This dissertation explores the dynamic of control between politics and technology, looking at three particular facets – assimilation, restriction, and standardization – as examples of the evolving relationship between the state and information security. Chapter 1 looks at the process of assimilation as the state attempts to use information security toward its own ends. Critiquing contemporary arguments on the presence of an offensive advantage in information security, this chapter breaks open the previously black-boxed process of developing and deploying offensive capabilities by the state. In particular, it examines how the software development process impacts, and often limits, the state’s ability to employ malicious tools, especially in lieu of conventional alternatives like precision-guided bombs. Advancing the argument that there is substantial complexity in the offensive process, the chapter concludes that existing assumptions about ease of use and the likelihood of rapid escalation prevalent in the literature on the topic are exaggerated, owing to the challenges in assimilating and employing information security tools in a conflict environment.
Chapter 2 takes up the question of control through restriction, explaining the repeated use of export controls to regulate the diffusion of information security products globally. Set against a collection of legal tools seemingly ill-fitted to controlling the flow of software, the Departments of Commerce, State, and Defense have persisted in the application of export controls to limit trade in information security products. Rather than adapt to a changing commercial and research environment or craft policy tools better suited to curtail the spread of information security products abroad, the U.S. continued to apply and only moderately tweak the composition of export controls despite their limited effectiveness. This chapter explains the selection of these controls and their persistence as a product of boundedly rational behavior to minimize transaction costs and change in standard operating procedures, even at the cost of reduced regulatory efficacy.
Chapter 3 looks at standardization, asking whether the recent emergence of the information security insurance industry as a means of private governance is a product of the state’s failure to set and enforce standards or the private sector’s opportunistic action to lock in material benefit. Synthesizing previous state efforts to create standards with literature on private governance and its internal debates, the chapter examines the history and process of insurance. It argues that a market-driven enforcement mechanism was key to providing financial benefit to companies willing to lead in the governance process.
|Advisor:|Sell, Susan K.|
|Committee:|Adcock, Robert; Balla, Steven J.; Friedman, Allan; Hoffman, Lance J.|
|School:|The George Washington University|
|School Location:|United States -- District of Columbia|
|Source:|DAI-A 77/08(E), Dissertation Abstracts International|
|Subjects:|Information Technology, Political science, Computer science|
|Keywords:|Cybersecurity, Export controls, Insurance, Malware|
Copyright in each Dissertation and Thesis is retained by the author. All Rights Reserved