This essay addresses the challenges of the digital economy in the context of cybersecurity threats that have growing implications for national security. It analyzes cybersecurity-related exceptions to international trade rules to explore whether and how these exceptions protect the state's digital policy space. The essay argues that the pre-digital era exceptions to trade rules are too narrowly framed to address cybersecurity concerns. This is in contrast to trends in the new generation of international trade agreements that create expansive security exceptions that are designed to reset the balance between international trade and national security. These new approaches must, however, be carefully guarded against potential abuses.
Digital Economy and Cyber Risks
Digital technologies have significantly transformed the way we live our lives. The performance of both the public and private sectors is reliant on a resilient digital infrastructure that facilitates cross-border data flows. The rapid development of “smart cities,” in conjunction with progress in the internet of things and artificial intelligence, has increasingly transformed social and economic activities into data, which has in turn produced new forms of vulnerabilities: the multiplication of cybersecurity risks. In our daily lives, digital technology suppliers—ranging from mobile phone manufacturers to social media platforms—have the ability to build “back doors” into hardware or software and thus gain access to computer systems that bypass standard security mechanisms.
At the national level, cybersecurity threats have become a major concern for policymakers.[1] Specifically, critical infrastructure is “increasingly if not exclusively controlled by computers.”[2] Cyber-attacks can damage critical infrastructure in various ways, including, for example, through directly taking control of industrial processes to block the functioning of power plants or water distribution systems. Due to the relatively low cost and wide availability of digital technologies, cyber-attacks now represent a popular method of warfare.[3] High-profile, hostile incidents over the years[4] and the recent war in Ukraine provide powerful lessons to other countries about the importance of a cyber defense.[5] In particular, cyber risks in the supply chains of critical industries are perceived as threats to the integrity of a state's critical infrastructure. Due to their role as the infrastructural central nervous system for the digital economy, the 5th generation (5G) networks face acute challenges as a result of cyber espionage, surveillance, and other cybersecurity risks, creating an intertwined relationship between digital trade,[6] cybersecurity, and national security.
Escalating Trade-Restrictive Cybersecurity Measures
The cyber arms race and digital reprisal have intensified geopolitical frictions. Major geopolitical players in the digital economy have adopted increasingly comprehensive cybersecurity measures. 5G supply chain security has been at the center of national security strategy in the United States under both Presidents Trump and Biden. Stressing that the backbone of the digital economy must be trustworthy and reliable, the Biden administration has accelerated the implementation of a set of trade measures to diversify supply chains and secure the infrastructural resilience of 5G networks.[7] At the infrastructural level, following Trump's “Clean Network” and “Clean Path” initiatives,[8] the current Federal Communications Commission (FCC) has cited the same national security grounds to order U.S. telecommunications companies to remove Huawei equipment (e.g., cell towers) and services (e.g., cloud services) from their networks.[9] At the digital platform level, although the Biden administration has withdrawn Trump's executive orders that ban transactions with eight Chinese software applications, the FCC has continued to request that U.S. digital platforms remove TikTok from their app stores.[10]
Across the Atlantic, recognizing that digital technologies constitute a vulnerable target, the European Union (EU) has put the implementation of measures to protect against cybersecurity threats at the forefront of its cybersecurity policies. The EU's adoption of the 5G Toolbox of Risk-Mitigating Measures, which delineates potential risk areas and remedial measures connected with suppliers of 5G infrastructure, seeks to achieve diversity among suppliers and reduce Chinese companies’ (especially Huawei's) participation in the 5G roll-out.[11] Along this policy path, the proposed EU Cyber Resilience Act is expected to “bolster cybersecurity rules to ensure more secure hardware and software products.”[12]
At the same time, China's cybersecurity regime has become even more complex and strict since its cybersecurity law was implemented,[13] primarily due to its lack of tailored definitions. The broad scope and vague language of China's cybersecurity law give the government even wider latitude to facilitate its political and economic agendas.[14] The Chinese government has issued implementation measures for its cybersecurity law, including the “cybersecurity review,” which imposes restrictions on foreign information technology goods and services based on “potential national security risks” related to the reliability of supply chains. Moreover, the Chinese Cryptography Law also contains trade-restrictive rules for commercial encryption products that involve national security.[15] Under the Chinese regulatory framework, loosely defined “encryption products,” encompassing a wide range of information technology (IT) goods and services, must mandatorily undergo a cybersecurity risk assessment.[16]
Contextualizing Cybersecurity-Related Exceptions
Cybersecurity-based trade restrictions have the potential to clash with international trade rules in many ways, at both the World Trade Organization (WTO) and free trade agreement (FTA) levels. Country-specific bans on IT goods and services may violate the most-favoured-nation principle that generally prohibits discrimination between “like” products from different countries. Arguably, major competitors of Huawei from Europe (Nokia and Ericsson) and South Korea (Samsung) will be the beneficiaries of the Huawei ban in the United States.[17] Cybersecurity measures may also be inconsistent with national treatment obligations if the domestic IT good or service and the banned foreign good or service are “like” products or services.[18] In cases where the cybersecurity standards constitute “technical regulations,” unique cybersecurity standards that accord imported products less favorable treatment than that accorded to “like” products of national origin may also breach non-discrimination obligations.[19] Moreover, non-discrimination provisions in the electronic commerce/digital trade chapters of FTAs also require parties to ensure the non-discriminatory treatment of “like” digital products.[20] Thus, if domestic and foreign digital platforms are treated as “like” digital services, the adverse treatment of foreign digital platforms may be considered discrimination.
