Trade Secrets

The U.S.-EU free trade agreement could be a boon for the global economy, but confidential negotiations are a dangerous threat to democracy.

The winners of the 2012 and 2009 Nobel Peace Prizes are hooking up. At the G8 summit on June 17, President Barack Obama announced that the United States and the European Union would begin trade talks in Washington in July. British Prime Minister David Cameron predicted that if negotiations for the Transatlantic Trade and Investment Partnership (T-TIP) succeed, the trade agreement would bring millions of jobs to the nations bordering the Atlantic and could be "the biggest bilateral trade deal in history." But as important as an EU-U.S. trade union would be for the global economy -- and the resulting free trade area could amount to as much as 40 percent of global gross domestic product (GDP) -- it has even more important implications for the future of democracy.

Trade diplomats from both the United States and the 27 member states of the European Union say they want to create a 21st century trade agreement. They stress that in order to achieve that goal, they must not only reduce visible barriers to trade such as tariffs, but also achieve coherence among a wide range of social and environmental regulations -- everything from food safety and data protection to banking, labor, and environmental standards. Diplomats note that although these regulations have legitimate objectives, they may unintentionally raise costs for foreign producers relative to domestic ones. Firms selling to both markets potentially have to comply with regulations from the United States, the 27 EU countries, and the European Community (the bureaucracy governing the EU). However, if the United States and European Union can find common ground on these regulations, firms would have one set of common rules, the costs of production could decrease, more jobs could be created, and trade would expand. So far, however, neither side has made clear whether the end goal for regulatory coherence is harmonization, convergence, or some form of mutual recognition, under which each party accepts the other's regulations without demanding change.

American and European trade negotiators may find that regulatory coherence is difficult to achieve. First, both the European Union (at the national and European Community-wide level) and the United States have honed these regulations over time based on public and business preferences. Regardless of their impact on trade efficiency, the public on both sides of the Atlantic accepts these regulations as democratically determined and hence legitimate. But U.S. and EU citizens may not feel the same about regulatory compromises developed in secret by trade negotiators. Second, the United States and European Union have very different approaches to designing and implementing such regulations -- differences that stem from two equally different approaches to democratic capitalism and governance. In general, the European Union focuses on risks to society that stem from under-regulation -- such as injury or death from unsafe food, medicine, or workplaces. The United States, by contrast, is more concerned about the cost-effectiveness of regulations. Hence U.S. regulators weigh whether the costs of regulating outweigh the benefits, and whether market forces can better achieve these goals.

Not surprisingly, the two trade giants also have different regulatory strategies. The European Union tends to regulate in a top-down, state-controlled manner with labor, business, and civil society input. The United States, meanwhile, tries to encourage business self-regulation or, when directly regulating, tries to use regulation that encourages market forces (such as transparency) rather than the visible hand of government. Given these fundamental differences, trade diplomats may find that some citizens oppose the T-TIP on both sides of the Atlantic, whether because they believe attempts to achieve regulatory coherence mean deregulation or because they see them as defining regulations downward. At the same time, given the EU's stronger regulatory regime, some trade critics also see opportunity in the T-TIP. According to Leo Gerard, head of the United Steelworkers, because European workers have achieved higher workplace standards and maintained greater union clout, "An agreement, properly designed and implemented, could be a force for progress." The obvious solution to this problem is to facilitate direct public input into the negotiations. Yet that is not the current strategy.

Trade policymaking in both the United States and European Union remains stuck in a 19th century time warp of opacity and secrecy. While trade negotiators require secrecy to discuss sector-specific tariffs or business confidential information, it's hard to understand why such secrecy should apply to the negotiation of chapters on regulatory issues like labor rights, data protection (what the U.S. calls privacy), or the environment. Diplomats have long argued that secrecy builds trust between countries, as they must count on counterparts to keep information confidential. But in this type of negotiation, there is little to be gained from keeping the objectives, strategy or progress secret. On the contrary, by keeping so much of the negotiation behind closed doors, they may engender public distrust.

The United States has sought public comments on the negotiation and the European Parliament has given its assent to the actual negotiating draft. (Although individual members of Congress have weighed in on the agreement, Congress has not yet held hearings on the talks.) But neither the United States nor the EU has clearly delineated how they might incorporate public comments into the negotiation process.

