security exceptions provide more flexibility. Yet here, the risk is that growth in cybersecurity regulation will blow a hole in FTA digital trade commitments.
The alternative to relying on the security exception is to justify cybersecurity regulation under the WTO and FTA general exceptions. Yet, governments are unlikely to tolerate the higher levels of WTO scrutiny that go with seeking to justify what they see as increasingly important security measures. Moreover, the complexity of the issues, and the mix of economic and security concerns that leads governments to rely on classified information, will present significant hurdles to using the general exceptions provision as a way to discipline disguised protectionism.
Addressing these issues requires a new way of thinking about the trade rules for cybersecurity. What is needed is a more fine-grained understanding of the types of cybersecurity risk. Consideration should be given to developing a new set of cybersecurity-specific trade rules.
It is also necessary to build cooperation on cybersecurity: this paper outlines areas where this can happen, including around sharing and access to data and the development of cybersecurity standards. Indeed, where the ethics of cybersecurity are about reducing harm and building trust, cybersecurity can be a vital part of the digital economy and trade. Yet, in the absence of cooperation, cybersecurity risks becoming a core organizing principle for the digital economy, leading to increasing trade with trusted partners and less exposure to countries presenting cyber risk.
This paper proceeds as follows:
- Part 1 outlines the importance of data and the internet for economic growth and international trade, including with respect to the fifth generation of cellular network technology (5G).
- Part 2 discusses what cybersecurity is, its components, and various risks to national security and the economy.
- Part 3 provides an overview of the cybersecurity policies of the U.S. and China.
- Part 4 discusses how international developments have affected the interaction between security and trade and how cybersecurity creates new risks from integration.
- Part 5 outlines how the WTO and FTA security exception and general exception apply to cybersecurity and where the current internal trade law framework falls short in relation to cybersecurity.
- Part 6 makes the case for new trade rules on cybersecurity and provides some initial thoughts on what these might comprise, such as commitments to basing cybersecurity measures on a risk assessment.
- Part 7 concludes the paper.
Report Produced by Global Economy and Development
1. Joshua P. Meltzer, “Governing Digital Trade,” World Trade Review, Vol. 18, Special Issue S1 (April 2019), 1-26.
2. Michael Ferentina and Emine Elcin Koten, “Understanding supply chain 4.0 and its potential impact on global value chains,” in Global Value Chain Development Report 2019 (WTO, IDE-JETRO, OECD, UIBE, World Bank).
3. Ben Ze Yuan, “An Abbreviated Technical Perspective on Cybersecurity,” in Perspectives on Cybersecurity: A Collaborative Study, Eds. Nazli Choucri & Chrisma Jackson, MIT 2015.
4. NSTAC, Report to the President on a Cybersecurity Moonshot, Draft.
5. Symantec, Internet Security Threat Report, April 2019.
6. OECD, “Cybersecurity Policy Making at a Turning Point” (OECD Paris 2012).
7. ITU, Global Cybersecurity Index 2017.
8. Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
9. White House, National Cybersecurity Strategy 2018.
10. NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 2018, p. 6-8; OECD (2015), Digital Security Risk Management for Economic and Social Prosperity.
11. Tom Wright, “All Measures Short of War,” Yale University Press, 2017.
12. White House, “United States National Security Strategy,” December 2017. www.whitehouse.gov/wp-content/uploads/2017/12/NSSFinal-12-18-2017-0905.pdf.
13. Robert D. Blackwill and Jennifer M. Harris, “War by Other Means, Geoeconomics and Statecraft,” Harvard University Press 2016, p. 20.
14. S.301 Report.