Toward Cybersecurity Without Trade Protectionism

Information and communications technology (ICT) products are to the modern economy what iron and coal were to the industrial revolution: building blocks essential to innovation and progress. But with this productivity-enhancing, living standards-boosting technology comes parallel potential for nefarious goals. Protecting critical economic and national security infrastructure from cyber-malfeasance is a legitimate responsibility of government. But, as with other areas in which governments are obligated to protect the public, success requires proper identification of the sources and nature of the threats, as well as recognition that risk mitigation brings its own set of costs.

Efforts undertaken by the U.S. and Chinese governments in the name of cybersecurity have become some of the most serious sources of trade policy tension in recent years. Both Washington and Beijing have been heavy-handed, choosing absolutist approaches that seem more befitting a program of economic protectionism than cybersecurity.

Following a decade of evolving indigenous innovation policies intended to catapult China into a position of global technological preeminence, the Chinese government has begun implementing a set of new laws that effectively require imported ICT products and components to be “secure and controllable.” U.S. companies anticipate this will cause supply chain disruptions and that they will be forced to provide Chinese authorities with proprietary information about their products, which could compromise their intellectual property and deter trade, investment, and the scope for collaboration in these industries.

Meanwhile, Chinese ICTs have been blacklisted, effectively, by the U.S. government, which advises U.S. telecommunications firms to avoid purchasing their products. Since 2013, U.S. appropriations legislation has included provisions that effectively prevent certain federal agencies from procuring or using ICT products made by Chinese companies. On more than one occasion, the Committee on Foreign Investment in the United States raised security concerns over prospective acquisitions of U.S. companies by Chinese suitors, ultimately preventing those transactions from taking place.

The weakness in that approach is that all major ICT manufacturing companies produce in China or rely on inputs manufactured there. Most suppliers to global network infrastructure source their components from their Chinese facilities or through second and third-tier Chinese suppliers. The stretching of supply chains to include more entities operating in more countries has increased vulnerabilities, which means that all firms in the vast ICT ecosystem can present risk, or be exposed to it. Targeted risk mitigation policies provide a false sense of cybersecurity, reduce the scope for innovation, collaboration, and economic growth, and threaten the global trading system. To have more effective, less innovation-impeding cybersecurity, the United States and China can and should adopt policies that wed valid statistical methods with best business practices.

During the Obama administration, the federal governments spent tens of billions of dollars to identify cyber threats and solutions, and the National Institute of Standards and Technology developed a framework to help organizations manage cybersecurity risk. PricewaterhouseCoopers publishes annually the results of its Global State of Information Security Survey, which is essentially an inventory of best business practices in cybersecurity. Last year, the East-West Institute published a buyers’ guide for purchasing secure ICT products, which seems to leave no stone unturned in its identification of all of the questions that must be asked, all the internal and external systems that must be in place, and all the additional safeguards that should be taken for a given enterprise to minimize threats.

In other words, the private sector and government, in collaboration and operating independently, have created a reasonable set of best practices that companies in the ICT supply chain should be expected to implement. It should serve as the basis for creating a comprehensive set of best practices with which companies should comport in order to import, purchase, or sell ICT products in the United States.

Compliance with these best practices can be demonstrated to the U.S. Department of Homeland Security (DHS), for example, not only by confirming that all of the necessary boxes have been checked, but by demonstrating that the company has implemented automated, auditable systems that are shown to be statistically reliable in identifying vulnerabilities and mitigating the associated risks.

As incentives to invest in the development of these systems and to stand ready for spot checks or more comprehensive audits, participating companies would earn something akin to a seal of approval and, ultimately, would not be held accountable if a product that breaches cybersecurity passes through their supply chains. Companies that chose not to develop secure systems would not receive a seal of approval and would be subject to heavy fines if breaches were to occur. Of course, the specific program details would follow from an expert assessment of these best practices.

This compliance concept isn’t especially new to the U.S. government. U.S. Customs and Border Protection, an agency within DHS, has been administering a program for 25 years called “Informed Compliance,” which was developed in collaboration with the private sector to incentivize accurate classification and valuation of imported and exported merchandise. It is premised on the idea that the private sector can be deputized to self-monitor its compliance if the appropriate balance of carrots and sticks are deployed.

Many of the elements of the Informed Compliance program could be incorporated into an efficacious, nondiscriminatory cybersecurity program on the basis of best business practices using applied statistics without unnecessarily impeding trade, investment, and innovation. In fact, all ICT components and end-user equipment (imported and domestic) destined for application in critical infrastructure could be subjected to this kind of risk mitigation effort.

That approach would protect critical infrastructure from cyber malfeasance better than banning Chinese ICT companies and their products does, with the added benefit of encouraging collaboration, innovation and economic growth.