Cyber incidents and safety regions: The securitization of cyber security in regional government

Academic year: 2021

Cyber incidents and safety regions

The securitization of cyber security in regional government

Name: Ignas Melman Student number: s1417266

Email: Ignas_melman@hotmail.com Date: 12-01-2020

Table of contents

1. Introduction

2. Theoretical Framework

2.1 Securitization theory

2.2 The Copenhagen School and cyber security

2.3 Securitization of cyber security in the Netherlands

2.4 Safety regions and cyber security

3. Key concepts and terminology

3.1 Cyber security

3.2 Cyber incidents and digital disruption

3.3 Mandate

3.4 Threat perception

3.5 Preparation

4. Research design

4.1 Hypotheses

4.2 Case study analysis

4.3 Data collection

5. Case one: VRZHZ

5.1 Mandate

5.1.1. Crisis management

5.1.2. Information management

5.1.3. New role of safety regions

5.2 Threat perception

5.2.1. Perceived as threat

5.2.2. Nuancing the image of threat perception

5.3 Preparation

5.2.1. Impact on internal systems

5.3.2. Impact on society

5.3.3. Cyber security maturity model

6. Case two: VRR

6.1.1. Crisis management

6.1.2. Information management

6.2 Threat perception

6.2.1. Threat perception and the port of Rotterdam

6.2.2. Threat perception outside the port

6.3 Preparation

6.3.1. Impact on internal systems

6.3.2. Impact on society

6.3.4. Cyber security maturity model

7. Case three: VRG

7.1 Mandate

7.1.1. Crisis management

7.1.2. Information management

7.1.3. New role of safety regions

7.2 Threat perception

7.3 Preparation

7.3.1. Cyber security maturity model

8. Comparing the cases

8.1 Mandate

8.1.1. Risk and crisis management

8.1.2. Information management

8.1.3. New role of safety regions

8.2 Threat perception

8.2.1. Expertise

8.2.2. Network

8.2.3. Digital infrastructure

8.2.4. Elusiveness

8.2.5. Collective threat perception

8.3 Preparation

8.3.1. Collective initiatives

9. Conclusion

9.1 Discussion

1. Introduction

Technological developments and the drive for effectiveness and productivity have led to an increase in the complexity of systems. Through digitization, IT systems are becoming increasingly intertwined with critical infrastructure, business processes and government services, which makes it difficult to distinguish between the digital and the physical world. Many processes are digitized to enhance effectiveness and the comfort of the end users of services. Operators are able to control large, complex systems at a distance; train schedules are generated automatically, multiple bridges can be managed from one central control room and the distribution of electricity has been automated. Networking systems allows for a great increase in productivity.1 However, if these systems were to fail, this could cause massive damage to physical property, the economy, and society as a whole. Due to the interdependency of critical infrastructure, failure in one system may have cascading effects and affect many others. In addition, analogue options to control critical processes as well as the knowledge to operate them manually are disappearing. This means that back-up options for digital infrastructure are becoming less available, as are the people that know where to find them and how to control them.2

The Netherlands is one of the most digitalized societies in the world.3 This is a position that brings a lot of opportunities, but entails threats at the same time; the malfunctioning of digital systems could have a disrupting effect on society.4 Various actors concerned with the state of cyber security in the Netherlands have noted that the country is not sufficiently prepared for major cyber incidents and that the disruption of society as a result of a cyber incident is a realistic scenario. The most recent ones to sound the alarm in this regard have been the Nationaal Cyber Security Centrum (NCSC) and the Wetenschappelijke Raad voor het Regeringsbeleid (WRR), who signaled that the extent to which systems and infrastructure are coupled is a setup for societal disruption in case of a major cyber incident.5

Over the course of the past decades, cyber security has become an important topic for citizens as well as governments. For the Dutch government, cyber security is now a national security issue. Several institutions have been founded to increase the level of Dutch cyber resilience and mitigate the risks of cyber security threats in order to make the Netherlands “digitally safe”.6 Plans for cyber security are made by organizations such as the NCSC, which gives a yearly overview of the status of cyber security in the Netherlands. Moreover, cyber security plans and policies are included in documents such as the national crisis management handbook and the national ICT crisis plan.7 These documents give an overview of the actors concerned with crisis management on cyber incidents and the crisis management decision-making processes in case of a cyber incident. However, as the names of the documents listed above imply, they are mainly focused on the level of national government. This implies a lack of policy, actors and structures for cyber security on the regional level. The consequence is that there are no guidelines on the level of regional government on what their role in dealing with cyber incidents might be.

1 Landau, S. “Listening in: Cybersecurity in an Insecure Age.” Yale university press (2017): 28.

2 NCSC. “CSBN 2019: ontwrichting van de maatschappij ligt op de loer.” (2019): 7. Available via: https://www.ncsc.nl/actueel/nieuws/2019/juni/12/csbn-2019-ontwrichting-ligt-op-de-loer.

3 Munnichs, G., M. Kouw & L. Kool. “Een nooit gelopen race. Over cyberdreigingen en versterking van weerbaarheid.” Rathenau Instituut (2017): 10.

4 NCSC. “CSBN 2019: ontwrichting van de maatschappij ligt op de loer.”: 7.

5 WRR. “Voorbereiden op digitale ontwrichting” (2019). Available via: https://www.wrr.nl/publicaties/rapporten/2019/09/09/voorbereiden-op-digitale-ontwrichting. And: NCSC. “CSBN 2019: ontwrichting van de maatschappij ligt op de loer”.

When looking at regional government through the lens of crisis management, the most important actors are safety regions. The Netherlands is divided into 25 safety regions. They are responsible for organizing and managing fire brigades as well as crisis management and disaster relief capabilities. Traditionally, safety regions have had to deal with crises of a physical nature, such as a fire in a chemical plant, a plane crash or a physical terrorist attack. However, due to the growing complexity of systems and infrastructure described above, physical incidents now may have a digital cause or vice versa. These incidents can have a complex character since parts of critical infrastructure are often managed by private organizations, or by an array of different parties. This makes it difficult for safety regions to determine how well this infrastructure is protected, what the exact impact of an incident could be and which organizations need to be notified in the case of an incident.8 Thus, on a more general level, there are several uncertainties that a safety region might have when it comes to cyber security. It might be unclear what information position they should have towards national government, citizens and operators of critical infrastructure as well as regular companies, which actions they have to take in the case of a cyber incident, how much knowledge they should have on cyber threats and the consequences an incident could have on critical infrastructure as well as society as a whole.

