From Harvard Business Review
Cybersecurity as a key issue for trade policy is a relatively new development. In the last few years there have been a number of news reports about various governments’ incorporating spyware, malware, or similar programs into computer-based products that are exported around the world. The governments typically have worked with private companies in their countries to do it. In the internet-of-things era, almost all products can be connected to the internet, and most of them can also be used for spying and other malicious activities. Furthermore, since data is considered a critical asset, services, from international banking to payment systems to consumer websites, are part of this too.
In late 2016 and 2017, for example, the voice-activated My Friend Cayla doll made headlines for its technology, which could be used to collect information on children or anyone in the room. In 2017 Germany banned the doll, alleging that it contained a surveillance device that violated the country’s privacy regulations. Another famous example is the 2010 Stuxnet attack on the Natanz nuclear enrichment facility in Iran. It was accomplished by planting malware, including Stuxnet, into industrial control systems that were shipped to Iran, resulting in the destruction of many centrifuges.
Although trade conflicts involving the U.S. and China, or the U.S. and Russia, have received much attention in the press, cybersecurity-related trade conflict is a truly global phenomenon. As part of our initial research on this topic, we identified 33 cases of a country blocking the import of a product or service due to cybersecurity concerns. In each one, different circumstances and actions led to different outcomes. The cases involved 19 countries all over the world, and in the future it’s likely that these kinds of trade conflicts will involve almost all developed countries.
Since it is not feasible to thoroughly examine the software, firmware, and hardware of every single product, what should countries and companies do to prevent cyber intrusions? One seemingly obvious approach is to exclude from import potentially dangerous products from questionable countries. But this approach requires identifying which products are dangerous and which countries are questionable — a formidable task. And such restrictions can quickly become policies, with implications for international trade and the world economy.
Countries and companies need to consider their options. At present, there is no framework for understanding and categorizing the cybersecurity concerns involved in trade. Without a clear understanding, governments may implement policies that result in cyber conflicts, while businesses will struggle to keep up with how cybersecurity concerns and restrictions are evolving. We have developed a framework to systematically organize these cases, basing it on our in-depth interviews with domain experts.
Read the full post at Harvard Business Review.
Stuart Madnick is the John Norris Maguire Professor of Information Technologies at the MIT Sloan School of Management, a Professor of Engineering Systems at the MIT School of Engineering, and the Founding Director of Cybersecurity at MIT Sloan: the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity.
Simon Johnson is the Ronald A. Kurtz (1954) Professor of Entrepreneurship at the MIT Sloan School of Management, where he is also head of the Global Economics and Management group and chair of the Sloan Fellows MBA Program Committee.
Keman Huang is a Postdoctoral Associate at the MIT Sloan School of Management.