The explosive success of the Internet in the 1990s led to a historical transition from the industrial age of the past two centuries to an economy and society increasingly based on global, digital interactions. This transition has continued to advance over the past two decade with the advent of billions of smartphones, hundreds of billions of IoT devices, a wide variety of online applications and mobile apps, and huge amounts of data, all connected via Internet-based broadband networks.
Then came Covid-19. A recent McKinsey survey found that the pandemic has accelerated the overall adoption of digital technologies and applications by three to seven years in just a few months.
At the same time, cybersecurity threats have been growing. Large-scale fraud, data breaches, and identity thefts have become far more common. As we moved from a world of physical interactions and paper documents, to a world primarily governed by digital data and transactions, our existing cybersecurity methods have been far from adequate.
More recently, international cyberthreats have escalated, with a growing number of high profile attacks by criminal groups and adversarial governments. Cybersecurity is now invoked by governments as a major aspect of national security, as they focus on protecting their critical infrastructures and the overall wellbeing of their nations. In early June, for example, FBI Director Christopher Wray compared the danger of ransomware attacks on US firms by Russian criminal groups to the September 11 terrorist attacks. And, in a recent editorial, the NY times editorial board argued that ransomware attacks have emerged as “a formidable potential threat to national security,” given “their ability to seriously disrupt economies and to breach strategically critical enterprises or agencies,” urging governments that “It is a war that needs to be fought, and won.”
Beyond terrorism and national security, cyber threats have the potential to wreak havoc with international trade and the global economy. In a recent paper, Framework for Understanding Cybersecurity Impacts on International Trade, MIT professors Stuart Madnick and Simon Johnson and research scientist Keman Huang said that cybersecurity concerns have become a key issue for international trade policy.
“Governments around the word have begun to develop strategies to protect themselves against cyber threats,” wrote the authors. “More than 50 countries have published a cybersecurity strategy to define the security of a nation’s online environment. … However, different policies are implemented to fulfill these strategic goals. One typical example, that has been informally suggested, is that potentially dangerous products coming from questionable countries should be excluded from import. But this raises many policy issues, such as (1) what is a questionable country considering the globalized supply chains for almost every product, (2) what products are of most concern, and (3) assuming such restrictions quickly become worldwide policies with retaliations, what might be the impact on international trade and the economy?”
Cybersecurity concerns have led to growing allegations, commercial disputes and barriers to international trade and investing. History shows that breakdowns in international trade can lead to very serious economic crises. In the aftermath of the 1929 stock market crash, the US imposed the Smooth-Hawley Tariff Act, which raised tariffs on over 20,000 imported goods to reduce pressure on the growing trade deficit. In response, over 25 US trading partners increased their own tariffs. Global trade plummeted by 67%, significantly worsening the effects of the Great Depression.
To understand the impact of our present cybersecurity concerns on international trade, the research team at Cybersecurity at MIT Sloan (CAMS) collected and analyzed data from 33 real-world cases, including the nature of the concerns, the actions taken, and their impact. In addition, the research team conducted over 10 in-depth interviews with domain experts and held a workshop with more than 30 senior executives, managers and researchers involved in cybersecurity.
The CAMS team then developed a framework to organize their research findings. The framework provides a high level overview to help assess the impact of cybersecurity concerns on international trade, as well as the potential actions that companies and governments can take in response to their concerns. It’s not intended for advocating for or against any specific regulations, policies or operations. “Instead, we intend to offer a systematic framework to study these cybersecurity related actions and advocate for creating standards for international trade in cyberspace.”
The framework led to three overriding conclusions:
Cybersecurity concerns are rising. Given the wide adoption of digital technologies across economies and societies, cybersecurity has become increasingly important to a country’s national security. National cybersecurity is a multi-dimensional concept, including military security, political security, economic security and cultural security. At the same time, business as well as government institutions are increasingly reliant on global supply chains. Supply chains have become a significant cyber attack threat for many organizations, further deepening their cybersecurity concerns.
Countries are taking action in response to their national cybersecurity concerns. Countries are increasing their offensive and defensive capabilities to protect their societies, organizations and individuals from potential cyber attacks. “There is no doubt that these policies and regulations will impact cyberspace, not only for the countries themselves, but the broader globalized Internet society, resulting in an impact on international trade, including the import and export of IT goods and services.” The countries’ actions generally fall into one of four categories: ignore or express concerns, develop import trade barriers, develop export-related trade barriers, and collaborate to mitigate conflicts.
Impacted organizations are taking actions based on their cybersecurity concerns. Organizations need to carefully manage their cybersecurity risks to secure their physical and digital supply chains. This will definitely impact their decisions about supplier and market selection, including where to purchase goods and services and in what countries to do business in. Generally, organizations will collaborate with their government on policies that may impact international trade. But in some specific cases, the organization will try to encourage both sides to compromise and avoid the potential of a trade war that ends up hurting everyone.
The framework clearly highlights that national and supply chain cybersecurity concerns interact with and impact each other. Nations and organization can choose from a number of different actions for dealing with these concerns. After examining the potential actions, the CAMS research team identified three different scenarios for thinking about the impact of cybersecurity on international trade: regulation compliance, supply chain management, and geopolitical.
Regulation compliance: In this scenario, the initiating nation will implement cybersecurity related trade policies and regulations, which will impact international trade. Organizations will comply with these regulations which will guide their global supply chain risk management. In some cases, organizations can try to negotiate with the initiating nation to lessen the negative impact of the trade regulation.
Supply chain business strategy: In this scenario, organizations consider the impact of cybersecurity risks on their supply chains as an important aspect of their business strategy. Companies will develop guidelines for the cybersecurity management of their global supply chains. They may also try to influence nations to implement import/export trade regulations that could further impact international trade. “These influences will work together to reshape the global supply chain.”
Cybersecurity geopolitics: This scenario considers the impact of cybersecurity on international trade from a geopolitical perspective. “Considering national cybersecurity concerns, the initiating nation will use import/export trade regulations to impact international trade, which will definitely impact the other nations. The coping nation will take different actions in reaction to newly initiated trade regulations.”
Cybersecurity will play an increasingly critical role in international trade, given the accelerated development of the digital economy. This role isn’t just about policies and compliance, but can also be a major business strategy and geopolitical issue. Governments need to consider how to avoid unnecessary confrontations to mitigate the negative impact of trade wars and improve outcomes for everyone.
“From the organization’s perspective, ignoring cybersecurity is no longer an option,” note the authors in conclusion. “This is especially true for the companies that rely heavily on Internet technology or global, physical, and digital supply chains. The impact of cybersecurity on these companies will become more and more significant in the future. Instead of only considering cybersecurity a regulation issue and trying to comply with the emerging policies and regulations, organizations should … become involved in the regulation process, not only during the comment periods but also during the regulation draft process. Since right now there are still no cybernorms in international trade, there is still a long way to go.”
Comments