EtiAmmos / Shutterstock

Ideas

The US Needs an Industrial Policy for Cybersecurity

Government intervention is needed to fend off the steady barrage of attacks on the digital infrastructure of U.S.-based companies and public agencies.

Vinod K. Aggarwal and Andrew W. Reddie

|
By Vinod K. Aggarwal and Andrew W. Reddie

President Trump’s recent Executive Order restricting the use of Huawei's telecommunications equipment was hardly the first time the U.S. government has intervened in the private sector for purposes of national security. During World War II, for example, the U.S. government pumped investment into the American steel industry to ensure the military had a sufficient supply to build tanks, ships, and other armaments. 

In the ensuing decades, however, other industries made more far-fetched claims for intervention. The American wool industry argued in the 1950s for government protection of domestic production by claiming that up to 200 million woolen blankets could help the population survive an atomic war. Oil industry lobbying in the 1950s led the government to impose oil quotas, which ended up draining American reserves and contributing to the oil spike of 1973. Just last year, Trump’s tariffs on steel made by U.S. allies, levied in the name of national security, drew protests from the American defense industry.

The 2018 tariffs notwithstanding, industrial policy—actions taken by governments to grow sectors of the economy that are deemed to be strategically important, but in which market dynamics have led to an under-provision of a good or service—has largely fallen out of favor. But in recent years, the steady barrage of attacks on the digital infrastructure of U.S.-based companies and government agencies suggests that one key sector has a far more plausible claim to make for government intervention: the cybersecurity industry.

Related: The People of Baltimore Are Beginning Their Fifth Week Under Electronic Siege

Related: Trump Signs Executive Order to Boost Federal Cyber Workforce

Related: The US Needs a Cybersecurity Civilian Corps

Industrial policies are appropriate when market failures have led to the underprovision of a good or service. The cybersecurity industry’s growth has been held back for several reasons, including intractable labor shortages. Both the United States and United Kingdom suffer from a documented shortage of skilled programmers and computer scientists working on cybersecurity issues, and the U.S. alone is projected to have a shortage of 1.2 million professionals by 2022, according to the Center for Strategic and International Studies. The market has also been hindered by so-called “information problems,” as firms are often not aware of their own vulnerabilities and avoid sharing information about data breaches given the reputation costs associated with disclosure.

So what can the government do about it? The White House’s move to restrict Huawei's telecommunications equipment offers one approach for reducing the reliance on foreign IT components and expertise. What most analyses of this approach miss, however, is that there are a large number of alternative mechanisms that states can use to bolster domestic industry. 

With support from the University of California, Berkeley’s Center for Long-Term Cybersecurity, we recently published a report that assesses the costs and benefits of various industrial policy measures, based on an analysis of industrial cybersecurity policies in the United States, China, Taiwan, Japan, the EU, Britain, France, and Finland.

Our analysis found that, while the federal government has taken an array of approaches—ranging from direct procurement of services from U.S.-based firms to the creation of government-linked venture capital arms, such as In-Q-Tel, a self-described “strategic investor for the U.S. intelligence and defense communities”—much more could be done. Given the scope and complexity of the challenge, policymakers should be thinking more broadly about an industrial policy framework that better supports cybersecurity products and services. It’s time for the U.S. federal government to take the lead and bolster cybersecurity spending, providing more funding for research and training and creating a more transparent regulatory context, particularly around information sharing. 

Implementing effective industrial policy for cybersecurity won’t be easy. Firms may be reluctant to share proprietary information, import and export rules can impede knowledge flows and limit the potential for firms to learn from more experienced firms abroad, and such regulations can limit the pursuit of comparative advantage. Divergent national regulatory frameworks globally can lead to regulatory arbitrage, in which businesses operate in the most permissive regulatory environments and eschew business from countries with more regulations. Different players in the private and public sectors may hold different values and interests, which presents another obstacle to developing one-size-fits-all policy and regulatory solutions.

Despite these challenges, building an effective framework for intervention should be a priority, particularly as the complicated nature of interactions between the public and private sector in cybersecurity markets could affect other emerging technologies, including artificial intelligence, quantum computing, and robotics. The government’s role will only grow more important as digital technologies expand and the need to create a robust cybersecurity sector and workforce grows more urgent.

NEXT STORY: The People of Baltimore Are Beginning Their Fifth Week Under Electronic Siege

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.