The United States, in particular, has not met its promises to ensure transparent and accountable governance. During his first campaign for the presidency, then-Sen. Obama promised to restore the American people's trust in government by making it more open and transparent. The president fulfilled this pledge, at least in part, with his Open Government Directive, issued in 2009, requiring government agencies to go public with their data. Nonetheless, the administration's approach to trade negotiations remains decidedly closed. For example, the website for the Office of the U.S. Trade Representative -- charged with negotiating on behalf of the United States -- is essentially a dissemination device, rather than an interactive forum on which citizens can register their input. At a minimum, the website should be used to facilitate a broader dialogue with Americans concerned about trade issues; it should be interactive, with staff designated to respond to citizen comment.

In general, trade policies in both the United States and the European Union are dictated by senior government officials who are generally responsive to a small group of concerned citizens and business interests. The U.S. Trade Representative does allow some individuals greater insight into the negotiations. For example, cleared advisors, including some members of Congress and congressional staff, are allowed to see up-to-date information about the negotiations -- but they are required to hold a secret clearance and to keep this information confidential. The bulk of these advisors represent commercial and economic interests -- or are individuals with connections to the current administration. Neither the United States nor the European Union has developed an advisory committee infrastructure to examine how to achieve regulatory coherence in a transparent, accountable manner -- so here are two suggestions:

First, Congress and the EU Parliament should keep a close watch on the negotiations. Both bodies should also clarify whether achieving regulatory coherence means harmonization, mutual recognition or some other approach. Second, the U.S. Trade Representative and other agencies involved in the negotiations should become more proactive as well as more interactive online. The Obama administration should develop a website encouraging consistent public feedback and dialogue on the T-TIP throughout the course of the negotiations, rather than solely at the beginning and end. The website should clearly delineate the objectives of negotiations on regulatory coherence as well as the administration's desired outcome. The website should also include regular updates on the negotiations for each chapter of the proposed agreement, particularly those that relate to environmental and social regulations.

Given the economic and political import of these negotiations, neither the United States nor the EU can afford to lose public trust in them. Policymakers cannot long proceed with secretive negotiations over policies that are not accountable to citizens, as the very public scuttling of the Anti-Counterfeiting Trade Agreement and the Multilateral Agreement on Investment reveals. In fact, in its required Open Government Plan, USTR agreed that it needed to change its culture and become more responsive to the public at large, but it is struggling to figure out how to do just that.

Regulatory coherence is an important objective for the United States and the European Union. If the two trade behemoths can find common ground on regulations, their shared standards will set the bar for the global economy and facilitate high standards worldwide. They will also enhance the clout of the world's oldest and largest democracies in the global economy. But policymakers must negotiate these regulations in a transparent and accountable manner that reflects 21st century standards for democratic governance. After all, even in the 18th century, policymakers such as James Madison recognized that a "popular government without popular information, or means of acquiring it, is but a Prologue to a Farce or a Tragedy, or perhaps both."

The Attribution Revolution

A five-point plan to cripple foreign cyberattacks on the United States.

The Obama-Xi summit in Sunnylands ended without any Chinese concessions on cyber-espionage. This came as no surprise; cyber spying has been an indispensable accelerant for China's military and economic rise. And though Beijing may someday agree that international law governs cyberspace, that won't help the victims of espionage, which is not regulated by international law. So if negotiation won't work, what will? Not a strategy that relies entirely on defense. That's like trying to end street crime by requiring pedestrians to wear body armor.

The good news is that there has been a revolution in our ability to identify cyberspies. It turns out that the same human flaws that make it nearly impossible to completely secure our networks are at work in our attackers too. And, in the end, those flaws will compromise the anonymity of cyberspies.

Call it Baker's Law: "Our security sucks. But so does theirs."

As numerous recent reports show, attackers are only human. They make mistakes when they're in a hurry or overconfident. They leave bits of code behind on abandoned command-and-control computers. They reuse passwords, email addresses, and physical computers. Their remote access tools are full of vulnerabilities. These are openings that we can exploit to trace cyberattacks first to the command-and-control computers used to carry them out, then to the homes and offices of the hackers who perpetrate them, and then, hopefully someday soon, to the customers who sponsor them.

