The Volokh Conspiracy


Cybersecurity and the TPP


Here's one more surprise in the newly released TPP. It could have a big impact on cybersecurity. That's because the deal prohibits nations from asking mass market software companies for access to their source code. See TPP article 14.17 (http://www.mfat.govt.nz/downloads/trade-agreement/transpacific/TPP-text/14.%20Electronic%20Commerce%20Chapter.pdf). The ban doesn't apply to code run on critical infrastructure, which will make for endless disputes, since there's very little mass market software that doesn't run on computers involved in critical infrastructure.

Right now, this is a measure US software companies want. That's because we make most of the mass market software in the market. But that's likely to change, especially given the ease of entry into smart phone app markets. We're going to want protection against the introduction of malware into such software. The question of source code inspection is a tough one. If other countries can inspect US source code, they'll find it easier to spot security flaws, so the US government would like to keep other countries from doing that. But I doubt US security agencies are comfortable letting Vietnam write apps that end up on the phones of their employees without the ability to inspect the source. In short, this is a tough policy call that is likely to look quite different in five years than it does today.

Which is why it's a bad topic for a trade deal. Trade negotiations have sprawled out of simple tariff deals and into "nontariff trade barriers"—which can be anything international business doesn't like about other countries' policies.

In practice, this is a challenge to our normal democratic processes. To begin with, the US Trade Representative's office is an unapologetic advocate for the interests of US companies; its negotiators ask what US businesses want from other countries and then go out to get it. Of course, whatever deal USTR brings back inevitably pleases some industries more than others, so USTR has to assemble a coalition in support of its package deal, which means a festival of log-rolling, but only for those lucky enough to have a seat at the table. (In this administration, unions and environmentalists have had a seat too, but expanding the table hasn't changed the process.)

Once negotiated, the whole messy package is presented to Congress for an up-or-down, take-it-or-leave-it vote, no amendments allowed. A vote against the deal becomes a vote against the entire business community, if not against the modern era of increasing international trade. And the product of that dubious style of lawmaking is not just unamendable on the floor. It's unamendable more or less forever, because any change at a later time violates the trade treaty, and invites trade sanctions from every other country that signed the deal. It makes a more permanent change in US law than anything short of a constitutional amendment.

That's one reason the left has already bailed out on trade deals. Approval of the TPP will depend almost entirely on Republican votes. If the source code provision leads GOP national security hawks to rethink their support for the deal, the deal will be in real trouble on the Hill.