Cybersecurity and digital trade: What role for international trade rules? – Brookings Institution

Trade and cybersecurity are increasingly intertwined. The global expansion of the internet and increased use of data flows by businesses and consumersfor communication, e-commerce, and as a source of information and innovationare transforming international trade. 1 The spread of artificial intelligence, the internet of things, (IoT) and cloud computing will accelerate the global connectivity of businesses, governments, and supply chains.2

As this connectivity grows, however, so does our exposure to the risks and costs of cyberattacks.3As the Presidents National Security Telecommunications Advisory Council observed, the U.S. is faced with a progressively worsening cybersecurity threat environment and an ever-increasing dependence on internet technologies fundamental to public safety, economic prosperity, and overall way of life. Our national security is now inexorably linked to cybersecurity.4

Not only are traditional defense and other national security targets at risk of cyberattack, so too is the broader economy. This includes critical infrastructuresuch as telecommunications, transport, and health carewhich relies on software to network services. There is also cybertheft of intellectual property (IP) and manipulation of online information. More broadly, these risks undermine business and consumer trust in the internet as a basis for commerce and trade.5

Many countries are adopting policy measures to respond to the threat.6 According to one estimate, at least 50 percent of countries have adopted cybersecurity policies and regulations. 7 Some of these policies recognize a need for international cooperation: the EU identified a need for closer cooperation at a global level to improve security standards, improve information, and promote a common global approach to network and information security issues 8 and the most recent U.S. Cybersecurity Strategy reaffirms the need to strengthen the capacity and interoperability of those allies and partners to improve our ability to optimize our combined skills, resources, capabilities, and perspectives against shared threats. 9

Cybersecurity policy is also increasingly risk-based, requiring governments, organizations, and businesses to assess the risk of attack, determine potential harm, and develop appropriate measures to reduce the risk or impacts.10This includes addressing cybersecurity risk over global supply chains. Some proposed measures are likely to constitute barriers to data flows and digital trade. These include data-flow restrictions, data-localization requirements, and import restrictions on information technology (IT) products, including software from countries or supply chains where cyber risk is high. Countries may also resort to import restrictions including higher tariffs as a means of punishing and deterring cyberattacks.

By treating goods, services, or data from high-risk countries less favorably than those from countries where cyber risk is lower, cybersecurity measures may violate various World Trade Organization (WTO) and free trade agreement (FTA) commitments. Where a government is in breach of such commitments, they can seek to justify the cybersecurity regulations under the security or general exception provision of the relevant treaty.

Until recently, governments have largely avoided relying on the security exception to justify trade restrictions. There had been no WTO case dealing with the security exception provision prior to 2018. This was largely because of the potential for abuse of this provision to justify trade restrictions. However, changes in the global security environment, in particular the end of the notion that major powers would converge and stop treating each other as rivals,11 has revealed once again that economic integration can be a source e of vulnerability,12 Digital connectivity over the internet and through cross-border data flows has expanded opportunities for trade and integration more broadly. In parallel, this has created vulnerability to cyberattacks. This includes use of cyber methods to attack another governments defense and industrial base, or steal its IP or trade secrets or manipulate online information to sow discord.

These developments are underpinning a broader turn by governments to economic instruments to promote or defend what are seen as national security, leading to greater reliance on the WTO security exception to justify these measures.13 The Trump administrations reliance on national security to justify tariffs on steel and aluminum, and potentially on imports of automobiles, points to this trend. U.S. tariffs on Chinese imports is also in part an effort to deter Chinese cyber theft of U.S. IP and trade secrets.14 This administration is not alone in resorting to security to justify trade barriers. Russia relied on a WTO security exception to justify restrictions on the transit of Ukrainian goods and services, leading to the first WTO case on the security exception. The UAE is also using the WTO security exception to justify trade restrictions with Qatar as part of its broader dispute.

The rising need for cybersecurity creates two distinct challenges for the rules-based trading system. The first is the role of the security or general exceptions provision in the WTO and in FTAs in distinguishing between genuine cybersecurity measures taken by governments and those that are merely disguised protectionism. The second is that as economies become more digital and connected, there is likely to be significant growth in trade restrictions for legitimate cybersecurity purposes.

As discussed in this paper, the WTO security exception was designed to address a more traditional set of security measures: it is not well designed to deal with measures that restrict trade to address cybersecurity risk. In particular, the approach in the WTO to determining what is a security issue, and the requirement that security measures be taken in response to a security issue, is at odds with how governments are responding to the diffuse, longer-term nature of cyber risk. FTA security exceptions provide more flexibility. Yet here, the risk is that growth in cybersecurity regulation will blow a hole in FTA digital trade commitments.

The alternative to relying on the security exception is to justify cybersecurity regulation under the WTO and FTA general exceptions. Yet, governments are unlikely to tolerate the higher levels of WTO scrutiny that goes with seeking to justify what they see as increasingly important security measures. Moreover, the complexity of the issues, and the mix of economic and security concerns that leads government to rely on classified information, will present significant hurdles to using the general exceptions provision as a way to discipline disguised protectionism.

Addressing these issues requires a new way of thinking about the trade rules for cybersecurity. What is needed is a more fine-grained understanding of the types of cybersecurity risk. Consideration should be given to developing a new set of cybersecurity-specific trade rules.

It is also necessary to build cooperation on cybersecurity: this paper outlines areas where this can happen, including around sharing and access to data and the development of cybersecurity standards. Indeed, where the ethics of cybersecurity are about reducing harm and building trust, cybersecurity can be a vital part of the digital economy and trade. Yet, in the absence of cooperation, cybersecurity risks becoming a core organizing principle for the digital economy, leading to increasing trade with trusted partners and less exposure to countries presenting cyber risk.

This paper proceeds as follows:

View post:
Cybersecurity and digital trade: What role for international trade rules? - Brookings Institution

Related Posts

Comments are closed.