UC Berkeley

Ensuring the cyber security of the private sector requires both the

production of and consumption of cyber security technology.

States vary in the degree to which they promote production and consumption.

Taking an institutionalist approach, I argue that the difference

between states can be explained as the result of two policy

legacies. States with a policy legacy of maintaining strong

traditional national security capabilities have the instruments

necessary to promote production of cyber security technology, as well

as actors---the military and intelligence agencies---who are motivated

to do so. States with a policy legacy of economic guidance have the

instruments to promote the consumption of cyber security technology,

and economically-oriented bureaucratic actors who see it as their

responsibility to do so.

To provide evidence for my hypotheses, I do a comparative case study

of Japan, the U.S., and South Korea. Japan, with a policy legacy of

restrained traditional security capabilities and a legacy of economic

guidance, does little to promote production but is active in promoting

consumption. The U.S., with a legacy of maintaining strong traditional

security capabilities but without a legacy of economic guidance, is

active in promoting production but does little to promote

consumption. South Korea, which has a policy legacy of maintaining

strong traditional security capabilities and a legacy of economic

guidance, promotes both.

The key implication of this research is that a state's ability to

promote cyber security in the private sector is heavily determined not

only by past policies, but past policies that were unrelated to cyber

security. States without the proper policy legacies will have to find

ways to build substituting institutions in order to promote both

production and consumption of cyber security.