The growing importance of cyber security in the context of national security and crisis management raises the question whether safety region officials feel the need to make arrangements to incorporate this subject into their crisis management capabilities as well and, if this is the case, how they are going to go about setting up and implementing measures to do so. In order to find an answer to these questions, the growing importance of cyber security in the security domain will be theorized using the securitization theory of the Copenhagen School. This theory states that some policy issues are framed as a security issue, which allows for the quick reallocation of resources to enable security actors to deal with the threat. The chapter on securitization theory will argue that the subject of cyber security is indeed securitized in the Netherlands. As a result, one would expect that countermeasures would be taken in the form of developing structures and plans to deal with cyber security incidents. Although this is the case on the national level, it appears that they are not present on the regional level. The research question will therefore be as follows:

6 Rijksoverheid. “Nederlandse Cybersecurity Agenda”. Available via: https://www.rijksoverheid.nl/documenten/rapporten/2018/04/21/nederlandse-cybersecurity-agenda-nederland-digitaal-veilig.

7 NCTV. “Nationaal Handboek Crisisbesluitvorming.” Available via: https://www.nctv.nl/themas/crisisbeheersing/documenten/publicaties/2016/09/13/nationaal-handboek-crisisbesluitvorming. And: Rijksoverheid. Nationaal Crisisplan ICT. Available via: https://zoek.officielebekendmakingen.nl/blg-193555.pdf.

8 Veiligheidsregio Zuid-Holland Zuid, “Risicoprofiel” (2019): p.135. Available via:

“To what extent does the securitization of cyber security explain the way safety regions in the Netherlands prepare themselves for cyber incidents?”

The aim of this thesis is to measure the influence of securitization of cyber security on safety regions, which will be done by looking at two factors, namely threat perception and the level of preparedness of safety regions regarding cyber incidents. The factor of mandate is added to this framework because it is expected to have a moderating effect on the other factors. The way these two factors are drawn from securitization theory is explained in the section ‘Securitization of cyber security in the Netherlands’. Hypotheses on the three factors will be given in the ‘hypotheses’ section in order to be able to measure them.

Answering the main question by testing the hypotheses will clarify whether safety regions have tasks and responsibilities in preparing for and dealing with cyber incidents, and what these tasks and responsibilities might entail. Analyzing the position of safety regions could help them in the process of judging what precautions they need to take to sufficiently prepare for the event of a major cyber incident occurring in the Netherlands. From an academic point of view, answering these questions is relevant because it provides insights into the extent to which a subject that is securitized on the national level influences the security dynamics on the regional level. Moreover, the academic field of cyber security has been characterized by a lack of gathering empirical data.9 This thesis aims to gather empirical data in order to answer the research question.

The structure is as follows: first, a theoretical section is given. This section explains what securitization theory entails, after which the literature regarding securitization and cyber security will be discussed. This literature notes a discourse in which the securitization of cyber security was first contested, but is now established due to the institutionalization of the subject as well as its link to national security. Afterwards, an overview of the securitization of cyber security in the Netherlands is given, arguing that the subject is indeed securitized. From the theoretical section, the three factors of mandate, threat perception and preparedness are distinguished, which will be used to answer the research question.

9 Balzacq, T., and M. Dunn Cavelty. “A theory of actor-network for cyber-security” European Journal of

Second, the definition and use of some terms like cyber security, cyber incidents and digital disruption are discussed. Then, the definitions of the three main factors of mandate, threat perception and preparation are given. Third, the methodology is discussed. Here, the key concepts of the research are operationalized by giving hypotheses on each of them. The research and data collection methods are then explained and justified. The analysis will be conducted through a case study, using data from documents supplemented by interviews.

Fourth, the theoretical framework will be used to analyze the gathered data. After three chapters in which separate cases are discussed, a fourth chapter will compare them and give an overview of the safety regions as a collective. Lastly, a conclusion will be given, in which the research question will be answered and the limitations of the research will be discussed.

2. Theoretical framework

In this chapter, the securitization theory will be further explained. A literature review of academic literature on securitization in combination with cyber security will be given as well, in which the discourse of the securitization of cyber security will be discussed. It will then be argued that the topic of cyber security has also been securitized in the Netherlands. Afterwards the attention will be focused on the level of regional government. A description of the organization and function of safety regions is given in order to gain some understanding of how these organizations function. Furthermore, the link between safety regions and cyber security will be further explained.

2.1. Securitization theory

The securitization theory was first developed by Buzan, Wæver and de Wilde and is connected to the Copenhagen School, which is one of the most influential approaches to the agenda of security studies.10 The theory explains the process of framing a certain issue as a security issue, which allows the quick reallocation of resources in order to fix the problem. The authors claim that security issues are not objective, nor are they necessarily an actual threat to society. However, an issue, also called “threat subject” (the source of the threat), is perceived as being a threat after it has been successfully framed as a security issue. Perceiving the issue as a threat means that counter-measures need to be taken in order to solve the issue. The framing of an issue happens through a speech act, which means that an actor publicly claims that an issue should be regarded as a security issue. A speech act is characterized by the message that action should be undertaken, or serious incidents will occur in the near future.11 This focuses the attention of policy makers on the problem.12 Framing can be seen as a battle between actors to capture the attention for a certain threat subject. The one delivering the speech act is the “securitizing actor”. Securitizing actors can be policy makers and politicians, but also non-governmental sources such as media or academics.13 Government based or not, the securitizing actor is usually an expert or authority, which gives them the ability to successfully deliver a speech act. The securitizing actor identifies both the threat subject and the “referent object”, that which is threatened.14 The authors claim that securitization can be ad hoc or become institutionalized; the latter is the case when the threat is persistent.15 It will be discussed below that in the case of cyber security, the response and sense of urgency have become institutionalized.

10 Buzan, B., O. Wæver and J. de Wilde. “Security, A New Framework for Analysis”, Lynne Rieners Publishers

2.2 The Copenhagen School and cyber security

Since the Copenhagen School first conceptualized securitization, a significant body of literature on the subject has been developed. Authors have applied the theory to several topics, such as terrorism and the climate change discourse. Securitization has also been applied to the field of cyber security. Initially, the Copenhagen School rejected the securitization of cyber security, which they still characterized as “the computer field”.16 They argued that the attempt failed since cyber security had “no cascading effects on other security issues”.17 There was therefore no need to theorize cyber security as a distinct security sector. A lot has changed since this assessment was made.

Internationally, cyber security has been institutionalized. NATO created the cyber defense center in Estonia following the cyber-attacks on the country in 2007 and the European Union created an agency for cyber security (ENISA) in 2004. On a national level, most countries have developed national cyber security strategies and have founded institutions that are concerned with the issue.

Following these institutional developments, academics have argued that cyber security has been successfully securitized. Balzacq and Cavelty distinguish two relevant bodies of literature when it comes to positioning cyber security within critical security studies. One is the Munk school, which focuses on surveillance and censorship. The other one uses the securitization theory to link the cyber dimension to national security.18

11 Hansen, L., and H. Nissenbaum. “Digital Disaster, Cyber Security, and the Copenhagen School”. International Studies Quarterly 53, no.4 (2009), 1155-1175: 1161.

