Cybersecurity, Trade on Collision Course

How Decisions on IT Security Can Influence Global Trade

National policies regarding cybersecurity can have a positive or negative effect on global trade efforts, says Allan Friedman, research director of the Brookings Institution's Center for Technology Innovation.

Take, for example, a congressional report from 2012, which recommends that government systems, particularly sensitive IT systems, refrain from using equipment and component parts manufactured by two Chinese companies, Huawei and ZTE, the world's largest and fifth-largest telecom equipment makers, respectively (see House Panel: 2 Chinese Firms Pose IT Security Risks).

"To name-check a country of origin ... is actually a pretty egregious thing to do in international trade, in diplomatic circles, because it really does invite other countries to retaliate in time," Friedman says in an interview with Information Security Media Group (see transcript below).

Friedman recently wrote a paper, Cybersecurity and Trade: National Policies, Global and Local Consequences, which addresses the intersection of two of the largest dynamics shaping the cyberworld today - the connectivity arising from global trade and data networks and the risk introduced by that connectivity.

An example of how IT security can have a positive impact on global trade is the voluntary cybersecurity framework that's part of President Obama's executive order (see Obama, CEOs Meet on Cybersecurity Framework).

"The philosophy behind the voluntary framework is [the government] said it isn't going to be in the business of regulating specific standards," Friedman says.

The framework recommends assessing what standards exist, conducting gap analysis to encourage various industrial sectors to adopt those standards and working toward developing new standards for areas that are neglected.

"That has the potential to promote a positive impact on trade because it really is drawing in companies that potentially have an international audience to say, 'We need to have some sort of way of demonstrating security; find a general partner solution that you can then export,'" Friedman says.

"It gives companies an incentive to find a way to make the solutions that they find something that's globally shareable and won't discriminate against any country or any set of companies."

In the interview, Friedman:

  • Outlines the challenges nations face in implementing cyber-protection policies without interfering with global trade (see Securing the Network Supply Chain);
  • Explains why revelations of National Security Agency electronic snooping on foreign allies could harm U.S. manufacturers (see Did NSA Influence Taint IT Security Standards?);
  • Explores the motivation behind China's cyber-protection and trade policies.

Before joining Brookings, Friedman was a fellow at the Center for Research on Computation and Society at Harvard's computer science department, where he worked on cybersecurity policy, privacy-enhancing technologies and the economics of information security. Friedman also was a fellow at the Belfer Center for Science and International Affairs, where he worked on the Minerva Project for Cyber International Relations.

Cybersecurity and Trade

ERIC CHABROW: Please take a few moments to summarize the highlights of your paper.

FRIEDMAN: There are a number of questions surrounding the merits of cybersecurity regulation in general, but independent of the question of the role of the state versus the market in securing cyberspace is the question of how states will interact. The challenge is because we have a global network, we have global flows of information, and the infrastructure that we're using is inside global companies, when one country decides to create a set of standards or policies, or even just mandatory testing regimes, it really can interfere in this flow. This paper was the first attempt to try to characterize the scope of the problem, touching on everything from encryption policies to cloud to some of the stronger national standards that have been proposed, and try to identify what the major threats are.

Now, I try to be neutral about the question of the merits of regulation in general. If you want to regulate, that should be a separate question, but we need to think about what the impact is going to be on global trade. The real worst-case scenario is if all of these large countries - the U.S., China, India, Brazil, major players in global trade for information technology - decide that this stuff is critical to national security, they will invoke their right to abrogate their responsibilities under the World Trade Organization, which requires a certain amount of free flow of goods and services. If they throw out these national security exceptions, that's going to escalate into a global trade war that could make it much harder to not only import and export but even build the stuff because our supply chains these days are global. If one country starts to create rules that say, "We're only going to allow certain types of goods into our country or there has to be a domestic IP," then that can have real ramifications on where things are built, how they're built, how they're developed and the speed of development.

U.S.'s Impact on Global Trade

CHABROW: How could what our government here in the United States is doing have an impact on global trade?

FRIEDMAN: There are two great examples that we've seen from American policy. At one extreme, we have a clause in the recent continuing resolution for the budget, which in an effort to counter what Congress saw as dangerous supply chain from China, Congress told four government agencies - the Department of Commerce, the Department of Justice, NASA and the National Science Foundation - that they're not allowed to buy any information systems that are built by Chinese companies, and the legal language makes it even stronger. But the long and short of it is it's really hard to buy any information systems that aren't at least in part built in China. Now, what did that do? On one hand, that only applies to government procurement, but it isn't quite as bad as something that applies to all imports. But first, the American government is quite a large consumer of information technology; and second, to name check a country of origin in a bill is actually a pretty egregious thing to do in international trade, in diplomatic circles, because it really does invite other countries to retaliate in time.

