Institutional Determinants of Cyber Security Promotion Policies: Lessons from Japan, the U.S., and South Korea
Ensuring the cyber security of the private sector requires both the
production and the consumption of cyber security technology.
States vary in the degree to which they promote production and consumption.
Taking an institutionalist approach, I argue that the difference
between states can be explained as the result of two policy
legacies. States with a policy legacy of maintaining strong
traditional national security capabilities have the instruments
necessary to promote production of cyber security technology, as well
as actors---the military and intelligence agencies---who are motivated
to do so. States with a policy legacy of economic guidance have the
instruments to promote the consumption of cyber security technology,
and economically-oriented bureaucratic actors who see it as their
responsibility to do so.
To provide evidence for my hypotheses, I conduct a comparative case study
of Japan, the U.S., and South Korea. Japan, with a policy legacy of
restrained traditional security capabilities and a legacy of economic
guidance, does little to promote production but is active in promoting
consumption. The U.S., with a legacy of maintaining strong traditional
security capabilities but without a legacy of economic guidance, is
active in promoting production but does little to promote
consumption. South Korea, which has a policy legacy of maintaining
strong traditional security capabilities and a legacy of economic
guidance, promotes both.
The key implication of this research is that a state's ability to
promote cyber security in the private sector is heavily determined not
only by past policies, but by past policies that were unrelated to cyber
security. States without the proper policy legacies will have to find
ways to build substituting institutions in order to promote both
production and consumption of cyber security.