An improvised patchwork: Success and failure in cybersecurity policy for critical infrastructure
- Public Administration Review
- 81(5), Sep-Oct, 2021: p.847-861
The last two decades have revealed the vulnerability of privately owned “critical infrastructure”—the power grid, pipelines, financial networks, and other vital systems—to cyberattack. The central U.S. response to this challenge has been a series of sectoral “partnerships” with private owner-operators of critical infrastructure, involving varying degrees of regulation. Qualitative analysis based on in-depth interviews with over 40 policymakers and senior private sector managers, as well as public documents, reveals considerable variation in how well this approach has worked in practice. The main predictors of policy success appear to be (a) the nature of the cyber threat to firms’ operations and (b) regulatory pressure on firms. However, other factors—such as the nature of intra-industry competition—also affect how well the current regime works in specific sectors. Our findings have implications for public administration on civilian cybersecurity, as well as ramifications for regulation in other policy domains. – Reproduced