Cybersecurity Meets the WTO

The continuing resolution that I wrote about yesterday could have a big impact on the federal government’s procurement of IT equipment from Chinese companies. As described in an earlier post, the resolution includes a provision that bars purchases of an “information technology system” that was “produced, manufactured or assembled” by entities “owned, directed, or subsidized by the People’s Republic of China” unless the head of the purchasing agency consults with the FBI and determines that the purchase is “in the national interest of the United States.” 

While the provision doesn’t prohibit purchases of Chinese-government-influenced systems, it makes such purchases politically difficult. How will China react?  Not well.  China has spent years trying to curtail its own purchases of IT from outside its borders, but that won’t stop it from calling the bill protectionist and claiming a violation of US WTO obligations.  Legally, China may have trouble making such a claim stick. China has not signed on to the WTO’s government procurement code; it is just an observer.

But China may not have to make the claim stick in its own right.  That’s because the provision doesn’t hit China directly.  Instead, it restricts purchases from Chinese-government-influenced entities, no matter where those entities manufacture their products.  This means that the provision could prevent purchases of Lenovo computers manufactured in Germany, or Huawei handsets designed in Britain. Both of these countries have joined the WTO government procurement code, which obliges its members not to discriminate against other member countries in procuring data processing software and hardware. This means the US could see WTO challenges to the provision from its own allies (unless they’re so sick of Chinese hacking that they decide to emulate the new provision rather than attack it).  

Would such claims prevail?  You might think that they would face an uphill fight; most WTO undertakings have an exemption for national security measures, and the procurement code is no exception. What’s more, there’s no doubt that buying commercial IT products from an untrusted source does raise serious security issues.  Indeed, we can thank China’s hackers for demonstrating to the world just how serious those security issues are.

But when I dug out the national security exemption, I was surprised to see that the US Trade Representative’s office had negotiated a strikingly weak security exemption for the WTO procurement code. The first paragraph of the exemption (article XXIII) only allows the US to restrict procurements that are “indispensable for national security or for national defence purposes.” In other words, the exemption is based on the nature of the goods being bought, and not on the nature of the threat. The US can make a good case that attacks on the Commerce Department or the Justice Department information systems threaten national security, but it’s hard to argue that the IT systems those departments buy are themselves indispensable for national security. 

There’s a second security provision in the code that might help the US defend the provision.  It allows “measures necessary to protect public morals, order or safety” but only if they are “not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination between countries where the same conditions prevail or a disguised restriction on international trade.” I think the US could defend the provision on the ground that it protects order and safety, but it would have the burden of showing that in application it is not an “unjustifiable discrimination” or a “disguised restriction” on trade.  These words virtually invite a highly subjective inquiry by a WTO panel, and there’s no telling how that would turn out.

Having stacked the deck against security in negotiating the code, USTR is no doubt now lobbying strenuously inside the administration for an interpretation that will make the continuing resolution meaningless.  

On first look there are a couple of ways it might do that.  For one, it could take the provision at face value.  “National interest” waivers are permitted under the law, and the President could require agencies to consider the nation’s WTO obligations in determining the national interest, setting the stage for numerous waivers.  That won’t be attractive to the White House, though.  It will expose the President to two rounds of criticism, first when he announces the national interest standard and again when each waiver is granted. 

So the administration may look for another way out, perhaps by narrowing the definition of an “information technology system.”  Borrowing from interpretations of the Buy American Act, the administration could decide that a new information technology “system” is created whenever an English-language manual is shrinkwrapped to a Chinese-sourced router.  As long as the shrinkwrapping is done by an American contractor, the newly minted “system” might fall outside the scope of the law. But that interpretation so clearly flouts the intent of the provision that it could raise serious political problems on both sides of the aisle for the administration, which could find itself painted as an apologist for Chinese cyberespionage — something it has worked hard to avoid in the past.