The Increasing Importance of Cybersecurity in International Trade
Cybercrimes have accounted for $2 trillion in losses this year – a good reminder that companies large and small need to ensure even the basic level of cybersecurity hygiene to protect both themselves and their customers. But in the international trade world, it’s as critical as ever to tighten up your digital infrastructure to protect important data.
With so much of international trade reliant on digital systems to ensure cargo is tracked, computerized systems are among the most vulnerable to infiltration and subversion – especially if the cargo is considered valuable to thieves.
While many would consider high-value cargo to include things like electronics, pharmaceuticals, and precious metals, the most targeted cargo thefts include things like food, clothing, and alcoholic beverages. Because these items are easier to resell or are perishable, the second-hand black market for these types of cargo is easier to exploit and doesn’t draw the same level of interest from authorities as do items with high value and visibility.
The Governing Bodies Over Cybersecurity in International Trade
At present, there are no internationally recognized bodies for protecting nations or businesses from cyber intrusions related to trade. Because of this misinformation and confusion, the dangers associated with protecting trade secrets are high – and the probability that cybersecurity concerns in trade may result in conflicts is even greater.
Making the matter even more complex, were the WTO to adopt a standardized baseline for international trade cybersecurity standards, changing relationships between countries may render them impossible to enforce. Because most cybersecurity techniques are implemented by private institutions, a sanction against the country in which that firm is based could make it impossible for other countries to utilize their technology to ensure their cybersecurity without violating trade sanctions.
As published in the Duke Journal of Comparative and International Law,
“The current, de facto distribution of power appears to have ignited a competition for influence likely to disrupt rather than to enhance cyber security. An agreed redistribution of responsibilities that is acceptable to all stakeholders could ensure constructive cooperation in a highly complex undertaking.”
But WTO standards are nearly 20 years old and a major shift in trade policy would be required to provide a unified, non-state system to ensure unified cybersecurity standards between all trade partners.
How Trade Affects Cybersecurity
A major sticking point of the trade war between the United States and China has to do with one factor: theft of intellectual property from the United States linked to Chinese state-sponsored companies. That’s why in 2018, Congress mandated that the Department of Commerce, the Department of Justice, NASA, and the National Science Foundation may not buy or use information systems built by certain Chinese companies. Over fears of spyware and cyber infiltration methods encoded in hardware, Congress pushed for federal organizations to eliminate their use of Chinese-made products associated with computer and mobile systems.
This highlights a key component of the difficulty in distinguishing between trusted trade partners and the ability of the U.S. government to protect important trade secrets, state department policies, and – most importantly – mission-critical military and defense technologies that could be exposed to foreign governments. Even if these scenarios were not related to a state-sponsored effort, this information could be bought and sold on the dark web to hostile actors looking for opportunities to weaken U.S. trade and defense strategies.
In 2018, the United States blocked Huawei, a Chinese telecom company, from providing services to the federal government over fears of surveillance on U.S. trade secrets and government agencies. And in 2019, the Department of Commerce added Huawei (among other foreign companies) to its entity list under the Export Administration Regulations, meaning U.S.-based companies would be barred from doing business with Huawei without government approval.
As a result, companies like Intel, Qualcomm (both of which supply chips to Huawei), Verizon, and Google were forced to comply. Verizon responded by removing Huawei devices from its offerings. Huawei, whose Android phones run the Android Open Source Project (AOSP), was forced to develop its own operating system, as U.S.-based Google originally created AOSP.
In seeming retaliation, China has drafted new cybersecurity rules aimed at U.S. technology companies, sparking fears that cybertechnology would be used as leverage in future trade deals between the two countries.
Using Trade Policy to Improve Cybersecurity Standards
Powerful trade partners can responsibly influence cybersecurity standards and practices against malicious actors to prevent data loss in the future. In 2016, the North Korea Sanctions and Policy Enhancement Act imposed additional sanctions on North Korea for its cyberintrusions into Sony Pictures Entertainment and allowed for secondary sanctions on those who support its cyber activities.
