In 2009, the Centre for Economic Policy Research published a 100-page collection of essays on the rise of trade barriers and “murky protectionism” following the financial crisis.[1] The word “technology” appears only once in that report. Information technology has often been seen as a huge success story in global trade, but its rapid diffusion has introduced new risks. Modern economies, developed and developing, are increasingly reliant on their IT-supported infrastructure for almost every aspect of daily life. Yet, as the headlines attest, this infrastructure is less than perfectly secure, and the rapidly evolving threat landscape exposes the dependent societies to dramatic risks. The interdependence of systems and institutions means that a security failure can have dire consequences.
Governments around the world have begun to develop strategies to protect themselves against cyber threats while trying to promote the benefits of a cyber-enabled world. NATO’s Cooperative Cyber Defense Center of Excellence has identified over 50 countries that have published a cybersecurity strategy “defining what security means to their future national and economic security initiatives.”[2] Scholars have identified common themes across most declared strategies, indicating that the generalized risks faced by all of us are not that different.[3]
It is one thing to propose broad goals. It is another to work towards enacting these strategies. It is the policies that fulfill these strategic goals that will shape the digital future, defining cyberspace not just for the countries themselves, but the broader globalized Internet society. As countries begin to implement policy and “the focused application of specific governmental levers and information assurance principles,”[4] the differences can inform us about what works and what does not.
Perhaps equally important, studying cybersecurity policies can help us understand the secondary consequences of seeking a more secure cyberspace. This paper will survey the nascent but burgeoning area of cybersecurity policy and identify how public policies will interact with the private provision of the IT products they seek to regulate. In particular, how do cybersecurity policies affect the globalized trade of information technology and the growth and development these technologies have promised?
After reviewing the arguments for government involvement in securing information systems, this paper will review different types of initiatives that have emerged from countries around the world, and explore their potential impact on improving security. In addition to their impact on risks, some government actions can distort the market for IT goods and services. The second half of this paper examines the economic impact of security-motivated policies that serve as barriers to trade. Given the magnitude and importance of the topic, I lay the foundation for a larger research agenda, and offer a set of policy recommendations for governments and IT stakeholders.
[1] Baldwin, Richard, and Simon Evenett. The Collapse of Global Trade, Murky Protectionism and the Crisis: Recommendations for the G20. CEPR (2009).
[2] Klimberg, Alexander (ed). “National Cyber Security Framework Manual.” NATO CCD COE Publications. (December 2012). http://www.ccdcoe.org/publications/books/NationalCyberSecurityFrameworkManual.pdf
[3] Organisation for Economic Co-operation and Development. Cybersecurity Policy Making at a Turning Point. (2012). http://www.oecd.org/sti/ieconomy/cybersecurity%20policy%20making.pdf
[4] Klimberg 2012.