12 Buzan, B., O. Wæver and J. de Wilde. “Security, A New Framework for Analysis”, Lynne Rieners Publishers (1998): 24-25.

13 Eriksson, J., “Cyberplagues, IT, and Security: Threat Politics in the Information Age” Journal of Contingencies and Crisis Management 9, no. 4 (2001): 211-222: 211.

14 Lawson, S. “Beyond Cyber-Doom: Assessing the Limits of Hypothetical Scenarios in the Framing of Cyber Threats”. Journal of Information Technology & Politics 10, no.1 (2013), 86-103: 88.

15 Buzan, Wæver and de Wilde. “Security, A New Framework for Analysis”: 27.

16 Ibidem: 25.

In the latter, Hansen and Nissenbaum have made an effort to theorize cyber security as a separate sector within security studies. They examined what threats and referent objects characterize cyber security and how this distinguishes it from other security sectors.19 They observe the large amount of referent objects in the field of cyber security and discuss the possibility to distinguish several discourses based on these different referent objects. They argue that discourses should be based on connected referent objects, because this better captures the securitizing and political dynamics of the field.20 This ties back to the notion that cyber security includes lots of different actors in the public and private sector who all wish to protect their data, networks and property. Because these might overlap, referent objects do so as well.

2.3. Securitization of cyber security in the Netherlands

The literature on securitization and agenda-setting discussed above has predominantly been written in the period 2000 to 2010, when the securitization of cyber security was arguably still contested and ongoing. All authors observe that cyber security has been firmly established in the security domain, and has been linked to national security. This is also the case for the Netherlands, which has made efforts to institutionalize cyber security and ingrain the subject in its national safety strategy; as discussed earlier, organizations like the NCSC and the Nationaal Coördinator Terrorisme en Veiligheid (NCTV) play a role in enhancing cyber security of Dutch society. Moreover, the Dutch cyber security agenda states that cyber security is now an integral part of national security.21 These developments show that threats to cyber security are not seen as a threat subject that can be easily solved by quickly implementing countermeasures, after which the subject can be moved out of the security domain again. Cyber security and the threats in the digital domain are seen as a developing field that needs constant attention, or as is stated in Cybersecuritybeeld Nederland 2019: “the digital threat is permanent.”22

As discussed in the previous section, cyber security can have many referent objects, depending on whether one looks at individual security, security of a company or national security. The referent object of cyber security in the context of national security is society as a whole, which the Dutch government divides into six categories: territorial safety, physical safety, economical safety, ecological safety, social and political stability and international rule of law.23

18 Balzacq, T., and M. Dunn Cavelty. “A theory of actor-network for cyber-security”: 78-179.

19 Hansen, L., and H. Nissenbaum. “Digital Disaster, Cyber Security and the Copenhagen School”: 1157.

20 Ibidem, 1163.

21 Rijksoverheid. “Nederlandse Cybersecurity Agenda”: 13.

22 NCTV, “Cybersecuritybeeld Nederland.” Available via:

Apart from many referent objects, there is a large array of threat actors as well. They vary from state actors and cyber criminals to terrorists, hacktivists and malfunctioning of systems due to an unintentional action.24 In the context of national security and safety regions especially, the relevant threat actor could be any of these; since safety regions are concerned with crisis management, they deal with incidents which have an abrupt impact on one or more categories of national security.

Buzan et al. do not precisely define when a securitization move is considered successful; they state the following on this: “We do not push the demand so high as to say that an emergency measure has to be adopted, only that the existential threat has to be argued and just gain enough resonance for a platform to be made from which it is possible to legitimize emergency measures…”25 Although there is no exact requirement for a successful securitization move, I argue that the inclusion of cyber security in the national security strategy of the Netherlands is enough proof to consider cyber security as a successfully securitized threat subject. The securitization of cyber security in the Netherlands will be taken as a starting point for this thesis. Now that it has been established that the subject has been securitized on the international and national level, this raises the question if and to what extent this influences the security dynamics on a regional level.

In order to measure this effect, it is important to look at the consequences that securitization has. The previous section on securitization theory discussed how the securitization of a subject has certain consequences; first, the subject is perceived as a threat. Therefore, one concept that will be studied is that of threat perception within safety regions regarding the subject of cyber security. Second, successful securitization means that measures need to be taken to counter the threat. In their theory, Buzan, Wæver and de Wilde describe the second mechanism as allocating resources in order to take emergency measures. However, as was stated before, the subject of cyber security has become institutionalized. This means that emergency measures might not be as relevant to look at, since long-term strategies and permanent institutions need to be in place to be able to counter the problem. Therefore, the second mechanism will not be analyzed by looking for implemented emergency measures, but by looking for counter-measures in general that prepare for cyber incidents or aim to minimize their impact. The factor that encompasses these measures is preparation. A third factor that will be examined is mandate. Before we can go into the hypotheses that come out of the securitization theory, it is important to find out whether officials within safety regions think that the safety region has a mandate to deal with cyber incidents and if this is the case, what their role in dealing with such an incident should look like. Lack of a clear role for safety regions could influence the way they perceive the subject of cyber security and digital disruption as important or relevant for their organization. These concepts will be further discussed in the section ‘key concepts and terminology’. Hypotheses regarding the concepts will be given in the section ‘hypotheses’.

23 NCTV. “Nationale Veiligheid Strategie 2019”. (2019). Available via: https://www.nctv.nl/documenten/publicaties/2019/6/07/nationale-veiligheid-strategie-2019: 5.

24 NCTV, “Cybersecuritybeeld Nederland.”: 17.

2.4. Safety regions and cyber security

The introduction described that the Netherlands is divided into 25 safety regions. A safety region consists of multiple municipalities and is a form of extended local government. This means that the mayor and city council of each municipality are responsible for organizing their own fire brigades, crisis- and disaster management capabilities and medical emergency services.26 In case of a crisis, these emergency services merge into one organization. The board of safety regions consists of the mayors of all municipalities in the region. During a crisis situation the head prosecutor, chair of the waterschap (regional water authority) and commissary of the Queen are always invited, along with relevant crisis partners.27 Municipalities are obligated to take part in a safety region by the law on the subject, which was passed in 2010.28 It was designed after policy makers noticed that a new form of local government was needed to be able to cope with a changing array of threats in an increasingly complex society. Municipalities did not have the capacity nor the budget to organize disaster relief and crisis management capabilities on their own, so they looked for a way to cooperate with other municipalities in order to combine their forces. The form of the safety region allows them to maintain highly efficient crisis management capabilities. Municipalities, safety regions and national government are embedded in one national crisis structure. In case of an incident, the crisis structure that fits the scale of the incident can be activated so the crisis can be managed properly.

