For companies that sell digital products internationally, cybersecurity concerns can have a devastating impact on business — companies can be barred from national markets, get tangled up in politics, and have their reputations maligned across the globe. It isn’t easy to navigate this issue however. Rules and anxieties differ country to country. In general, how a country might react is driven by: national capability in managing cyber risks, the level of trust between the government and business, and geopolitics. Companies can’t control these factors, but they can prepare for them. Specifically a good strategy should involve: building a strong cybersecurity governance culture; preparing to play politics and burnish your cybersecurity image; developing an exit plan for markets, and a re-entrance plan; helping host governments improve their cybersecurity capabilities; and building up your bargaining powers.
Digital trade is crucial for almost every company, but it also introduces new complications. When products or services that contain a computer or can be connected to the internet — which nearly every product or service does — cross borders, cybersecurity risks emerge. Growing concerns that foreign states or corporations can abuse digital products to collect privacy data, plant vulnerabilities, or otherwise cause harm mean that digital products sold across borders are subject to increased scrutiny and controls, and can be targeted for bans — fairly or not — by host governments. Navigating and mitigating these risks needs to be a part of every transnational company’s digitalization strategy.
Failing to properly account for these risks means courting disaster. For instance, Germany banned both the sale and ownership of the U.S.-made voice-activated “My Friend, Cayla” doll in 2017, on the basis that it contained a concealed surveillance device that violated German federal privacy regulations and could be used to spy and collect personal data. Huawei’s 5G equipment has raised concerns that the Chinese government might be able to plant backdoors to monitor critical telecommunication networks, in response many countries banned or restricted the usage of Huawei’s 5G equipment.
This isn’t just paranoia — examples that motivate real concerns. For example, Crypto AG, a manufacturer of encryption devices, was owned by the U.S. CIA and German BND. From 1970 until 2018 (or the 1990s, in the BND’s case), the agencies used backdoors to break into encrypted messages of allies and enemies.
To understand how companies can get caught up in controversy — and how they can navigate these situations — we looked at 75 cases that demonstrate that it is already a global phenomenon involving over 31 countries, including all the major economies, such as G20 and OECD members. We have observed cases including (but not limited to) computers and networking equipment, medical devices, video-conference services, security software, social media, security cameras, banking IT systems, drones, smartphones, smart toys, AI software, and international fund transfers and payment systems. Getting caught up in cybersecurity concerns is not a question of whether but rather of when and how for transnational companies.
A patchwork — and political — set of rules
Technically speaking, the inherent cybersecurity risks within transnational digital products are the same for all the states. But governments take various strategies to address these concerns, such as implementing import limitations, pre-requirements for market access, and post-sale services requirements to manage the potential cybersecurity risks. As a result, international businesses must negotiate a fragmented system of rules and requirements that change country by country, and often day by day — and which creates significant risks for companies seeking to navigate it.
Therefore, technical considerations aren’t the only ones that shape policy. Companies should also consider these critical factors when thinking about their international digital strategy.
Government Capability in Managing Cybersecurity Risks. A government’s reactions are shaped by its capability to manage cybersecurity risks, such as: the laws and regulations on cybersecurity; the implementation of technical capabilities through national and sector-specific agencies; the organizations implementing cybersecurity; and the awareness campaigns, training, educations, and partnerships between agencies, firms, and countries. Governments with a high cybersecurity capability may consider the cybersecurity risk more manageable, so they are more likely to adopt less restrictive digital trade policies.
Trust between Governments and Businesses. It’s functionally impossible for a government to examine the millions of lines of software or firmware within every digital product and service sold in its borders. Decisions are made based on the perceived risks, which will be significantly impacted by the trust between governments and businesses, as well as in business to business relationships. Trust and business loyalty developed over time can encourage an adoption of a cyber-risk-management-oriented approach by local governments and depoliticalizes the cyber risks. Our research also shows that such trust and business loyalty enhance a corporation’s bargaining power with the local governments, especially for governments with a relatively low government effectiveness and control of corruption. In such a case, corporations have more chance to negotiate with the government to avoid, or at least alleviate, the impact of potential restrictions related to cybersecurity concerns.
Geopolitics. Take Huawei’s 5G products as a typical example. The U.S. had every reason to accept Huawei, given the high quality and low costs of its products and the need to upgrade the U.S. communications networks for 5G. Risks, as with almost every vendor, could have been mitigated by monitoring and detecting any vulnerabilities. However, the ban of Huawei’s devices still happened — largely because of geopolitical rivalry. Japan and Australia followed the United States’ lead, given their close strategic relationships with the U.S. Similarly, the UK ultimately banned on the installation of new Huawei equipment. On the other hand, Germany’s capability to balance between China and the U.S. politics resulted in a relatively balanced 5G market environment for all vendors, including Huawei. Switzerland, a neutral country not involved in armed or political conflicts with other states, concluded that Huawei’s equipment posed no significant risks and built a 5G network using Huawei’s devices.
Notably, it is a challenge for companies to predict how individual countries will react to the cybersecurity risks from digital trade, but businesses need to understand and accept this new reality. In our research, we have developed a method to anticipate outcomes — and identified actions companies can take to mitigate unfavorable outcomes.
