The Internet of Things Cybersecurity Challenge to Trade and Investment: Trust and Verify?
This paper describes the problem of cybersecurity-based concerns regarding trade in IoT goods, and investment in manufacturing or distribution facilities for IoT goods, analyzes the applicable international law that would constrain national cybersecurity-based import or investment restrictions, and evaluates the availability of security or other exceptions to permit these defensive measures. Based on the defensive needs, and the legal constraints, it suggests some of the characteristics of a cooperative regulatory regime that can foster international trust or verification to allow trade and foreign investment in relation to IoT goods. Trade and investment in low risk consumer IoT products, such as household objects, will be manageable along traditional lines of other product standards, regulated by existing treaties such as the GATT and TBT Agreement to assure national treatment, MFN treatment, proportionality, and due respect for international standards. With respect to high risk industrial, infrastructural, medical or transportation IoT products, the path to liberal trade and investment is less clear, and will depend on the technical ability to surveil and confirm the safety of IoT products. It will be difficult to rely on trusted suppliers, whether on the basis of nationality or territoriality, because of the complexity of production and the magnitude of risk. States will restrict imports and investment in connection with high risk IoT products under security exceptions in trade and investment law, although the specific language of those exceptions does not necessarily support such restrictions. In some circumstances, restrictions will be based on protectionism or geoeconomic considerations, rather than cybersecurity per se.
In order to avoid inefficient restriction, states will find it useful to identify means to verify the security of high risk IoT products, as well as to establish trust in producers of high risk IoT products, and on the basis of sufficient combinations of verification and trust, to relax their use of security exceptions.