But attribution is only half the battle if we want to deter cyber-espionage. The other half is retribution. Once we identify the attackers, we need to persuade them to choose another line of work. If we're serious about stopping cyberespionage, there are plenty of tools at our disposal:

1. Expose and isolate nations

Naming and shaming is a commonly used method of deterring bad conduct by other nations. The U.S. may be reticent about releasing hard-won intelligence about the activities of foreign governments. But some of the most explosive -- and convincing -- recent allegations against foreign governments have in fact been made by private entities. A report released earlier this year by a company called Mandiant offered extensive evidence of the People's Liberation Army's role in hacking into U.S. companies over a number of years. The report placed an embarrassing spotlight on state-sponsored hacking in China and sparked bitter but unconvincing denials from the Chinese government.

Of course, it's not clear that embarrassment alone will stop countries like China or Iran from supporting cyberattacks against U.S. companies and agencies. But it's a start. It raises the cost of what has been a relatively low-risk, asymmetric strategy. And it sets the stage for further action in the future.

China may seek to do some naming and shaming of its own, of course. It claims to have "mountains of data" about U.S. cyber spying. Perhaps so. But the United States already does a pretty good job of exposing its own secret cyber exploits, so it's unlikely that the world will learn much from the Chinese effort. Perhaps more importantly, neutral exposure is an asymmetric tactic that helps the United States. Our intelligence is focused on government, not commercial targets. The more the world learns about the two nations' approach, the more its concern is likely to center on China, not the United States.

2. Sanctions for spies

The U.S. government may not be able to reach hackers located on the other side of the world. And even if we could catch them, we might not want to risk compromising intelligence sources and methods by taking them to court. But that does not mean the United States cannot punish them. The government already uses classified information to label terrorist supporters and drug kingpins as "specially designated nationals" and to impose sanctions on them -- seizing their bank accounts and assets, for example, and prohibiting U.S. citizens from doing business with them. The United States even has such programs for sanctioning Belarusian kleptocrats and conflict diamond purveyors. Maybe it makes sense for Washington to use sanctions to punish misdeeds in Belarus or West Africa, but shouldn't it first use these measures to punish people who are invading homes and offices in, you know, the United States?

It's unclear why the president hasn't done this already -- he's already got all the authority he needs to impose sanctions on cyber spies and their enablers. Under the International Emergency Economic Powers Act, the president could determine that cyber spying poses "an unusual and extraordinary threat" to the United States and declare it a "national emergency." He could then publish a list of hackers who would be subject to sanctions. In keeping with past practice, he could rely heavily on classified data to make the designations -- without disclosing any of it.

3. Prison break meets prisoner's dilemma

Sometimes carrots work better than sticks, and visas can certainly play that role as well.

The Justice Department is authorized to issue up to 250 "S" visas each year to foreign nationals "in possession of critical reliable information concerning a criminal organization or enterprise." The visa allows family members to enter as well, and it becomes a permanent residency if the witness's "information has substantially contributed to the success of an authorized criminal investigation."

Systematically hacking U.S. companies and agencies surely constitutes a criminal enterprise under domestic law, and even an investigation can be deemed a success without leading to a criminal conviction. If a witness's cooperation helps us to thwart other countries' cyber spying campaigns, that surely counts as a success.

So under current law, the Justice Department could send text messages to all the guys who've already been identified as Chinese hackers, saying: "The first one of you who shows up at a U.S. consulate with a flash drive full of your employer's data will get an S visa and $1 million. The second one will get an S visa and $100,000. The third will get an S visa and $10,000. And the rest of you will be indicted with the evidence supplied by the first three."

4. Deny visas to enablers

On the flip side, the U.S. government has the power to deny visas and other perks to entities that act as enablers to hackers.

For example, late last year Trend Micro released a report that unmasked "Luckycat," a Chinese hacker who had attacked the Dalai Lama, U.S. aerospace firms, and other targets. His real name was Gu Kaiyuan, formerly a student at Sichuan University's Information Security Institute and at least at the time an employee at a major Chinese Internet company. Now it may be that the U.S. government can't do much to reach Mr. Gu in China, but why haven't the officials investigating those intrusions gone to his employer and his alma mater and asked them to cooperate in the investigation? Unlike Mr. Gu, those institutions need to maintain good relations with the United States government. Sooner or later, every Chinese university wants its students and faculty to get visas to work and study in the United States. And every Chinese company that does business here is subject to U.S. investigative authority. They have many reasons to cooperate, particularly if the government has evidence that they may have condoned or enabled cyberspying. At a minimum, taking a hard look at these institutions will make them think twice before they support or turn a blind eye to hackers in their midst.