Developing an active strategy
Given how fragmented the global system of cybersecurity governance is, corporations need to take an active approach to refine their global digital strategy. Although these efforts may not always pay off, they will prepare companies to address cybersecurity concerns when they inevitably come up. Some actions include:
Build an Effective Cybersecurity Governance Culture. Building cybersecurity features into digital products is becoming a de facto pre-requirement of market accesses for many transnational digital products, especially for critical infrastructures like financial IT systems or 5G networks. Companies should cultivate a cybersecurity culture within their organizations, including both leaderships and product development teams, to promote the awareness of importance of cybersecurity for their market success. Beyond following international standards, companies should develop a flexible cybersecurity governance system which can effectively adapt to and comply with the different cybersecurity policies and regulations within the target markets.
Be Prepared to Play Politics and Create a Cybersecure Image. Since it is not feasible to thoroughly examine the software, firmware, or hardware of every single product, reputation is critical regarding cybersecurity concerns. Customers will believe that a company with a high reputation will do their best to enhance the cybersecurity features in a digital product, not do harm to their customers by intently exploiting the vulnerability, and handle a cybersecurity incident responsibly if it happens. Hence, corporations should actively defend their market reputations by showing their commitment to cybersecurity. No one wants to make “insecurity” a part of corporate brands in the digital age. Importantly, such a high reputation can help a company to avoid being caught by the politicization of cybersecurity concerns.
Be Willing to Step Out and Prepare to Step Back In. In a market where cybersecurity concerns have been politicized and it is too costly for corporations to comply with the cybersecurity requirement, temporarily exiting the market can be a good option. But even when a company is blocked from a market, like Huawei was blocked from the U.S. market or Google’s withdrawal from China, defending the reputation can help maintain its partnership with other countries.
Additionally, corporations should pay attention to the re-entry strategy after exiting the market, especially when the market prohibition only covers a subset of a corporations’ business or is driven by external political influences. It is increasingly common for global firms to re-enter foreign markets, so an effective re-entry strategy such as maintaining the knowledge learning of the markets, preparing the re-entry model with new cybersecure products, and monitoring the politicization environment in the target markets, is critical when corporations can return.
Teach Host Governments to Fish. As cybersecurity risks from digital offerings are unavoidable, corporations should take an active approach to help the host government build capability to manage the potential risks. For example, launching a transparency center for customers, including governments, to verify that cybersecurity risks are minimal is becoming a best practice. It both demonstrates the business’ confidence and enhances the customers’ trust with the cybersecurity embedded in the products.
Importantly, sufficient cybersecurity capability can help the host government implement policies that can mitigate cybersecurity risks without introducing unreasonable barriers. For example, with a high cybersecurity commitment, Germany was willing to take some risks with its 5G network deployment, but minimized those risks by providing a “clearly defined security catalog” to specify the security requirements for all vendors.
Additionally, helping the host government with cybersecurity capability development pays off as sufficient protection measures can be in place when it comes time to pilot or test the provided services in that market.
Build Your Bargaining Power. With such a fragmented cybersecurity governance situation, the same cybersecurity concern can result in radically different outcomes in different countries. Therefore, developing and maintaining trust and collaboration mechanisms is critical. Many approaches, such as beefing up lobbying teams, committing to local cybersecurity activities, and acting as a good corporate citizen, have been suggested and adopted.
Notably, the complexity of cybersecurity is making corporations more powerful in cyberspace. Like Google, Amazon, and Meta (formerly Facebook), some corporations firmly control the global cyber-physical infrastructure, code, algorithms, or data. Though they face increasing political pressure, they have the de facto power to set cybersecurity rules, including refusing certain governments’ requests. For example, WhatsApp and Telegram have declined to create backdoors requested by some governments to access the encrypted message content, which would have invaded their customers privacy.
Corporations can also build up their influence through consortiums to represent them before governments or international markets, recommend cybersecurity policies, and promote international cybersecurity standards. International businesses have initiated dialogues and accords, such as Digital Geneva Convention and Paris Call for Trust and Security in Cyberspace to promote global cybersecurity governance principles.
In many cases, governments may have the authority but lack sufficient cybersecurity capability, and so are more open to taking inputs from global consortiums. For example, the inputs from the Software Alliance (BSA), and the Information and Technology and Innovation Foundation (ITIF) contributed to removing the data localization requirements for adopting foreign cloud computing services in Brazil’s financial institutions.
***
Every company whose digital products cross borders needs an effective cybersecurity governance plan that balances technology, geopolitical relationships, government capability, market reputation, and public-private collaborations. If such capability does not exist now, executives should train themselves in the preparation or seek out new directors who have such capacity to add to the board. All companies that provide or rely on transnational digital products will likely face cybersecurity concerns sooner or later. And even though preparation can’t keep them out of the hot seat, it may make all the difference once they’re there.
Acknowledgement: This research was supported, in part, by funds from National Natural Science Foundation of China and from the members of the Cybersecurity at MIT Sloan (CAMS) consortium. Fang Zhang is the corresponding author.