Digital trading is critical for practically every business, but it also adds new complexities. When items or services that have a computer or can be connected to the internet – which practically every product or service does – cross borders, cybersecurity threats develop. Growing concerns that foreign states or corporations may exploit digital products to collect privacy data, plant vulnerabilities, or otherwise cause harm to mean that digital products sold across borders are subject to increased scrutiny and controls, and may be targeted for bans – fairly or unfairly – by host governments. Navigating and minimizing these risks is an essential component of any multinational corporation’s digitalization strategy.
Failure to appropriately account for these risks is a recipe for disaster. In 2017, Germany prohibited the sale and possession of the voice-activated “My Friend, Cayla” doll created in the United States, claiming that it had a hidden surveillance device that breached German federal privacy standards and might be used to spy on and gather personal data. Many nations have prohibited or limited the use of Huawei’s 5G equipment due to worries that the Chinese government may be able to install backdoors to monitor crucial communications networks.
This isn´t just paranoia – examples that motivate real concerns. For example, Crypto AG, a manufacturer of encryption devices, was owned by the U.S. CIA and German BND. From 1970 until 2018 (or the 1990s, in the BND´s case), the agencies used backdoors to break into encrypted messages of allies and enemies.
To understand how businesses might become embroiled in controversy – and how they can negotiate these circumstances – we can look at 75 instances that show it is already a worldwide phenomenon encompassing over 31 nations, including all major economies such as G20 and OECD members. Observing various cases that include (but are not limited to) computers and networking equipment, medical devices, video-conference services, security software, social media, security cameras, banking IT systems, drones, smartphones, smart toys, AI software, and international fund transfers and payment systems.
A patchwork – and political – set of rules.
Technically, all governments face the same cybersecurity dangers when using international digital products. Governments, on the other hand, use a variety of measures to address these issues, such as imposing import restrictions, pre-regulations for market access, and post-sale service requirements to handle any cybersecurity threats. As a result, multinational enterprises must negotiate a fragmented system of regulations and procedures that vary by country and, in some cases, by day – posing enormous dangers to organizations attempting to traverse it.
Therefore, technical considerations aren´t the only ones that shape policy. Companies should also consider these critical factors when thinking about their international digital strategy.
The capability of the government to manage cybersecurity risks. The ability of a government to manage cybersecurity risks, such as cybersecurity laws and regulations; the implementation of technical capabilities through national and sector-specific agencies; the organizations implementing cybersecurity; and awareness campaigns, training, education, and partnerships between agencies, firms, and countries, shape its reactions. Governments with strong cybersecurity capabilities may view cybersecurity risk as more controllable, making them more inclined to implement less stringent digital commerce laws.
Trust between Governments and Businesses.
A government cannot inspect the millions of lines of software or firmware contained within every digital device and service supplied within its boundaries. Decisions are based on perceived risks, which are heavily influenced by trust between governments and enterprises, as well as commercial connections. Trust and business loyalty built over time might inspire local governments to adopt a cyber risk-management-oriented strategy, depoliticizing cyber threats. Our research also reveals that such trust and company loyalty increase a corporation’s negotiating leverage with the local government, particularly in governments with low government performance and corruption control.
Geopolitics.
Consider Huawei’s 5G goods as an example. Given the outstanding quality and low cost of Huawei’s equipment, as well as the necessity to modernize the United States communications networks for 5G, the United States has every reason to welcome Huawei. Risks might have been reduced, as with practically any vendor, by monitoring and discovering any vulnerabilities. However, the prohibition on Huawei devices persisted, owing primarily to geopolitical rivalry. Given their close strategic links with the US, Japan, and Australia followed suit. Similarly, the installation of new Huawei equipment was eventually prohibited in the United Kingdom. On the other hand, Germany´s capability to balance between China and U.S. politics resulted in a relatively balanced 5G market environment for all vendors, including Huawei. Switzerland, a neutral country not involved in armed or political conflicts with other states, concluded that Huawei´s equipment posed no significant risks and built a 5G network using Huawei´s devices.
