Business as Usual? The Indirect Governance of Cybersecurity

by Moritz Weiss and Vytautas Jankauskas

Abstract

Cyber-attacks have evolved as a predominant security problem for individuals, businesses and states alike. This lends significant urgency to the question of how does the state as supreme authority attempt to provide cybersecurity. In contrast to scholars stressing the state’s primary role as an ideal-typical monopolist of direct authority, we argue that the governance of cybersecurity is predominantly indirect. Yet, this is largely independent from cyberspace, but part of a larger trend, which has transformed the state into a manager of indirect authority. By exploring a myriad of national cyber arrangements, we demonstrate not only that both operational and regulatory powers are delegated and orchestrated to third parties, but also reveal systematic patterns of these indirect forms of governance. When we combine existing functional frameworks with our empirical exploration, we arrive at insightful conjectures. Given that delegation allows for some hierarchical control, it is the governance mode of choice when the state responds to threats to its military security. In particular, the build-up of military power clearly follows this pathway. Yet, governments also frequently enlist intermediaries by soft inducements without hierarchical control to tackle vulnerabilities in cyberspace. For instance, insurance companies are mobilized to induce behavioral changes of governance targets. As a result, the paper contributes not only to scholars’ debates on governing cyberspace and state authority, but also provides and applies analytical tools for a better understanding of the politics of cybersecurity.

Paper presented at the “Global Governance in the Internet Era Workshop”, Hertie School of Governance, Berlin (22-23 June 2017).

Please contact Moritz Weiss if you are interested in the manuscript.