A common and shared philosophy of cybersecurity between trading nations would be a good start toward protecting digital trade. On the flip side, obstructive approaches can be seen to create barriers, logjams, or an unwillingness to comply with stringent – and perhaps costly – cybersecurity standards. Implementing unique standards may also violate obligations under the World Trade Organization and other free trade agreements, making the effort to protect supply lines even more difficult to adopt.
Because of the complex and ever-changing nature of both international trade and the world of technology – and how to circumvent it – it’s more important now than ever for the international trade community to create effective baselines for cybersecurity in order to prevent major incidents between trade partners.
Important Steps to Take to Improve Your Cybersecurity
Everything is run digitally. From data storage, sales, logistics, user-end interfaces, financial transactions, bills of lading, U.S. Customs Bonds and compliance, communications, and everything in between, any breach in the supply chain of a single trade transaction could threaten the entire network of interconnected systems.
Another complication is the fact that many companies have data in multiple countries, where security protocols and regulations differ. The European Union’s recent adoption of the General Data Protection Regulation (GDPR) aims to create a uniformity of regulation, but the adoption outside of the EU risks compromising personal data. Experts say this may lead to an increase in ransomware, phishing schemes, and identity forgeries that could compromise systems within larger organizations where these individuals have access.
Here’s what companies working in international trade should do to improve their firm’s cybersecurity:
- Check your insurance policy
Digital assets are generally included in a business policy, but given the larger, more sophisticated techniques and the complications that arise in international business, not every insurance policy is designed to accommodate these specific aspects. Check whether your policy protects you from damages incurred overseas and whether it covers data breaches and cyberthreats, physical damage to servers, and continuity of business associated with cyberattacks.
- End-to-end security
When most people think of end-to-end cybersecurity, they typically think of encryption – which is essential. But true end-to-end cybersecurity has more to do with organizational buy-in than an encrypted email server.
90% of all cybersecurity breaches are due to human error, meaning an employee with access to a company’s proprietary information falls victim to phishing, identity spoofing, or malware contained within a false email or webpage. Ensuring your employees have a basic level of cybersecurity training or certification in addition to locking down your software, data, and infrastructure is essential to preventing bad actors from accessing your critical systems.
- FIPS Compliant
While not a standard in the corporate world, the Federal Information Processing Standards (FIPS) 140-2 is the cybersecurity standard with which third parties (and especially regulated industries) must comply if they want to do business with the U.S. government. Because of the high benchmark, healthcare, finance, and trade industries often adopt and adhere to FIPS 140-2 standards – and cybersecurity firms must comply if they want to sell their services to government agencies, vendors, or companies that do business with the U.S. government.
- Recognized as a risk management imperative
Most companies simply offload their cybersecurity strategies to a single department: IT. The unfortunate reality is that, aside from the personnel strain this places on a branch of your company already responsible for wearing multiple hats, cybersecurity isn’t simply an IT problem – it’s a risk management issue.
Cyber risk mitigation is as complex as (if not more complex than) any other non-financial risk. In implementing a cybersecurity strategy, a company needs to prioritize relevant threats, identify risk appetite, and define risk minimization initiatives. Crucially, companies must address cybersecurity risks in a business context, recognizing that there’s a financial and organizational benefit in implementing protections. Rather than simply throwing money at technical solutions and hoping for the best, a comprehensive solution across the whole value chain is the only way to properly protect your digital assets.
- Regular reviews and improvements
No matter how secure your systems and processes may be, every organization will someday be affected by a cybersecurity incident. As threats evolve and weaknesses are exploited, companies need to update, adapt, and implement changes to their strategy in order to fully mitigate potential risks. Furthermore, companies should periodically update their business continuity and crisis-management solutions to meet cyberthreats as they come.
As companies continue to build their cyberdefenses against an ever-growing threat, it’s important to consider not only how your company will implement its solutions, but who will be empowered to champion them. International trade continues to change, and if 2019 was any indicator of the industry’s volatility, 2020 should be an interesting year.