Furthermore, in terms of market access, cybersecurity measures can simultaneously constitute quantitative restrictions on international trade in goods and violate obligations to eliminate quantitative restrictions.[21] Similarly, these measures may restrict cross-border data flows and violate market access obligations for trade in services.[22] Additionally, cybersecurity-based restrictions in the public procurement of network equipment may also breach a state's market access schedules of commitment under the Government Procurement Agreement, which list the procurement activities open to international competition.
Nonetheless, general and security exceptions to trade rules provide a normative framework to balance free trade obligations against national policy interests. Thus, the key issue here relates to whether and how these exceptions protect a state's policy space to adopt regulatory actions directed at cybersecurity matters. In this context, the discussion below distinguishes between the types of exception clauses related to cybersecurity in international trade agreements along two dimensions. The first dimension is the nature of the necessity element required by the exception, which asks whether the “necessity test” or the “good faith standard” applies. The second dimension is the scope of situations allowed by the exception, which addresses whether the exception contains open-ended language or is limited to enumerated grounds. This essay argues, on the one hand, that the “conventional” general exceptions[23] and security exceptions[24] that were drafted in the pre-digital era are too narrowly framed to address cybersecurity objectives. On the other hand, trends to create open-ended or digital sector-specific security exceptions may also be problematic for being excessively unrestrained if due process and good faith are not accorded. Both perspectives are respectively discussed below.
Pre-Digital Era Exceptions: Not Fit for the Purpose
Conventional exception clauses that were drafted in the brick-and-mortar age are not properly formulated to address today's cyber threats. Taking General Agreement on Trade in Services (GATS) Article XIV General Exception as an example, although none of the grounds enumerated under the general exception explicitly refer to cyber risks, a WTO panel may find that the “public morals” exception affords an avenue to protect cybersecurity. The parties in dispute, however, must present evidence—most likely involving classified documents—to demonstrate whether alternative measures, such as cybersecurity certifications or conformity assessment procedures, are less intrusive but equally effective in protecting public morals. The panel would then have to assess whether such alternative measures should be regarded as WTO-consistent measures that are reasonably available to the responding party. Arguably, the necessity test can serve as a tool that guides states to take targeted actions necessary to address cybersecurity concerns and refrain from creating unnecessary barriers to international trade.[25] In litigation, however, it would be unrealistic to expect two hostile states to present intelligence information for or against the cybersecurity measures at issue. The confidential and politically sensitive nature of security matters makes it legally impractical to perform an evidence-based necessity test.
Conventional security exceptions, which can be found in the WTO and in most FTAs, represent another form of pre-digital era exceptions that are out of touch with cybersecurity policies. The determination of what constitutes “essential security interests” and thus qualifies as an exception to trade rules is a self-judging process by the invoking state, but “good faith” obligations apply. Namely, a “plausible link” must be established between the invoking state's “essential security interests” and the trade-restrictive measures in dispute.[26] More importantly, in both Russia—Traffic in Transit and U.S.—Steel and Aluminum Products, WTO panels have adopted the view that the subparagraphs (“fissionable materials,” “traffic in arms,” and “war or other emergency in international relations”) of Article XXI(b) to the General Agreement on Tariffs and Trade (GATT) exhaustively enumerate the circumstances in which a state may “take the action which it considers necessary for the protection of its essential security interests.”[27] Additionally, an “emergency in international relations” within the meaning of GATT Article XXI(b)(iii) must be “at least comparable in its gravity or severity to a war” in terms of its impact on international relations.[28] In this regard, an emergency may be difficult to establish where the cybersecurity risks are routine and ubiquitous. Moreover, the temporal link that requires the measures to be “taken in time of” the “emergency in international relations” is also problematic when addressing a long-lasting cybersecurity matter,[29] which, as Heath argues, is of a permanent nature and must be systematically addressed over time.[30] It is apparent that conventional security exceptions must be modernized to meet the policy needs of this digital era.