Safety regions have a number of tasks, which can be divided into three categories: preparation, crisis management and information management. The task of preparation consists of organizing the fire brigades and medical emergency services in order to be prepared for small scale incidents as well as large scale crises. The task of crisis management consists of getting a crisis or incident under control, which requires cooperation between the several emergency services, the police and other actors which might be involved, depending on the context of the incident. Fire brigades and medical emergency services deal with the actual crisis response. Safety region officials have a coordinating role in the hot phase of a crisis, in which they make sure that the response to the incident progresses as well as possible. Lastly, the safety region has a task regarding information management. In the cold phase, this consists of making an assessment of risks within the region. Employees of the safety regions give advice to the mayors and boards of their municipalities as to whether action is required to mitigate these risks and if so, what these actions entail. In the cold as well as the hot phase of a crisis, the safety region is responsible for arranging and managing information streams within and between emergency services as well as giving information to other relevant actors. Moreover, the safety region has a responsibility to provide information to citizens in case of an incident on the origin and size of the crisis, the consequences for citizens and what they have to do in order to minimize the risk of the crisis impacting them. Lastly, the safety region has a duty to provide information on how its tasks are performed to the Ministry of Justice and Safety. The organization thus has a specialist role in the area of crisis management, in which they give advice, provide information to citizens and manage information streams within and between services outside of as well as during a crisis.

26 Ministerie van Justitie en Veiligheid. “Wet Veiligheidsregio’s” (2013). Available at: https://www.ifv.nl/kennisplein/crises-en-crisisbeheersing/wetgeving/brochure-wet-veiligheidsregios: 11.

27 Ministerie van Justitie en Veiligheid. “Wet Veiligheidsregio’s”: 15.

On the subject of cyber security, safety regions acknowledge that a cyber incident might have consequences that need to be dealt with in terms of crisis management. Each safety region has a risk profile, in which an assessment of risks relevant to their specific region is given. These profiles differ greatly in how comprehensive they are, how up-to-date they are and what methodology they use in assessing the risks their safety region faces. However, out of 25 safety regions, 19 have included the possibility of a cyber incident in their risk profiles.29 They mostly use the term “ICT incident” or “malfunctioning of ICT”. In the documents, these incidents are usually named in combination with critical infrastructure, especially telecom, electricity and gas provision. One risk profile uses the term “data communication” in the context of critical infrastructure. Thus although different terms may be used, it is clear that safety regions acknowledge that a cyber incident could have a significant impact on society.

3. Key concepts and terminology

In this chapter, the key concepts and terminology are discussed. First, the definition and use of the terms cyber security, cyber incidents and digital disruption will be discussed. Then, the key concepts of the study will be defined, which are mandate, threat perception and preparation. These concepts will be further operationalized in the section on research design, in which hypotheses are given on each of them.

3.1. Cyber Security

Cyber security is a relatively new field of study, which has recently seen a surge in popularity. It was historically part of computer science, but the significant role that technology, data and digital systems have begun to play in society made the security aspect a concern for policy and management.30 Consequently, cyber security has become an interesting topic for an array of different academic disciplines. Besides the technical disciplines of computer science and cryptography, cyber security is being researched by, for example, criminology, law, public administration and international studies. They have all developed their own research standards and terminologies on the subject. Consequently, there is a lack of uniform definitions in the field of cyber security, along with discussions in the academic field on how cyber security terminology should be used.31 This makes it difficult to determine which definitions to use and why.

Illustrative for the lack of uniform definitions is the way the word “cyber” is used; as a compound word, separately, or with a hyphen. Ramirez and Choucri have made an analysis of major journal databases Scopus and IEEE Xplore from 1990 to 2015 in order to determine what terms relating to information technologies and security were most commonly used. They found that the term “cyber security” was used a lot more than “cybersecurity”. A steady growth in its use was signaled, implying that the field might reach a consensus on the use of the word. The authors therefore recommended that the term “cyber security” be used as the standard term.32 Therefore, this term will be used in this thesis rather than “cybersecurity”.

Regarding the definition of cyber security, the following will be used: “Cyber security is the set of measures which aims to prevent damage caused by disruption, failure or misuse by IT, and if damage does occur, to repair it”.33 This definition is used in the Dutch cyber security agenda, which was published by the government. This means that this definition is viable for cyber security in combination with government and policy. Moreover, this agenda was released with the aim to give an overview of how Dutch cyber security policy has to develop over the next few years. This makes the definition a good fit for this thesis.

3.2. Cyber incidents and digital disruption

When looking at this definition of cyber security, it becomes clear that it is still quite broad, and may be applied to a wide range of parties, ranging from military networks to personal computers. It is therefore necessary to narrow the scope of what phenomenon will be studied within cyber security. Safety regions are concerned with crisis management, so in the case of cyber security, they are concerned with dealing with cyber incidents or their consequences. The British NCSC gives two definitions regarding such an incident: “a breach of a system’s security policy in order to affect its integrity or availability”, and: “the unauthorized access or attempted access to a system.”34 These definitions could be applied, much like the definition of cyber security, to the network of critical infrastructure just as well as to one individual’s personal computer. A cyber incident may thus very well be an incident that is contained by a company before it can cause major damage, or not have the potential to cause this kind of damage at all. It does not give information about the impact that the incident might have, while this thesis aims to focus on incidents with an impact on society. Although it is a nuisance, the breach of one individual’s computer will most likely not be an event in which a safety region has to take action.

30 Ramirez, R. “Making Cyber Security Interdisciplinary: Recommendations for a Novel Curriculum and Terminology Harmonization.” MIT Libraries (2016): 8.

31 Ramirez, R. and N. Choucri. “Improving Interdisciplinary Communication With Standardized Cyber Security Terminology: A Literature Review.” IEEE Access 4 (2016), 2216-2243: 2217.

