In late 2016 and 2017, for example, the voice-activated My Friend Cayla doll made headlines for its technology, which could be used to collect information on children or anyone in the room. In 2017 Germany banned the doll, alleging that it contained a surveillance device that violated the country’s privacy regulations. Another famous example is the 2010 Stuxnet attack on the Natanz nuclear enrichment facility in Iran. It was accomplished by planting malware, including Stuxnet, into industrial control systems that were shipped to Iran, resulting in the destruction of many centrifuges.
Although trade conflicts involving the U.S. and China, or the U.S. and Russia, have received much attention in the press, cybersecurity-related trade conflict is a truly global phenomenon. As part of our initial research on this topic, we identified 33 cases of a country blocking the import of a product or service due to cybersecurity concerns. In each one, different circumstances and actions led to different outcomes. The cases involved 19 countries all over the world, and in the future it’s likely that these kinds of trade conflicts will involve almost all developed countries.
Since it is not feasible to thoroughly examine the software, firmware, and hardware of every single product, what should countries and companies do to prevent cyber intrusions? One seemingly obvious approach is to bar the import of potentially dangerous products from questionable countries. But this approach requires identifying which products are dangerous and which countries are questionable — a formidable task. And such restrictions can quickly harden into policies, with implications for international trade and the world economy.
Countries and companies need to consider their options. At present, there is no framework for understanding and categorizing the cybersecurity concerns involved in trade. Without a clear understanding, governments may implement policies that result in cyber conflicts, while businesses will struggle to keep up with how cybersecurity concerns and restrictions are evolving. We have developed a framework to systematically organize these cases, basing it on our in-depth interviews with domain experts.
There are various possible actions that governments can take. Each of the following should be carefully considered:
Do nothing. Governments can accept the potential risk of a cybersecurity situation and choose to ignore it. In 2004, for example, the German Federal Intelligence Service (BND) discovered that the hardware company NetBotz, then based in the U.S., was selling security cameras with a backdoor that sent videos to U.S. military servers. The BND did not disclose that fact until 2015, only after a magazine had discovered and revealed the situation.
Develop import trade barriers. Some nations implement trade policies or regulations that directly restrict imports, such as Germany’s banning of the My Friend Cayla doll.
Restrict government procurement. Governments can prohibit the purchase and use of certain products by their own agencies. For example:
Develop norms of behavior. Countries can agree to not engage in certain types of behavior, such as when the U.S. and China agreed not to conduct the cyber theft of intellectual property for commercial purposes.
Amplify the conflict. On the other hand, some nations choose the opposite option and escalate the conflict. The U.S. and Russia, for example, have developed a tense relationship, which has been referred to as the “Cold War 2.0.”
Although government actions and concerns are often more visible, companies need not play a passive role. They can anticipate these concerns and take actions to reduce or mitigate the consequences. There are various options available:
Recommend action. For example, on August 9, 2017, 10 major cybersecurity companies in the U.S. wrote to Robert Lighthizer, the U.S. trade representative, to urge that he “incorporate cybersecurity trade issues in the upcoming modernization of the North American Free Trade Agreement (NAFTA).”
Acquiesce. As noted earlier, Germany took action against the My Friend Cayla doll, due to concerns about privacy. The company acquiesced and stopped selling it in Germany.
Compromise. Telegram, the end-to-end encrypted messaging app, was threatened with a ban in Russia, so the company agreed to register under the new Russian Data Protection Laws; however, it will not store citizens’ information on Russian servers. As another example, Google exited the Chinese market eight years ago to avoid having to censor its search results to meet Chinese government rules. The company has recently decided to reenter, with modest changes to its search engine operation. It is not yet clear whether this compromise will be accepted by both parties.
Avoid. Typical examples include Google’s withdrawal from China in 2010 and Huawei’s withdrawal of its network hardware products from the U.S. in 2014. The latter occurred after the products were removed from U.S. government procurement lists and private telecommunications companies were advised not to purchase Huawei products.
Defy. An organization may challenge or attack cybersecurity regulations. For example, in 2016 LinkedIn challenged the Russian Data Protection Laws, stating that it would not move Russian user data to the country. As a result, Russia blocked LinkedIn in 2017.
Collaborate. Finally, organizations can choose to work with countries to mitigate the negative impact of regulations, or even to be involved in the regulation-making process. An example of this is how Huawei has worked with the UK government.
In 2011, worried about potential spying, the U.S. government rejected a bid from Huawei to build a new national wireless network for first responders. This was followed by further government restrictions on Huawei. Finally, in 2014, Huawei decided to exit the U.S. market.
The UK, on the other hand, does use the company’s technology in national infrastructure. In 2010 it opened the Huawei Cyber Security Evaluation Centre to monitor concerns about the technology’s use. This was followed in early 2014 by the establishment of an oversight board, which every year releases a report on any risks arising from Huawei’s involvement in the UK’s critical networks. It should be noted, however, that the oversight board’s 2018 report raised serious new concerns about Huawei’s technology and the security risks it could pose to the UK.
As the digital economy continues to develop, cybersecurity will play a critical role in international trade. Instead of treating security only as a regulatory issue, governments need to consider ways to avoid unnecessary confrontations, and organizations should become proactively involved in addressing concerns and influencing policy to improve outcomes for everyone.