Notably, it is difficult for businesses to foresee how specific nations will respond to cybersecurity threats associated with digital trade, but firms must grasp and embrace this new reality. In our research, we established a framework for predicting outcomes and highlighted strategies that businesses might take to avoid bad consequences.
Developing an active strategy
Given the fragmentation of the global cybersecurity governance structure, firms must take an active role in refining their global digital strategy. Although these efforts may not always pay off, they will equip businesses to deal with cybersecurity issues when they arise. Among the actions are:
Build an Effective Cybersecurity Governance Culture.
Building cybersecurity elements into digital products is becoming a de facto market access requirement for many multinational digital products, particularly vital infrastructures such as banking IT systems or 5G networks. To increase understanding of the need of cybersecurity for market success, businesses should establish a cybersecurity culture inside their companies, encompassing both leadership and product development teams. Companies should establish a flexible cybersecurity governance framework that can successfully adapt to and comply with the various cybersecurity policies and regulations inside the target markets, in addition to adhering to international standards.
Be prepared to Play Politics and Create a Cybersecure Image. Since it is not feasible to thoroughly examine the software, firmware, or hardware of very single product, reputation is critical regarding cybersecurity concerns. Customers will believe that a company with a high reputation will do its best to enhance the cybersecurity features in a digital product, not to harm its customers by intently exploiting the vulnerability and handling a cybersecurity incident responsibly if it happens. Hence, corporations should actively defend their market reputations by showing their commitment to cybersecurity. No one wants to make “insecurity” a part of corporate brands in the digital age. Importantly, such a high reputation can help a company to avoid being caught by the politicization of cybersecurity concerns.
Teach Host Governments to Fish.
Because cybersecurity risks associated with digital products are inescapable, firms should play an active role in assisting the host government in developing the capabilities to handle the inherent hazards. Launching a transparency center for clients, including governments, to verify that cybersecurity risks are minimal, for example, is quickly becoming a best practice. It both indicates the company’s confidence and increases customers’ faith in the cybersecurity built into the goods.
Importantly, adequate cybersecurity capabilities can assist the host government in implementing regulations that reduce cybersecurity risks without imposing unjustified hurdles. Germany, for example, was ready to accept certain chances with its 5G network implementation because of its strong cybersecurity commitment, but it mitigated those risks by offering a “clearly defined security catalog” to describe the security standards for all providers.
Build your bargaining power.
With such a fragmented cybersecurity governance situation, the same cybersecurity concern can result in radically different outcomes in different countries.
Therefore, developing and maintaining trust and collaboration mechanisms is critical. Many approaches, such as beefing up lobbying teams, committing to local cybersecurity activities, and acting as good corporate citizens, have been suggested and adopted.
Notably, the complexity of cybersecurity is empowering companies in cyberspace. Some firms, such as Google, Amazon, and Meta, firmly dominate the worldwide cyber-physical infrastructure, code, algorithms, or data. Despite increased political pressure, they have de facto authority to adopt cybersecurity regulations, including the refusal of some government demands. WhatsApp and Telegram, for example, have denied developing backdoors demanded by some governments to access encrypted communication content, which would violate its customers’ privacy.
Corporations can also increase their influence by forming consortiums to represent them before governments or international markets, make cybersecurity recommendations, and advocate worldwide cybersecurity standards. To promote global security governance principles, international firms have started conversations and accords such as the Digital Geneva Convention and the Paris Call for Trust and Security in Cyberspace.
In many circumstances, countries have the power but lack the necessary cybersecurity capabilities, thus they are more willing to accept assistance from global consortiums. The Software Alliance (BSA) and the Information and Technology and Innovation Foundation (ITIF), for example, led to the removal of data localization rules for implementing foreign cloud computing services in Brazil’s financial institutions.