ABSTRACT
This article analyzes the policy options available to governments for addressing the very costly economic impacts of cybersecurity threats. It contributes to complexity thinking in public policy. Complexity involves self-organization, emergence, feedback loops, and adaptation. We show that these are present with cyberthreats. In contrast to plans that involve a series of linear steps to a specific outcome, complexity thinking recommends adaptive design, which creates processes that involve coordinated decentralized capacity for experimentation and resilience. These are illustrated with an examination of the 2007 nation-wide cyberattack on Estonia and the lessons learned from this attack.
Acknowledgements
This is an extensively revised version of a paper prepared for a workshop on disruptive technologies at Lee Kuan Yew School of Public Policy, National University of Singapore, 30–31 August 2019. Comments on that paper from workshop participants are gratefully acknowledged, as is research assistance by Jessica Gut. This paper draws on our co-authored papers presented at the European Group for Public Administration conference in Lausanne, September 2018, and the International Studies Association annual meeting in Toronto, March 2019. This version has benefitted greatly from comments at these conferences and from this journal’s anonymous referees.
Disclosure statement
No potential conflict of interest was reported by the author(s).