Restrained by design: the political economy of cybersecurity

The empirical record of cyberattacks features much computer crime, espionage and hacktivism, but none of the major damage feared in prevalent threat narratives. The purpose of this article is to explain the absence of serious adverse consequences to date and the durability of this trend.

This paper combines concepts from international relations theory and new institutional economics to understand cyberspace as a complex global institution with contracts embodied in both software code and human practice. Constitutive inefficiencies (market and regulatory failure) and incomplete contracts (generative features and unintended flaws) create the vulnerabilities that hackers exploit. Cyber conflict is a form of cheating within the rules, rather than an anarchic struggle, more like an intelligence-counterintelligence contest than traditional war.

Cyber conflict is restrained by the collective sociotechnical constitution of cyberspace, where actors must cooperate to compete. Maintenance of common protocols and open access is a condition for the possibility of attack, and successful deceptive exploitation of these connections becomes more difficult in politically sensitive situations as defense and deterrence become more feasible. The distribution of cyber conflict is, thus, bounded vertically in severity but unbounded horizontally in the potential for creative exploitation.

Cyber conflict can be understood with familiar political economic concepts applied in fresh ways. This application provides counterintuitive insights at odds with prevalent threat narratives about the likelihood and magnitude of cyber conflict. It also highlights the important advantages of strong states over the weaker non-state actors widely thought to be empowered by cyberspace.