Expansive Security Exceptions: Balance (Re)set?
Trends in the new generation of international trade agreements suggest that “updated” exceptions—either via expansive, open-ended security exceptions or through a sector-specific exception—are designed to reset the balance between international trade and national security. Innovative clauses have been incorporated to reconcile conflicts between (digital) trade and (cyber) security, including the following:
First, the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP)-type broad security exceptions: Contrary to Article XXI(b) of the GATT, such security exceptions do not include a closed list of circumstances under which security exceptions could be triggered, but rather contain broad exceptions which states are allowed to implement according to their discretion. Similar provisions can be found in the United States-Mexico-Canada Agreement (USMCA).[31] This type of exception is similar to the self-judging element from the WTO security exceptions but does not contain the qualifications included in WTO law.[32]
Second, Digital Economy Partnership Agreement (DEPA)-type broad security exceptions: In a similar vein, the security exceptions under the DEPA—a sector-specific framework that represents a new form of engagement for the digital economy—accommodate open-ended exceptions, which are not followed by a closed list of situations.[33]
Third, Regional Comprehensive Economic Partnership (RCEP)-type data localization exceptions: Other digital sector-specific security clauses that merit attention are the data localization security exceptions to the digital trade rules in the RCEP, which allow the parties to take any data localization measure they consider necessary for the protection of essential security interests.[34] The self-judging element has been strengthened with a subparagraph stating that such measures shall not be disputed by other parties,[35] effectively opening the doors for parties to restrict data flows to achieve a range of regulatory objectives including privacy protection.
Finally, RCEP-type critical infrastructure security exceptions: Given that the risk of compromised critical infrastructure can cause massive disruptions to the well-being of citizens, the protection of critical infrastructure—whether publicly or privately owned—has been added to several FTAs as one of the enumerated situations under which security exceptions may be invoked.[36] Recent initiatives, including the EU-U.S. Trade and Technology Council and the Indo-Pacific Economic Framework, further represent policy reforms to strengthen cyber supply chain security.
Concluding Remarks
Taken together, the trends that create open-ended or digital sector-specific security exceptions represent directions to ensure that the exceptions to international trade rules are aligned with the policy needs of the digital economy. This essay contends, however, that these new approaches may risk being overly broad in application. In particular, should CPTPP/USMCA-type broad security exceptions become a template for future international trade negotiations, they may prove to be a fractious way forward in defining the boundary of national security, and particularly cybersecurity. In this age of digital capitalism, commercial and cybersecurity interests are intertwined. That said, fundamentally difficult questions, both legally and technologically, follow: to what extent are cybersecurity concerns legitimate? Further, how can we distinguish these concerns from illegitimate protectionist measures that primarily stem from considerations surrounding economic competition? This is particularly important because governments are moving toward risk-based approaches to protect cybersecurity.[37] Instead of adopting prescriptive rules, a risk-based approach provides national regulators with flexibility to encourage innovation that may otherwise be constrained under catch-all provisions. A risk-based approach to cybersecurity, however, carries the danger of abuse of decision-making powers. After all, the approach relies on policy judgements to provide tailored protection, depending upon the level of risk at stake for each specific situation.
How, then, can we curb the potentially expansive interpretations of “modernized” security exceptions? One possible future direction for trade and cybersecurity governance is to scrutinize the distinction between critical and non-critical infrastructure. Should social media platforms be considered “critical infrastructure”? Questions as to what constitutes “critical infrastructure” and how it should be designated require due process mechanisms to constrain discretionary abuse. Arguably, creating a commonly accepted definition of “critical infrastructure” would serve as a touchstone for determining the boundaries of “essential security interests.” Namely, the protection of critical infrastructure presents a much stronger case than non-critical infrastructure to meet a minimum requirement of plausibility in relation to a state's “essential security interests.” In this way, the concept of critical infrastructure may be a useful tool to filter out over-generalization of national security claims. Ultimately, a more proper balance may be sustained between free trade and national security, and particularly, cybersecurity.