Cyber Industrial Policy in an Era of Strategic Competition

Download the Report
Download the Report

A new report from the Center for Long-Term Cybersecurity (CLTC) outlines diverse industrial policy approaches that governments can use to bolster their domestic cybersecurity and technology industries. ‘Industrial policy’ refers to non-market efforts by governments to grow sectors of the economy that are deemed to be strategically important, but that are under developed as a result of market dynamics.

In their report, “Cyber Industrial Policy in an Era of Strategic Competition,” the authors—Vinod K. Aggarwal, Professor of Political Science at UC Berkeley, and Andrew W. Reddie, PhD candidate—argue that cybersecurity is particularly well-suited for government intervention because cyberattacks pose a significant security and economic problem for governments and firms, but growth in the cybersecurity industry has been limited by labor shortages and other challenges.

“Our intent is to help cybersecurity industry leaders and policymakers assess the costs and benefits of a range of possible industrial policy measures in an era of renewed strategic competition,” the authors write in the report. “We assess the driving forces of cybersecurity industrial policy, inventory existing industrial policy approaches, and examine what challenges and conflicts are likely to arise from the competitive pursuit of such policies.”

The report builds upon a two-year comparative project sponsored by CLTC. Drawing upon the efforts of academics from around the world, the study investigates the role of firms, governments, and other key stakeholders involved in the rise of industrial policies related to cybersecurity in the United States, China, Taiwan, Japan, the EU, UK, France, and Finland. Findings from the study were published in December 2018 in a special issue of the Journal of Cyber Policy.

Published as part of the CLTC White Paper Series, the new report provides an overview of many of the industrial policy approaches available to national policymakers seeking to advance their domestic cybersecurity industries, including:

  • Direct investments in cybersecurity-related goods and services;
  • Incentives for firms and agencies to invest in or procure goods and services from domestic firms;
  • Enabling the sharing of information between federal agencies and technology and manufacturing firms;
  • Limiting foreign firms’ participation in markets, as with the federal government’s restrictions on China’s Huawei and ZTE, as well as Russia’s Kaspersky Labs, which were banned out of concern they would provide undue access to Beijing or Moscow, respectively.

The authors write that although industrial policy may be appropriate for cybersecurity, policymakers should tread carefully because such policies can restrict free trade, lead firms to engage in arbitrage across countries, or expose differences in values among public- and private-sector actors. “Given the lessons learned over the past decade of addressing cybersecurity across a number of countries, we suggest 1) that programs to promote human capital development remain important but currently under-funded; 2) the regulatory context within which firms operate remains opaque—particularly with regard to information sharing requirements placed upon firms; and 3) further research is necessary to examine the multinational aspects of the cybersecurity, information technology, and IT-adjacent markets.”

“The practice of industrial policy in the cybersecurity marketplace remains in its infancy,” the authors explain. “While it is too early to tell whether existing policies and plans have been successful, the cybersecurity marketplace offers an important venue to watch—the complicated nature of interactions between the public and private sector in cybersecurity markets are likely to have corollaries in other emerging technologies with potential to be applied for economic and military purposes, including artificial intelligence, quantum computing, and robotics.”

Download the Report