![Sample our Law journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5942/TOC-Subject-Sample-2021-Law.jpg"})
ABSTRACT
Why are some countries better prepared against cyberattacks than others? Whilst previous studies have revealed discrepancies in countries’ cyber readiness, there has not been any rigorous analysis which attempts to explain this variation. Based upon a new data set (Country Capability Data Set), this article therefore seeks to explain why some countries have a higher cybersecurity readiness compared to others. We develop three theoretical frameworks to explain variation in countries’ cyber readiness: (i) ‘institutional threat’; (ii) ‘institutional returns’; and (iii) ‘institutional capacity’. We find that countries facing a more threatening security environment are more likely to have a high level of cyber readiness. Also, the analysis indicates that countries which are highly dependent on cyberspace are more likely to have a high level of cyber readiness. Yet, surprisingly, we do not find a statistically significant association between our measures of institutional capacity (including real GDP) and cyber readiness. In other words, states which have more resources available to allocate to developing a reliable and frontier technology infrastructure are not at a systematic advantage in their cybersecurity investments.
Acknowledgments
We would like to thank Global Forum on Cyber Expertise (GFCE) for letting us present and receive feedback on an earlier version of this paper at their Annual Meeting in Singapore, 2018.
Disclosure statement
No potential conflict of interest was reported by the authors.
Notes on contributors
Dr Christos Andreas Makridis is a Digital Fellow at MIT Sloan's Initiative on the Digital Economy, a Non-Resident Fellow at Harvard Kennedy School's Cyber Security Project, and a Non-Resident Fellow at Baylor University's Institute of Religious Studies. He earned his doctorates in management science and engineering and economics at Stanford University.
Dr Max Smeets is a cybersecurity postdoctoral fellow and lecturer at Stanford University Center for International Security and Cooperation (CISAC). He is also a non-resident cybersecurity policy fellow at New America and Research Associate at the Centre for Technology & Global Affairs, University of Oxford.
Notes
1 In the United States, President Barack Obama began making cybersecurity a priority. For example, the US Army established the US Cyber Command in 2010 and the US Department of Defense published a new cybersecurity strategy in 2011 (updated in 2015). Two years later, in March 2013, US officials stated that the cyberthreat has now replaced terrorism as the greatest threat to national security (Boulanin Citation2013). For popular press and policy accounts, respectively, see (Dilanian Citation2013; The Secretary of Defense Citation2015). Other countries have provided similar statements in their national (cyber)security strategies. For example, see: Ministry of Finance (Citation2018).
2 Many states have also developed offensive cyberattack capabilities (i.e. military cyber warfare organisations), including: Argentina, Brazil, Canada, China, the Democratic People's Republic of Korea, Denmark, Germany, India, Iran, the Republic of Korea, Switzerland and the United States (Lewis and Timlin Citation2011).
3 The variation in policy responses across countries has been discussed by many academics and policymakers. Melissa Hathaway (Citation2013), for example, described the maturity of, and commitment to protecting their investment in various areas, of 35 countries. Hathaway observes great differences between countries in terms of adopting appropriate legislation, fostering international cooperation and investing opportunities in private-public information-sharing exchanges. She has also been the lead investigator of a new project from Potomac Institute for Policy Studies (Hathaway 2015).
4 As discussed in section II, countries with the highest readiness score include Singapore, United States, Malaysia, Oman and Estonia. Also see: Business Achiever (Citation2017); E-Estonia (Citation2018).
5 For several examples of cybersecurity indices, see RSA (Citation2015), Booz Allen Hamilton and The Economist Intelligence Unit (Citation2011) and United Nations Institute for Disarmament Research (Citation2013).
6 For an alternative definition at the business level, see Accenture (Citation2018).
7 After all, it is widely acknowledged that cybersecurity is a multifaceted problem requiring a range of actions to keep pace with the technology. For example, Alan Marcus, Senior Director, Head of IT and Telecommunication Industries for the US's World Economic Forum, said, ‘[c]ybersecurity is an issue that no one organization can resolve by itself’. This point was already acknowledged in the Presidential Decision Directive 63 (PDD-63), the first presidential directive released in May 1998 by President Clinton, which called for a range of actions intended to improve the nation's ability to protect ‘critical infrastructure’ from physical attacks and cyberattacks. See: The White House, ‘Protecting America's Critical Infrastructures: PDD 63’, Critical Infrastructure Assurance Office, (May 22, 1998) quoted in Hathaway (Citation2013, 9).
8 For an alternative discussion see: Smeets (Citation2018) or Smeets and Lin (Citation2018).
9 See for example Russia's policy (Russian Federation Citation2013).
10 Although from a rational-choice perspective all actors are value-maximising, it does not mean that actors are expected to respond in the same manner to a security threat. Readiness for a security threat will vary from one country to another and from one historical context to another, depending on differences between actors’ (i) values and objectives, (ii) estimates of consequences of different courses of action, and (iii) net valuation of each set of consequences.
11 The extensive fortification system was constructed to prevent similar intrusions from happening again.
12 Ibid.
13 This is the first study to make use of the data set. It currently includes 120+ variables on cyber capacity.
14 For an overview of other indices see: Index of Cybersecurity Indices 2017, ITU.
15 The cyber readiness index developed by Melissa Hathaway, for example, only examines 35 countries that have embraced ICT and the internet. Hathaway, ‘Cyber Readiness Index 1.0’.
16 For previous uses of the indicator to measure country threats see: Jo and Gartzke (Citation2007).
17 To gauge the plausibility of our claim, we estimate an AR(1) regression with the CINC index and find an autoregressive coefficient of 0.993 (p-value = 0.00), consistent with our view that national capabilities are very persistent.
18 Even though we have used indicators from international companies, there is a chance that these indicators are insufficiently ‘global’, meaning that results might be affected by variations in the take-up/availability of these products in different countries. Having said that, we are not looking at absolute numbers (e.g. number of intrusions) but indexed numbers (e.g. number of intrusions per 1000 computers).
19 One alternative explanation could be that there is a lagged effect: countries first adopt IT infrastructure and then realise their dependence on it. This could mean that countries with a high levels of IT dependency have not yet formalised this into an institutional interest in cybersecurity.