Do New Cybersecurity Restrictions Amount to Regulatory Protectionism?

Protectionism masquerading as regulation in the public interest is the subject of an excellent new paper by my colleagues Bill Watson and Sallie James.  As tariffs and other border barriers to trade have declined, rent-seeking domestic interests have turned increasingly to regulations with noble sounding purposes – protecting Flipper from the indiscriminating nets of tuna fishermen, fighting the tobacco industry’s efforts to entice children with grape-flavored cigarettes, keeping U.S. highways safe from recklessly-driven, dilapidated, smoke-emitting Mexican trucks, and so on – in order to reduce competition and secure artificial market advantages over you, the consumer.

The paper documents numerous examples of this “bootleggers and Baptists” phenomenon, where the causes of perhaps well-intentioned advocates of health and safety regulation were infiltrated or commandeered by domestic producer interests with more nefarious, protectionist motives, and advises policymakers to:

be skeptical of regulatory proposals backed by the target domestic industry and of proposals that lack a plausible theory of market failure. These are red flags that the proposal is the product of privilege-seeking special interests disguised as altruistic consumer advocates.

After reading this incisive paper, you might consider whether a new law restricting U.S. government purchases of Chinese-produced information technology systems in the name of cybersecurity fits the profile of regulatory protectionism.  A two paragraph section of the 574-page “Consolidated and Further Continuing Appropriations Act of 2013,” signed into law last week, prohibits federal agency purchases of IT equipment “produced, manufactured or assembled” by entities “owned, directed, or subsidized by the People’s Republic of China” unless the head of the purchasing agency consults with the FBI and determines that the purchase is “in the national interest of the United States” and then conveys that determination in writing to the House and Senate Appropriations Committees.

Sec. 516. (a) None of the funds appropriated or otherwise made available under this Act may be

used by the Departments of Commerce and Justice, the National Aeronautics and Space

Administration, or the National Science Foundation to acquire an information technology system

unless the head of the entity involved, in consultation with the Federal Bureau of Investigation or

other appropriate Federal entity, has made an assessment of any associated risk of cyberespionage

or sabotage associated with the acquisition of such system, including any risk associated

with such system being produced, manufactured or assembled by one or more entities that are

owned, directed or subsidized by the People’s Republic of China.

 

(b) None of the funds appropriated or otherwise made available under this Act may be used to

acquire an information technology system described in an assessment required by subsection (a)

and produced, manufactured or assembled by one or more entities that are owned, directed or

subsidized by the People’s Republic of China unless the head of the assessing entity described in

subsection (a) determines, and reports that determination to the Committees on Appropriations

of the House of Representatives and the Senate, that the acquisition of such system is in the

national interest of the United States.

Congress and the administration have already effectively blacklisted Chinese telecom companies Huawei and ZTE by advising U.S. carriers not to purchase their wares and by blocking Huawei’s acquisitions of U.S.-based firms.  And none of the evidence that these companies are bad actors posing U.S. national security threats has been made public.   We are to trust that Huawei’s and ZTE’s U.S. competitors and their representatives in Washington have no ulterior motives in keeping the Chinese telecoms out of the market.

The new law would seem to ensnare many more Chinese companies, as “IT equipment” is a much broader category than just telecommunications equipment.  Notwithstanding any legitimacy to the concern that IT equipment made by Chinese companies fitting the statutory description could pose higher-than-average cyber threats, the law will undoubtedly have the effect of reducing demand for all Chinese-made or assembled IT equipment because the costs in time and money of enduring an FBI approval process, as well as the costs – for U.S. agencies and U.S. companies selling in the federal IT market – of ascertaining every potential Chinese suppliers’ relationship with the Chinese government will prove too daunting.  And, of course, among the significant beneficiaries of this diverted demand will be U.S.-based producers of IT equipment.

The fact that included among the restricted group of suppliers are companies “subsidized” by the Chinese government should raise eyebrows about the real motives of this law.  Are companies that receive subsidies more likely to be a cyber threat?  Or is this more score settling for Chinese industrial policies? If improved cybersecurity – and not protectionism – is the true aim of policy, there are better approaches that carry a much reduced risk of inspiring retaliatory measures from China and a proliferation of unilateral policies around the world.