That's an example of something that's very disruptive and sets a dangerous precedent for governments directly interfering in where they're buying things, not focusing on the security. It's not saying you must pass these tests and everything must these tests in a country of origin.

I want to contrast this procurement rule that I see - as focused poorly on security, that doesn't understand the trade implications of security - with what we've seen in the voluntary framework that's part of the executive order. The philosophy behind the voluntary framework is they said the government isn't going to be in the business of regulating specific standards, and the government isn't even going to be coming up with a standard. The first part of the voluntary framework has been to assess what standards are out there and do gap analysis to try to encourage various industrial sectors to adopt standards that are out there and work toward standards where we don't have anything. That [has] the potential to promote a positive impact on trade because it really is drawing in companies that potentially have an international audience to say, "We need to have some sort of way of demonstrating security. Find a general partner solution that you can then export." It gives companies an incentive to find a way to make the solutions that they find something that's globally shareable and won't discriminate against any country or any set of companies.

Why Security Pros Should Care

CHABROW: Our audience includes security professionals in the trenches in government agencies, financial institutions, healthcare organizations and other businesses. Why should they care about this intersection between global commerce and cybersecurity policies?

FRIEDMAN: One of the reasons that I started writing about it was that there really is very little intersection between the people who think about international trade and the people who are thinking about security. The challenge is we're not talking with each other, and it's particularly important for government policymakers to have an understanding of what's going on around the world for a couple of reasons. First, by highlighting the idea that if every country goes it alone and ignores what other countries are doing, we're going to have this adverse trade-off come, this potential for very serious trade wars. But I think that from the perspective of a government IT manager, we can actually learn a lot from each other. We shouldn't assume that every country is going to have the best solution. We should be reaching out and finding out what's going on: What's the director general proposing in Europe? What are the different solutions out there? How can we learn from each other?

This is something that the U.S. government has been the traditional leader in for a number of spaces, whether it's medical safety or transportation safety. The Department of State has been very active in coordinating international expertise so that everyone can learn from each other. This is very important in cybersecurity, for people to realize that the problems they face aren't just unique to their agency, that there are people who are thinking about this around the world and finding ways of sharing solutions.

Narrow Outlook?

CHABROW: As you look at this, as government looks at developing these regulations, are you finding that they tend to be fairly parochial, that they're looking after their own self interests? Or do some organizations actually have a broader outlook and understand some of the challenges of global trade?

FRIEDMAN: That's an excellent question because it really depends on the government and what their other goals are. There's a lot of discussion on both sides of the Atlantic right now on transatlantic trade and information partnership, and this is going to be a trade deal between the EU and the United States. There are many people on the EU side - we're going to veer into the data side for a second - who really want to have data protection built into this. This is privacy protection, a set of regulations that EU officials take very seriously, whereas on this side of the Atlantic we tend to believe that privacy regulation should focus on harms and be driven by particular applications. We treat our privacy for medical records differently than privacy of bank records, etc.

We're not talking to each other across the Atlantic. We talk to a number of people from Brussels and Berlin who say eventually Americans will understand that this is a deal-breaker for Europe. Meanwhile, when you talk to people in Washington who are on the trade negotiation front, they're like, "The Europeans think this is important, but eventually they'll realize that trade is more important than privacy." I think that's an example where we're seeing sort of a mismatch in understanding goals.

Navigating Cybersecurity Treaties

CHABROW: What would be the ramifications of something like this if a treaty doesn't take place because of these concerns?

FRIEDMAN: The general consensus is we can improve growth through free trade. For information technology in particular, the United States is a net exporter in that, and so it will probably hurt Europeans more than it will hurt Americans. The larger concern is this is one of a number of issues that have been flagged in the IT space that remind leaders in Europe that they are at the mercy of American technology and production. Combine that with things like the NSA working with our Internet service providers to gain data [and you] start to get a narrative which reminds a lot of people that they should build their own technology, which could potentially down the road cause a trade war.

... This is bad news if you're trying to sell technology, not quite as important if you're trying to use it. On the other hand, if [a treaty is signed] that includes strong data protection, that'll transform the American IT market because we have to think about how to actually build in an understanding of how data is used and processed in our systems. If you thought that adapting an organization to deal with data breach notification laws was tricky, try doing that tenfold because now you have to understand exactly why data was collected to make sure that you're not using it for some other purpose, things like that. It's important for privacy, but it makes information systems harder to use and harder to design as well.