32 Ramirez and Choucri. “Improving Interdisciplinary Communication With Standardized Cyber Security Terminology”: 2228.

A term that does give information on the impact of an incident is ‘digital disruption’. In a recent report, the WRR writes about the event of digital disruption, which they define as a disruption of society with a significant digital component.35 Social disruption follows a catastrophic event like a large scale flooding or a pandemic. However, it is difficult to determine a minimum threshold for such an event. The WRR states that it could entail an event in which the regular functioning of government institutions, society and economy are disrupted. This would have effects on society, economy and government, including processes such as the judiciary, elections and law-making processes. In case of a grave disruption, critical processes would stop or switch to a less effective mode, causing the continuity of society to no longer be guaranteed. There would be large economic damages, which could be material or immaterial. Moreover, there could be casualties.36

As becomes clear from this definition, it is difficult to determine what a regular cyber incident is and what could be considered a digital disruption. This ties back to the notion that the digital and physical world are increasingly interconnected. It proves difficult to determine what a digital disruption is exactly, since most incidents nowadays will probably have some sort of digital component. Moreover, the impact of a cyber incident could require action from a safety region, without immediately being classified as digital disruption. Recently, M. van Eeten has addressed the report of the WRR in a lecture, in which he argues that there is no such thing as a digital disruption.37 The essence of this debate is not terminology, but the policies that the government should make for cyber security incidents. The WRR states that a “digital fire brigade” should be installed by the government. Van Eeten disagrees, stating that the government does not have the means to do so and that such digital fire brigades already exist in private companies like Northwave, Fox-IT or CGI.38 It is unfortunately outside of the scope of this thesis to extensively go into this debate. Because of a lack of a clear-cut definition of the exact type of incident that will be studied, both the term cyber incident and digital disruption will be used. The term digital disruption was also used while conducting interviews, because it is the terminology that is mostly used by safety region officials. However, it should be noted that the focus will exclusively be on cyber incidents that have an impact on society or require a crisis response, because this is the kind of incident that concerns safety regions.

34 NCSC. “New Cyber Attack categorisation system to improve UK response to incidents”. Available via: https://www.ncsc.gov.uk/news/new-cyber-attack-categorisation-system-improve-uk-response-incidents.

35 WRR. “Voorbereiden op digitale ontwrichting”: 25.

36 Ibidem: 25-26.

37 Van Eeten, M. “Blussen met nullen en enen: Cyber-rampen, cyber-exceptionalisme en de rol van de overheid” (2019). Available via: https://www.bestuurskunde.nl/2019/11/14/blussen-met-nullen-en-enen-cyber-rampen-cyber-exceptionalisme-en-de-rol-van-de-overheid/.

3.3. Mandate

The literature on the concept of mandate mainly consists of analyzing what a mandate in the political realm means in relation to elections.39 This does not fit this research, since safety regions largely operate outside the political realm. Merriam-Webster defines mandate as follows: “an authoritative command”, or “an authorization to act given to a representative”.40 It is thereby noted that personal mandates are rare; they are usually given to institutions. This is also the case for this research, so the definition will be slightly adjusted to the following: “an authorization to act given to a representative or organization”. Although the definition is supplemented, this does not inherently change the definition of the word. The definition fits the case of this thesis better, since it opens up the possibility to explore the roles of an organization in government apparatus through the law that delineates the mandate of the organization.

In this thesis, the concept of mandate will be used to analyze the role and responsibilities that the safety region has in case of a digital disruption. As previously described, the safety region has responsibilities which can be divided in the categories preparation, crisis management and information management. The category of preparation will be discussed as a separate factor, as it is part of measuring the effect of securitization on the regional security dynamics. The categories of crisis management and information management will be used to structure the analysis on mandate to find out how the safety regions execute these responsibilities in case of a digital disruption.

3.4 Threat perception

The concepts threat and threat perception are mainly used in the context of international relations. A threat is defined as: “a situation in which one agent or group has either the capability or intention to inflict a negative consequence on another agent or group. Threats are probabilistic because they may or may not be carried out.”41

39 Hershey, M.R. “The Meaning of a Mandate: Interpretations of "Mandate" in 1984 Presidential Election Coverage”. Polity 27, no.2 (1994), 225-254.

40 “Mandate”. Merriam-Webster.com (2019). Available at:

The threat subject in this case could be an actor, but could also be the accidental malfunctioning of systems. Although the part in which “intention” is named may not be applicable, depending on the incident, the rest of the definition is very relevant; cyber incidents certainly do have the capability to inflict negative consequences on Dutch society. Moreover, it is not certain when or if this threat will be carried out.

Threat perception is defined as: “the extent to which the party feels danger to its physical existence, social and economic well-being, or its identity and values.”42 The party in this case consists of safety region officials. They aim to provide security to the referent object, which is Dutch society. In this case “physical existence, social and economic well-being, or its identity and values” is therefore not about the organization of the safety region itself. It is about Dutch society, or the part of society in which said safety region operates.

3.5 Preparation

Merriam-Webster defines preparation as follows: 1: “the action or process of making something ready for use or service or of getting ready for some occasion, test, or duty”. 2: “a state of being prepared.” 3: “a preparatory act or measure.”43 All these definitions could be applicable to the case, but the hypothesis on preparation given in the theoretical section states that safety regions are preparing themselves, implying that a process is still going on. This would make definition one a good fit. G.B. White has developed a model called the Community Cyber Security Maturity Model (CCSMM).44 Among other things, this model serves as a “yardstick” for officials to determine a community’s cyber security posture. Although the model was made to be applied to communities, the general levels of cyber security preparedness can be applied to organizations such as the safety region as well. The levels are as follows:

Level 1: there is minimal awareness of cyber security and information sharing on the topic. Minimal cyber assessments and policy evaluation are made, but there is little inclusion into operation plans.

Level 2: the leadership is aware of cyber threats and imperatives for cyber security. There is informal info sharing between actors in the community. No assessments of cyber threats are made, but officials are aware of the requirement for preparing for such incidents. There is an initial evaluation of policies and procedures. Officials are aware of the need to integrate cyber security into their plans.

41 Rousseau, D.L., R. Garcia-Retamero. “Identity, Power, and Threat Perception, A Cross-National Experimental Study.” Journal of Conflict Resolution 51, no.5 (2007): 745.

42 Rouhana, N.N., S.T. Fiske. “Perception of Power, Threat and Conflict Intensity in Asymmetric Intergroup Conflict, Arab and Jewish Citizens of Israel.” Journal of Conflict Resolution 39, no.1 (1995),

43 “Preparation”. Merriam-Webster (2019). Available via: https://www.merriam-webster.com/dictionary/preparation.

44 White, G.B. “The community cyber security maturity model” IEEE International Conference on Technologies

Level 3: Officials promote organization security awareness and there is training regarding the subject of cyber security. There is also formal information sharing and analysis on cyber security threats. Autonomous tabletop cyber exercises with assessments of information sharing, policies and procedures are being held. Cyber security is included in operation plans. This means that there are formal plans for cyber incident response and recovery.

Level 4: Leaders and organizations promote awareness: citizens are aware of cyber security issues. There is formal information sharing analysis, both internal and external towards the community. Autonomous cyber exercises are held including assessments of formal information sharing.45

These different levels will be used as indicators of the level of preparedness that safety regions have in case of a cyber incident.

4. Research design

In this chapter, the research design will be discussed. Three hypotheses are given to measure the concepts of mandate, threat perception and preparation. Then, the use of the case study method will be explained and justified. Lastly, a section will discuss the methods for data collection that will be used.

