Robert Brown, Chair of the National District Export Council, and Vice Chair, Section of International Law, of the American Bar Association, spoke at the TALK Cybersecurity Summit 2017 in Louisville, KY on "Cybersecurity and Its Implications on Trade."

1. Cybersecurity and Its Implications
for Trade and Investment
Cybersecurity Summit
Louisville, Kentucky
June 15, 2017
Robert L. Brown
Lynch, Cox, Gilman & Goodman, P.S.C. Chair, National District Export Council
500 W. Jefferson St., Suite 2100 Vice, Chair, ABA Section of International Law
Louisville, KY 40202
T: 1-502-403-1011 T: 1-502-594-4767
E: rbrown@lynchcox.com E: rbrown@globallawbusiness.com

2. Introduction
• ICTs suddenly become relevant to national security
• Role of national security in trade and investment policy
• Rules affecting trade and investment based on
national security-related concerns

3. Actions by Governments
• In 2007, Russian cyberattacks disrupted Estonia’s Internet
• Russia accused of attacking Georgian government websites in 2008
• In 2008, cyberwar accompanied Russia’s military bombardment of Ukraine
• In 2016, Russia accused of cyber program influencing U.S. elections

4. Lead to Accusations by Opposing
Governments
• U.S. suspicious of Dubai Ports World bid to manage six U.S. ports
• U.S., Austria and India accuse Huawei Technologies
(Chinese company) of cyberespionage
• Chinese concerns about Microsoft products
• Chinese engineers working for Huawei in Bangalore
Accused of developing state-of-the-art telephone surveillance equipment
For Taliban regime in Afghanistan
• U.S. suspicion of Huawei’s close ties to
Chinese Communist Party and military

5. Lead to Reactions from Actors in
Firm’s Nonmarket Environment
Interest groups
Intelligentsia
Public:
• Amnesty International accuses Google, Microsoft and Yahoo
Violating Universal Declaration of Human Rights
By censoring Internet use in China

6. And to Government Reports
• 57 were covertly trying to obtain advanced technologies from the U.S (FBI’s 1990s
analysis of 173 nations)
• Cybercrime fastest growing problem for China-US corporations (1990s FBI Report)
• 108 countries developed offensive cyberwarfare capabilities (2007 FBI Report)
• U.S. House Intelligence Committee 2012 Report:
o Huawei and ZTE pose threat to U.S. national security

7. Leads to Lawsuits
Western companies’ compliance with cybercontrol in authoritarian regimes
Chinese dissidents filed suit against Yahoo and its Chinese subsidiary

8. And New Laws and New Applications
of Old Laws
• U.S. Alien Tort Claims Act of 1789
Allows foreigners to sue in U.S. for injuries abroad
• Foreign Intelligence and Surveillance Amendments Act of 2008
Require U.S. companies to hand over to EU citizens’ stored data
• Economic Espionage Act of 1996
Criminalizes trade secret thefts including by US citizens/corporations
overseas or if any action in U.S.
• EU General Data Protection Regulation of 2016, effective 2018
Supersedes Data Protection Directive of 1995
European Union adopts strict data privacy laws

9. Types of Actions
Political espionage
Economic espionage
Privacy and security of citizens’ information

10. Types of Reactions
Direct Barriers
Legal inflow and outflow restrictions of goods, services and capital
Indirect Investment Barriers
Availability of information
Differential accounting standards
Concern related to investor protection
Liquidity risk
Macroeconomic instability
Political risk

11. Cybersecurity Factors Determining
Trade and Investment Barriers
Factor 1: Close ties to state in home country
Concern:
foreign company spying for its home country
Examples:
• Huawei’s deep ties with Chinese military resulted in its proposal to buy 3Com
given “elevated attention” and subject to 45-day investigation by CFIUS
• Lenovo’s ties to Chinese government became roadblock to its acquisition of
IBM PC division
Conclusion:
Firm’s perceived closeness to state in home country leads to cybersecurity
barriers to trade and investment due to political espionage-related concerns
in the host country

12. Factor 2: Home and host country differences in cybersecurity goals
Concern:
Foreign company based in country with different Cold War military alliance
Country examples:
• Cybersecurity major issue in formation and structure of international alliances
o Council of Europe (CoE) Convention on Cybercrime
• Concern that Western countries monopolize software and hardware ICT products
o Shanghai Cooperation Organization (SCO)
• China express suspicion it is under cyber-attack from U.S.
Company examples:
• Barriers faced by Chinese firms in U.S., Australia and India
• Barriers faced by Microsoft in China and Russia: suspected spy on users by back doors
• Russia-originated cyber-attacks on Estonia, Georgia and Ukraine
Conclusion:
Home and host countries’ differences in membership in major international political
alliances lead to cybersecurity-related barriers to trade and investment due to political
espionage-related concerns in host country

13. Factor 3: Differences in economic development
levels of home and host countries
Concern:
Foreign company based in country with lower economic development less
protective of IP
Country examples:
• U.S. lawmakers expanding ‘national security’ to include ‘economic security’
in evaluating FDI
• China vice minister of science, “Technology affects national security thru
economic security”
• Western analysts argue lack of IP protection in China raises cybersecurity
risks by China
• Pentagon Cyber Command: IP thefts from U.S., “greatest transfer of wealth
in history”
o Valued at $250 billion year
Conclusion:
Firms from a country with lower economic development level likely to face
cybersecurity-related barriers to trade and investment due to economic
espionage-related concerns in a host county with higher economic
development level

14. Factor 4: Differences in strictness of data privacy regulations
of home and host countries
Concern:
Companies based in less strict data-privacy countries violate host country
data-privacy rules
Country examples:
• U.S. has stricter privacy laws than economies in Eastern Europe and Latin America
• EU has more strict privacy laws than U.S.
• U.S. relies on voluntary self-regulation while EU relies on legislation
Company examples:
• EU companies less likely to outsource data-related work outside EU
• U.S. companies more likely to do so
• Indian companies more likely to manage data for U.S. companies
• Business process outsourcing (BPO) from EU to India is low value-added work
• BPO from U.S. is higher-end, such as clinical trials, legal documents, credit/equity
analysis

15. Conclusion:
Firms with strict data-privacy regulations in home country face
cybersecurity-related barriers to trade and investment due to privacy and
security of citizens’ information-related concerns when doing business in
country with lower degree of strictness

16. Implications
• Home country support for cybersecurity increasingly
important in trade and investment
• Companies must protect their digital assets while balancing cybersecurity
goals of consumers, interest groups, governments and others
• Companies must develop cybersecurity strategy specific to barriers facing them
o Microsoft opened Windows XP, Windows 2000 and other programs
to security experts in China, Russia and U.K.
• Cybersecurity-related barriers are often established on
basis of perception rather than reality
• Decision makers must weigh costs and benefits of compliance
with various actors’ cybersecurity demands

17. Lynch, Cox, Gilman & Goodman, P.S.C. Chair, National District Export Council
500 W. Jefferson St., Suite 2100 Vice, Chair, ABA Section of International Law
Louisville, KY 40202
T: 1-502-403-1011 T: 1-502-594-4767
E: rbrown@lynchcox.com E: rbrown@globallawbusiness.com
Robert L. Brown