Objective: The objective of this research is to understand how organizations and policies were altered by a new information security technology, namely intrusion detection and intrusion prevention systems (IDS/IPS). The paper tracks the progress of the U.S. federal government’s Einstein program between 2003 and 2013, which implemented first IDS and later IPS capabilities in U.S. government agency networks. IDS/IPS inspects data packets in real-time and decides how to treat network traffic based on automated recognition of threats. The paper will: 1) analyze the securitization of U.S. information infrastructure; and 2) assess the potential implications for U.S. telecommunications policy.Method: We draw on interviews with principal actors, documentary evidence from federal privacy impact assessment reports, policy documents and news reports to track the progress of the program. Theoretically, we draw on new institutional economics, specifically transaction costs theory, to explain how security technologies can create new dependencies or new forms of supervision across organizational boundaries, or require hierarchies where before there were market transactions or looser, networked forms of cooperation. Findings: Cybersecurity efforts can alter the boundaries between governmental and private networks. The implementation of cybersecurity policies struggled to maintain a clear line between security and surveillance. As Einstein progressed, the relationships between private sector operators of Internet infrastructure and the government’s Internet security initiatives proved to be especially sensitive. The DPI technology required greater coordination and some degree of organizational centralization, as well as new forms of information sharing between military intelligence agencies and civilian agencies. This restructuring profoundly affected the relationships between ISPs and the U.S. government. The civilian Department of Homeland Security (DHS) had to serve as the ‘trusted intermediary’ between the private sector actors and military and intelligence agencies. Initially the DPI equipment was housed in the government agencies, but later the ISPs retained control of the DPI equipment but were given signatures by federal agencies. In a 2013 executive order the government extended Einstein to include networks of the private sector Defense Industrial Base (DIB) and Critical Infrastructure (CI) companies. Through contractual arrangements, those entities can receive Einstein capabilities provided by telecom providers AT&T and CenturyLink and defense companies Lockheed Martin and Raytheon.Implementation of the technology, in other words, threw up for negotiation the question of authoritative responsibilities between civilian and the military/intelligence government entities and the boundaries between the public and the private sector in cybersecurity efforts. These dynamics triggered strong apprehensions about surveillance, security and civil liberties, as well as concerns about the distribution of costs and risks, which in turn seem to have had a strong impact on the way the technology was implemented.Contribution: This article contributes to the debate on the Internet’s securitization (e.g. Dunn Cavelty, 2008) by providing an empirical, longitudinal case study on technology deployment and its institutional effects. The emphasis on transaction costs provides a suitable analytical method for understanding the factors that created both pressure for and resistance to organizational changes.
Read full abstract