4.1. Hypotheses

The influence of securitization of cyber security on safety regions will be measured by answering two hypotheses on the factors threat perception and preparation. Before going into these factors, a hypothesis regarding the mandate of safety regions in dealing with cyber incidents will be given. The three factors have previously been defined and discussed, as well as the mechanisms in securitization theory from which they are derived. If securitization influences the regional level, then these mechanisms should be present in safety regions. Therefore, they are taken as the basis for hypotheses in order to test whether the dynamics of securitization theory also apply to the regional level. The hypotheses are then as follows:

H1: Safety regions have a mandate to deal with cyber incidents.

H2: Officials in safety regions perceive cyber incidents as a threat they should deal with.

H3: Officials within safety regions are making preparations to be able to deal with cyber incidents.

4.2 Case study analysis

For the analysis, a case study with three cases will be used. Although safety regions all have the same task, they do differ in terms of having a unique landscape of cities, industry and infrastructure. This may lead to differences in priorities and the contact they have with other parties and the way they function overall. A case study design is thus appropriate; it is not possible to talk about safety regions as a homogeneous set of organizations that all function exactly the same and cannot be in any way distinguished from each other. It is more suitable to study several of them in detail and analyze to what extent their approach to the subject of cyber security is different or similar.46 This can be achieved through a cross-case analysis, which allows for a comparison between different approaches and views on cyber security. The cases will be structured by analyzing the three factors of mandate, threat perception and preparation in each case. After discussing the three cases, a chapter will follow which discusses the differences and similarities between the cases. It will also provide additional information on initiatives that the safety regions are taking as a collective on the subject of cyber security incidents. This last chapter serves to provide an overview of the safety regions as a collective, which allows generalizing the findings to safety regions as a whole. In this chapter, the hypotheses will be tested as well.

From a theoretical point of view, a comparison through case study is a suitable approach. Although safety regions might differ in their approach to the subject of cyber security, this cannot be attributed to different securitization discourses of the subject. Safety regions in the Netherlands are all embedded in the same national structures, so the development of capabilities, policies and institutions on cyber security at the national level have logically been the same. Safety regions have thus all had the same ‘starting signal’, by which the growing importance of cyber security is meant. Therefore, differences in approach to the subject cannot be attributed to variations in context. Moreover, safety regions all have the same goals and responsibilities, but they are allowed to make arrangements which are most suited to their respective regions. So they all strive for the same, but can make adjustments which fit their situation best.

The three studied safety regions are Zuid-Holland Zuid (VRZHZ), Rotterdam-Rijnmond (VRR) and Groningen (VRG). These differ in terms of infrastructure and position in the country. For example, the port of Rotterdam is located within the VRR. The port is considered critical infrastructure and one of the three main ports of the Netherlands. The VRZHZ and VRR are located in the urban South West of the Netherlands, while VRG is located in the North. Analyzing regions with different locations and infrastructures prevents generalizing the findings of one set of specific regions to all safety regions. These three regions form a section of the safety regions of the Netherlands, which makes it possible to generalize the findings to all safety regions. Cross-case analysis strengthens the external validity of the research, in the sense that findings can better be generalized to other safety regions by analyzing the differences and similarities between several of them. The analysis of the several cases will also be supported with providing additional information on safety regions as a collective in the last chapters.

It is possible to generalize the findings of this thesis to security dynamics within the Netherlands. They will not be generalizable outside the Netherlands, since other countries may have fundamentally different organizational structures to deal with crisis management and cyber security.

4.3 Data collection

The research question will be answered by analyzing documents and using data from semi-structured interviews. Triangulating the data by using documents as well as interviews makes the findings more reliable, since findings can be verified by other sources. This is mainly important because the written documents might not contain very specific information or they might be outdated, which will be discussed later on in this section. These shortcomings can be overcome by supplementing the written sources through data gathered in interviews. A total of twelve interviews were conducted. Eleven interviews were held with safety region officials in the departments of risk management and crisis management and with people of the strategic as well as the operational level. Five interviews were held with officials of the VRZHZ, three with officials of the VRR and two with officials of the VRG. One interview was conducted with an official of safety region IJsselland. Lastly, one interview was conducted with an official of the National Crisis Centre (NCC). The data gathered through these last two interviews can be used to supplement the chapter in which the case studies are compared. The documents that will be used to answer the various sub questions are described below.

The basis of analysis for the sub question regarding the mandate of safety regions in dealing with cyber incidents will be the law on safety regions, a guiding document of the ministry of justice and safety that explains the implications of the law, and the data gathered from interviews.47

The basis of analysis for the sub question regarding threat perception will be the risk profiles of the studied safety regions. In these profiles, an assessment of possible incidents is made, which are categorized by origin of the threat. They assess how likely the occurrence of an incident is and how severe the impact of said incident might be. This fits the subject of the sub question; it gives an indication on how threats are perceived by officials within the safety regions. All regions use the specifically developed method of Nationale Risicobeoordeling to assess the risk of an incident.48 This method scores scenarios on impact and probability. The factor of impact is scored through five classifications: “limited consequences”, “considerable consequences”, “severe consequences”, “very severe consequences” and “catastrophic consequences.” The factor of probability is scored through five classifications as well: “very unlikely”, “unlikely”, “possible”, “probable” and “very probable.” These risk assessments will be made in order to determine to what extent digital disruption is seen as a threat.

47 Wet veiligheidsregio’s 2010 (NL). And: Ministerie van Justitie en Veiligheid. “Wet Veiligheidsregio’s” (2013). Available at: https://www.ifv.nl/kennisplein/crises-en-crisisbeheersing/wetgeving/brochure-wet-veiligheidsregios.

The limitation to these profiles is that although they do have a section on ICT incidents, they are fairly short, which does not give much material for analysis. This will be mitigated by gathering data through interviews with officials that work in safety regions. They can expand on the information in the risk profiles and provide context.

The basis of analysis for the sub question regarding how safety regions prepare themselves will be the policy and crisis plans of the safety regions. The policy plans describe what officials in the safety regions need to be able to do when an incident occurs; the crisis plans describe what role each actor has in case of an incident. The crisis plans are quite general; they are not specified to different types of crises. The policy plans are four-year plans which state the subjects on which the organization needs to focus. The data gathered through interviews will be used to provide context to these plans. Interviews can also provide additional insights such as whether staff receives training regarding cyber incidents, which can also be regarded as a form of preparation.

5. Case one: VRZHZ

5.1. Mandate

5.1.1. Crisis management

There is consensus among the officials of VRZHZ that the safety region has the task to react to the physical manifestations of a digital disruption. This lies within the standard tasks of the safety region and can be handled through their existing structures. The respondents agreed that the process of doing so would not be inherently different than handling regular incidents. In the first response to an incident, the cause is often not known. The fire brigades and medical emergency services follow their protocols and in case of a larger crisis, the cause often only surfaces after a few hours. The same goes for a digital disruption: first responders will answer to any physical manifestations of the incident as they normally would. One exception is when their own systems would be affected by a cyber incident. In this case, the response might be delayed and limited due to reduced capacity, such as a lack of coordination and communication due to failing ICT. However, even then they expect to be able to improvise and to set up an emergency response.