5. Criminal and civil suits for final customers

But punishing individual hackers is only part of the story. What if the United States applied all of these measures not just to the hackers themselves but to companies that benefit from the data they filch from U.S. networks? There's no difference in criminal responsibility between a thief and the customer he's stealing for. But there could be all the difference in the world between hackers who do their work from the safe environs of a protective government and the hackers' customers, who can't be truly successful in today's world if they aren't part of the global marketplace. And going global means exposing their companies, executives, and assets to the legal systems of the United States, Europe, and a host of other countries that are furious at the wholesale espionage aimed at their companies. If a few big companies in China find that having a cozy relationship with hackers means criminal prosecutions and asset seizures, they're a lot more likely to say "Thanks, but no thanks" to offers of stolen data.

Of course, to bring those cases, the government will have to have those companies dead to rights, and so far it doesn't. U.S. security researchers have done a great job of tracking the thieves back home. But they've had trouble identifying the companies who ultimately benefit from cyberspying.

That too is an attribution problem -- the next one we have to solve if we want to really discourage commercial cyber-espionage. It will be difficult, but no harder than the first attribution problem looked five years ago. Given the stakes, improving cyber-attribution should be at the top of U.S. intelligence priorities. And now that private researchers have demonstrated how much attribution can be accomplished without all the resources and authorities of the CIA and NSA, those agencies should be embarrassed by their poor record to date. And they may not have much time before someone -- Iran, North Korea, Hezbollah -- causes a power outage or other control system failure in the United States. If they can't tell the president who did that, the heads of those agencies will be looking for new jobs. As part of the attribution effort the United States needs for defense, it shouldn't be that hard to identify the customers who benefit from cyber-espionage.

* * *

While the technical challenges remain with U.S. intelligence and law enforcement agencies, there have nonetheless in recent months been hopeful signs from an unexpected place: Congress. Of course, past legislative efforts aimed at improving our passive cyber-defenses (e.g., regulating critical infrastructure security, information sharing) have struggled to take off. Business groups have resisted measures that might result in more regulation, and privacy groups have opposed measures that might weaken protection of personal data. But the political calculus may be different when it comes to imposing pain on the hackers themselves. In recent months, the Hill has been buzzing with new ideas for identifying and punishing cyberspies and the companies that benefit from them.

At a recent hearing before the Senate Judiciary Committee's Subcommittee on Crime and Terrorism, I testified about some of these ideas. Senators Sheldon Whitehouse (D-RI) and Lindsey Graham (R-SC) expressed particular interest in measures to impose sanctions on countries that support hackers as well as potential visa restrictions.

Another example is the Deter Cyber Theft Act (S. 884), which has been sponsored by a bipartisan group of senators that includes Carl Levin (D-MI), John McCain (R-AZ), Tom Coburn (R-OK), and Jay Rockefeller (D-WV). This bill would require intelligence agencies to report annually to Congress on countries and entities that engage in cyber-espionage, as well as to identify intellectual property that has been stolen as a result of hacking. It further permits the president to prevent the importation into the United States of products that are linked to foreign cyber-espionage activities, such as articles that have been manufactured using stolen IP or that have been produced by companies that have benefited from it. In short, the bill would nudge the government toward broader attribution, greater naming and shaming, and some efforts to deny companies the fruits of using stolen information.

If these measures result in the punishment of Chinese companies, there is no doubt that China will seek to reciprocate. But once again, asymmetry is likely to complicate their task. U.S. intelligence agencies do not steal commercial secrets for U.S. companies, so it will be hard for China to mirror these measures without faking the evidence. In short, a focus on the beneficiaries of commercial espionage could cause real pain for cyber spies and their customers. With luck, this may allow us to add a corollary to Baker's Law about cyberspies: Not only does their security suck, but maybe soon it will suck to be them.