Another concern with cybersecurity regulations is some people believe that countries are trying to create cybersecurity regulations to actually be a barrier for trade. It's not the craziest idea, but of course the truth is always somewhere in the middle. There are countries that say, "Listen, if we make it harder for western countries to export into our market, then that can protect our markets and help it grow." ... For example, India for the moment has a policy called preferential market access, PMA, which explicitly says in the telecommunications sector, in government-run networks and the privately run networks as well, it's important that we buy domestic products rather than importing foreign ones, and that's clearly a protectionist move. The challenge is to separate explicit protectionism, which, if a country wants to do, fine. But we're going to call you on that in the World Trade Organization because we have institutions to deal with that. We want to separate that from cybersecurity.

We need to have a conversation that says, "If you're trying to set up very rigorous standards and you say you're doing this for the reasons of security - for example, China has a set of regulations that's known as the multi-layer protection scheme - and one of the requirements for technology that's going to be used in critical infrastructure - more advanced, more serious sectors - says not only does it have to be built by a Chinese firm, but the intellectual property that supports this technology has to be owned by the Chinese firm, and that's a little tricky. It's much harder to defend that as saying that it's directly relevant to security.

Developing One's Own Technology

CHABROW: Do you know why the Chinese are doing that?

FRIEDMAN: There are lots of different speculations. If you're someone who thinks ill of the Chinese and you tend to go with the conspiracy theory, you say it's clearly part of a protectionist plan that fits in with a policy or strategy called indigenous innovation. They want to shift from being users of other people's intellectual property to developing their own, and the way you do that is you promote domestic growth and "Buy Chinese," the same way as we have "Buy American."

Another way of looking at it, which is also important, is to look at the history of China, and they have very clear rules around a number of different technologies, particularly telecommunications, because since the late 1800s or even earlier, one of the first things that foreign colonial powers did was interfere with the domestic communication system, a long history of saying there will never be foreign direct investment in the Chinese telecommunications sector, and you could look at the system as an application of that.

Unfortunately, the recent disclosures from the NSA have alluded to the idea that, occasionally, intelligence services may be interfering in the supply chain so that things that are being sold are legitimately insecure. That's why the final recommendation in my paper is that the forces that have traditionally not been involved in cybersecurity, particularly representatives of the trade community and the diplomatic community, need a seat at the table when we're talking about large-scale cybersecurity policy because it's one thing to say we can gain a temporary advantage if one country can compromise another country's technology through exports; but that's not a winning game. You gain a short-term advantage, but you lose a lot of other national benefits.

Impact of NSA Disclosures

CHABROW: So what do you see happening, especially after these NSA disclosures that have created a lot of mistrust toward the U.S.?

FRIEDMAN: It really has. This question of cybersecurity regulation fits in the same category as this question of the NSA. If we set aside the value of privacy, we set aside that normative question about whether or not what they're doing is right, and we look at the question of what do they gain versus what have we lost, the problem was for the NSA - and I think this is true for most intelligence agencies around the world - exploitation of technology and systems doesn't have a huge cost. You can insert vulnerabilities or identify new vulnerabilities that are already there and not patch them, and you gain information and knowledge that's useful for national strategic interests. There are legitimate national security interests in compromising other countries' systems.

The problem is no one inside the intelligence agencies has been making a reasonable tradeoff, doing this calculation and saying, "What are the risks if this comes out?" On one hand, everyone spies on everyone else; on the other hand, you try to be careful not to get caught spying because that's bad for public relations. Similarly, we could ship something to another country with a back door built into it or we could try to compromise a NIST standard, but, one, that makes us less secure, and, two, that really has the potential of interfering with American trade relationships and potentially destabilizing global trade entirely if countries realize or come to believe that they shouldn't trust each other. That will really undo a lot of the benefits that we've had from the global market.

CHABROW: You mentioned something in passing there, the idea of compromising NIST standards, one of the standards the NSA perhaps is manipulating. And NIST standards are respected around the world.

FRIEDMAN: They are. I don't know if we want to get into the history, but the NSA actually interfered in the past with a NIST standard to make it much more secure. NIST has standardized and promoted DES and then AES encryption standards, and the NSA identified a particular encryption analytic attack against these algorithms and found a way to fix them long before the public academic community knew about them. They went from being this force to help promote trust in this American institution to something that weakened trust in this American institution.

Working Together

CHABROW: Any final thoughts?

FRIEDMAN: I think there are a couple things: One, this isn't something that we should be running around pointing fingers and saying you're being protectionist; you're being an unfair trade partner. That's not a productive way to get things done because that's going to make every country defensive, and certainly will make Americans defensive. The solution really has to be to focus on identifying efficient ways that we can come up with national standardization and testing procedures and make sure that every country understands that we have to work together to secure cyberspace, that it's not a zero-sum game.