Safety region officials highlighted that the VRZHZ does have a role in reacting to the physical manifestations of a disruption, but is not able to deal with the source of a digital disruption when the source lies in the digital domain. Organizations with technical expertise should work to normalize the situation in the digital domain, while officials of the safety region focus on the societal effects of the incidents. VRZHZ does not have the capacity nor expertise to do so and does not see a role for the organization in this regard.

5.1.2. Information management

The respondents agree that the VRZHZ has a role in bringing together relevant crisis partners in case of a digital disruption. VRZHZ officials also have a responsibility to inform citizens in case of a cyber incident that impacts society by reaching out to their network in case of a digital disruption and However, the company which has been hit by the incident has a role in communicating about the incident as well. For example, respondent seven argued that in case of a power outage, electricity provider Stedin will communicate about the source of the incident and the expected recovery time. The VRZHZ will communicate about the consequences for citizens.

The interviews revealed that although the VRZHZ has good contacts in the area of crisis management, they do not have a sufficient network in the cyber security sector to secure their information position. In order to be able to fulfill the role as information manager during a digital disruption, officials need to be familiar with relevant actors in the cyber security domain. Moreover, they need some in-house expertise to be able to make the translation of a digital incident to the impact that the incident has on society. Although the VRZHZ has a role as an information manager, it does not have a mandate to force companies to give them information on an incident. For example, in June 2019, the emergency number was not available for a few hours due to a malfunction in the systems of Telecom provider KPN.49 Respondent five stated that KPN did not provide the safety regions with up-to-date information during the incident. As a result, the VRZHZ did not know what measures they needed to take or what they could communicate towards their citizens on the expected duration of the incident. This dependence on the benevolence of these companies to give out information emphasizes the need for good relations and a good network in the sector.

Part of the information management role of safety regions is making a risk inventory. The law on safety regions states that safety regions have a mandate to make an inventory of the risks of fires, disasters and crises.50 In this regard, the organization has the task to check the facilities of “Besluit risico’s zware ongevallen (BRZO)” companies. These are companies that work with dangerous chemical goods and are thus classified as forming a high risk of incidents. In VRZHZ, there are at least twelve such companies.51 Respondent five states that, although the fire brigade is allowed to check the safety of the physical installations in order to make sure that the chance of an incident is minimized, there is no mandate to inspect the security of their ICT systems. This forms a risk, since outdated software or a lack of back-up systems may very well lead to the malfunctioning of the systems of a chemical plant. The ICT of BRZO companies thus avoids inspection, while it could very well be the source of an incident.

49 NOS. “Storing KPN: 112 niet bereikbaar, landelijk noodnummer (2019). Available via:

5.1.3. New role of safety regions

The interviews reveal that finding out what the exact role of the VRZHZ is in case of a digital disruption falls within a shift of the role of the safety region. Traditionally, the safety region was constructed to deal with incidents that required quick attention, but would also be solved within a short period of time. These are called flash crises. In recent years, the organization has also been expected to be able to react to incidents that are less common, have a significant societal impact and last for longer periods of time. Respondent four gave the refugee crisis as an example, in which the mayor of Dordrecht unexpectedly claimed that the safety region had a role to play in that regard as well. The role of the safety region is thus developing from an organization purely focused on dealing with physical incidents, towards an organization which has an important role as information manager and care for citizenry as well. In order to be able to facilitate this change, respondent seven argues that some adjustments to the crisis structures need to be made. According to them, the team now concerned with the operational response, the ROT, needs to be taken out of the operation in order to have a better view on the impact of an incident. They also stated that the structure that determines to what extent the crisis organization needs to be alerted, the GRIP structure, is not adequate for these incidents. GRIP was designed for incidents with a clear source and an area of effect. In case of a digital disruption, it is much harder to determine where the exact source and area of effect are, if they can be determined at all. Moreover, an incident which causes social unrest, such as misinformation campaigns, does not fit within the GRIP structure either. Some of the existing structures are thus not adjusted to be able to cope with these new types of crises. As of right now, the region is looking for a way to incorporate new crises in the crisis management structures.

50 NCTV. “Brochure wet Veiligheidsregio’s”, p.16.

51 Risicokaart.nl. Available via:


5.2 Threat perception

From the risk profiles as well as the interview data, a nuanced image regarding the threat perception of digital disruption arises. Firstly, data that point towards the perception of digital disruption being a threat will be discussed. Then, the data that nuance this image will be discussed.

5.2.1. Perceived as threat

The risk profile of VRZHZ was written in 2011. A new profile was released while writing this thesis, which allows for the comparison of the two documents. In the document of 2011, the term used for cyber incidents was “disruption of telecommunication and ICT” and was mainly used in the context of digital systems of critical infrastructure.52 The document acknowledges that the Telecom sector is complex and entails a lot of actors. It is also noted that disruption of Telecom and ICT would have a significant impact on a wide array of systems, from payment systems to infrastructure like bridges or water management systems. In case of a national disruption, it is unlikely that a liaison would be available to the crisis organization. Moreover, the risk profile states that the length of an incident is unpredictable. The probability of such an incident was estimated as “possible”, and the projected impact as “severe”.53

In the new profile, the term has been changed to “digital disruption”, which implies a risk for society as a whole instead of just for vital infrastructure.54 The probability of a digital disruption is estimated as “probable” and the projected impact as “very severe”, which means that the probability and the projected impact have moved up one category on the scale compared to the previous risk profile.55 This means that the subject is regarded as more threatening compared to the period in which the last risk profile was published. Respondent five noted that after being drafted, the new risk profile was sent to the municipalities for comments. The administrators agreed with the changes and urged that a significant amount of attention would be given to the subject. In general, three concerns about digital disruption arise from the new risk profile as well as the interviews.

First, the complexity of the digital domain leads to a lack of oversight and uncertainty of responsibilities within VRZHZ.56 This is caused by the complex, elusive character of the digital domain: a common theme in the interviews was the perception that there is a lack of grip on the subject, and a lack of knowledge on what the consequences of a digital disruption might entail. Respondents had widely divergent understandings of the concept of cyber incidents and digital disruption. Some mainly focused on the information systems of their own organization. A disruption of these systems would limit the organization in its operational capabilities and their ability to communicate with their partners and citizens. Others focused on the possible impact a cyber incident could have on society as a whole. Some of the respondents made a distinction between the continuity of the organization and the impact an incident may have on society.

52 Veiligheidsregio Zuid-Holland Zuid. “Regionaal risicoprofiel” (2011), p.134-135. Available via: http://www.veiligheid.org/risicoprofielen.html.

53 Ibidem, p.139.

54 Veiligheidsregio Zuid-Holland Zuid. “Regionaal risicoprofiel” (2019), p.135.

55 Ibidem, p.139.

The interviews showed another factor that contributes to the elusiveness of the subject of digital disruption, which is that VRZHZ officials do not have insight into the digital infrastructure in their region. Respondents four, five and six noted they perceived this as a threat because they do not know which objects need to be inspected to see if they have good safety provisions. It is also not clear what the impact might be if parts of the digital infrastructure are malfunctioning. This is a concern because they do know where important structures of critical infrastructures are located. This is however unknown for digital infrastructure, while they feel that a disruption of this infrastructure might have an equal effect to the disruption of critical infrastructure.

Second, although there are several actors on national and regional level which are concerned with cyber security in the Netherlands, it is unclear where employees of the safety regions should get their information during a crisis.57 This is in line with the notion that was made in the previous section on mandate, in which was stated that the safety region does not have a sufficient network to be able to fulfill its role as information manager in case of a digital disruption. It also adds to the previously made point on lack of oversight of responsibilities in the previous paragraph. For other types of incidents, VRZHZ has a clear view on who their partners are and what they can expect from them. They are not familiar with cyber security organizations. The lack of a network in this sector means that digital disruption is perceived as a threat, because VRZHZ officials do not know who to contact in case of an incident. Respondent five made a comparison with terrorism: in case of a terrorist attack, the response requires involving specific actors with certain expertise and mandates. It is clear what to expect from other parties in their network during the response, such as local and national police or special anti-terror units. In case of a cyber incident however, these expectations are not clear. This goes for actors on the national level such as the NCTV and the NCC, but also for private cyber security companies such as Fox-IT, CGI or Northwave. Respondent nine also perceived the subject of digital disruption as more threatening than a terrorist attack because of a lack of readily available expertise and capacity outside of the organization that can be consulted in case of a disruption. They named the previously mentioned KPN outage as an example, when all regions were coping with the same problem. If they would have had covenants with KPN to help them in case of a major outage, KPN would not have been able to honor that arrangement, since it would not have had the capacity to send liaisons to each and every region. This ties back to the notion that a cyber incident, contrary to a terrorist attack, often does not have one geographical source and area of effect. In case of a large scale cyber incident, there are not enough experts available to aid all affected organizations.

The dependence on outside experts or other organizations that the VRZHZ is unfamiliar with brings us to the third concern. In a traditional crisis, the emergency services are able to control the incident and control the source of the incident. Digital disruption is a different case because it might not be known what the source is, where it might be or what the exact impact is. The lack of information means that safety region officials or first responders cannot assess when the incident is controlled. Moreover, it may not be possible to stop the incident just by controlling its physical manifestations. This is the case when the incident has a digital source or is located somewhere outside the region. In both cases, emergency workers can only deal with the physical consequences. They can only do so for a limited amount of time though, since the crisis organization is designed to be able to keep running for 48 hours straight. The inability to solve a crisis, combined with the lack of access to a network of actors which might help them do so, means that digital disruption is perceived as a subject that requires immediate attention. This is reinforced by the lack of official plans, processes and covenants that officials can fall back on in case of a digital disruption. The lack of clear tasks and responsibilities creates uncertainties for the organization. Respondent five foresees that in case of a digital disruption, the administrative bodies of the region will consider the safety region an important organization in the matter, as the specialist in the area of crises, while they do not have the tools to deal with the incident.

5.2.2. Nuancing the image of threat perception

Digital disruption has become an increasingly important subject for VRZHZ over the course of the last years. However, the interviews also show that the safety region is a resilient organization with a well-functioning crisis management system. The organization has an adaptive ability which allows officials to react creatively to incidents for which they might not be sufficiently prepared, or when their own systems are not working properly. Scarcity of resources and information is inherent to a crisis, and safety region officials as well as emergency service personnel are used to that. The actions of VRZHZ officials during the KPN malfunction are an example of flexibility and improvisation. The regular communication channels between hospitals and medical emergency services could not be used. A provisional solution was found by dropping off a number of transceivers at the hospitals in order to be able to keep communicating. This ties back to the notion on responding to physical incidents in the section on mandate. One of the roles for safety region officials is to respond to the physical manifestations of the incident. First responders will find a way to set the operational response in motion, no matter the cause of the incident or reduced capabilities due to the failure of systems.

Moreover, when talking about a cyber incident that has physical consequences, the operational response of emergency services will probably not differ from the actions they would take when the incident has a physical source. For example, if malware in the systems of a chemical plant would cause a fire due to malfunctioning of the Industrial Control Systems (ICS), the fire brigade would try to get the fire under control and mitigate the damage dealt to public health and environment caused by toxic clouds or leaking chemicals. If the same fire would be caused by for example a broken pipeline, the actions of the safety region would be the same.

Respondents six and seven stated that they did not see cyber incidents as a threat which should be treated differently than other types of incidents. Respondent seven argued that two years ago, the subject which received all the attention was terrorism. This subject was regarded as a special subject for which special measures needed to be taken. Nowadays, the situation has normalized and the measures to prepare for terrorism have been incorporated in the regular crisis management structures. Concerns about cyber security, digital disruption or cyber incidents are comparable. They are, as they put it, “hot and sexy” for a period of time. There is a general concern about these problems for a couple of years, while the tasks of the safety region are not inherently different than in case of a regular incident. Surely, when a few preparatory measures are taken, there would not be much to be concerned about. Although this respondent might not agree with this trend, they are right in the observation that digital disruption is a subject that has received a lot of attention within VRZHZ. Respondent seven observed that “this has more or less been our year of cyber, of digital disruption”. This claim is supported by the notion that VRZHZ has had multiple training exercises and projects on the subject, which will be further discussed in the next section.

5.3. Preparation

5.3.1. Impact on internal systems

The interviews show that safety region officials have taken preparatory measures in case an incident affects their ICT systems as well as the crisis communication systems. Respondent four stated that these systems are hosted by external companies and are quite robust, since they need to be able to handle large peaks in traffic. When an NL-alert is sent to the city of Dordrecht to warn citizens of an incident, it reaches around 90.000 people. When all of those people access the link in the alert at the same time, most websites would go down.

Apart from having back-up systems, preparatory measures have been taken to keep communication going in case systems go down; information managers have documents in Google Docs in which they can share information. As a last resort, the safety region has a covenant with radio amateurs who can come and help them communicate. A scenario has also been implemented in the risk profile, which explores the implications of malfunctioning of the systems of the emergency
