
Cybersecurity in the European Policy Arena : A Multiple Stream Analysis of Cybersecurity within the European Parliament


Academic year: 2021


CYBERSECURITY IN THE EUROPEAN POLICY ARENA

A Multiple Stream Analysis of Cybersecurity within the European Parliament

JANUARY 9, 2018

CHARLIE MAYNARD – S1224662

Supervisor: Tim Dekkers

Second Reader: Vlad Niculescu-Dincă

Word count: 16,576

Table of Contents

1. Table of Acronyms
   1.1. Introduction
   1.2. Societal Relevance
   1.3. Academic Relevance
   1.4. Research Question
        Sub-questions
2. Theoretical Framework
   2.1. Definitions
   2.2. Theory
   2.3. Applying the MSA to Cybersecurity
        Figure 1: Kingdon’s Multiple Stream Analysis applied to cybersecurity in the EP (Howlett et al., 2009, p.103)
3. Methods
   3.1. What is a discourse analysis?
   3.2. Selection of time periods
   3.3. Type of documents
   3.4. Selection of documents
        Figure 2: Number and types of documents found in the EP database (N=453)
   3.5. How the analysis was conducted
        Figure 3: Coding scheme for the MSA within the Discourse of the EP (Howlett et al., 2009)
4. Analysis
   4.1. 1999 – 2000
   4.2. 2007-2008
   4.3. 2016-2017
5. Conclusions and Discussion
        Figure 4 – The changing perceptions of what cybersecurity is important for in the EU (not ranked in any particular order)
6. Limitations
7. Appendix
   7.1. Hermeneutic Unit 1: 1999-2017
   7.2. Hermeneutic Unit 2: 2007-2008
   7.3. Hermeneutic Unit 3: 2016-2017
8. Bibliography
9. Endnotes

1. Table of Acronyms

Listed in order of appearance

| Acronym | Explanation |
|---|---|
| DDoS | Distributed Denial of Service |
| NIS Directive | Network and Information Security Directive |
| GDPR | General Data Protection Regulation |
| EU | European Union |
| EP | European Parliament |
| EC | European Commission |
| MEP | Member of the European Parliament |
| ENISA | European Network and Information Security Agency |
| MSA | Multiple Stream Analysis |
| STOA | Science and Technology Options Assessment Panel |
| HU | Hermeneutic Unit |
| OSCE | The Organization for Security and Cooperation in Europe |
| AU | The African Union |
| ASEAN | The Association of South East Asian Nations |
| NATO | The North Atlantic Treaty Organization |
| EC3 | European Cybercrime Centre |
| EDA | European Defence Agenda |
| CERT-EU | The Computer Emergency Response Team for the EU Institutions, bodies and agencies |
| NATO CCDCOE | |


1.1. Introduction

The importance of cybersecurity has grown significantly in the past 20 years, with threats and attacks such as ‘DDoS attacks (distributed denial of service)…, malware, website defamation, spam, phishing email attacks’, and ransomware all on the rise (Alali, Amogren, Mehedi Hassan, AL Rassan, & Alam Bhuiyan, 2017). While national strategies include clearly organized solutions to cybersecurity threats, such as the UK’s 1999 ‘Data Protection Act’ or the US’s 2002 ‘Federal Information Security Management Act’, institutions which provide multi-level governance, such as the European Union, have taken significantly longer to develop adequate cybersecurity regulations. In April 2016, the European Parliament (EP) set in place the ‘EU General Data Protection Regulation’ (GDPR), and, shortly thereafter, in July 2016, the ‘Directive on Security of Network and Information Systems’ (The NIS Directive), both of which will come into effect in 2018. Despite cybersecurity being a topic of international discourse amongst academics and policy makers for some time, it was not until 2016 that the European Union adopted this comprehensive ‘series of measures to raise Europe’s preparedness to ward off cyber incidents’ (‘The Directive on security of network and information systems (NIS Directive)’, 2017). Though there have been a number of previous pieces of cybersecurity legislation enforced by the EU such as the 2002 ePrivacy Directive and the 2013 Directive on attacks against information systems, none have had as widely sweeping repercussions as the GDPR or NIS Directive. ‘The upcoming NIS Directive combined with the GDPR will change the legal framework in which any company that operates in the EU is acting’ (Brautigam, Camilli, & Jenny, 2017). In order to understand the decision-making regarding cybersecurity within the EP, this research has examined how the cybersecurity discourse within the EP has developed between 1999 and 2017. 
The EP was selected as the central focus for this research as it serves primarily as the EU’s law-making institution. It is a directly elected EU body, which consists of 751 MEPs (Members of the European Parliament), and has budgetary, legislative and supervisory responsibilities (‘European Parliament: Overview’, 2017). Legislative proposals are made by the European Commission (EC), which are then formally debated within the EP, and are either approved or sent back to the EC for amendments. John Kingdon’s Multiple Stream Analysis (MSA) has been used as a theoretical lens through which the cybersecurity discourse of the EP was analyzed. More importantly, the MSA has been used to explain the decision-making surrounding cybersecurity regulations such as the NIS Directive and the GDPR.

1.2. Societal Relevance

Examining this is societally relevant because both the NIS Directive and GDPR mark significant turning points in the EP’s stance on cybersecurity threats; it is important to understand how influential cybersecurity regulations such as these came about. The NIS Directive obligates ‘Member States to establish Computer Security Incident Response Teams as well as competent national authorities with adequate financial and human resources to coordinate with law enforcement authorities, data protection authorities and the
operators covered by the Directive’ (Maldoff, 2015). Similarly, the implementation of the GDPR also has numerous implications, including regulations on cross-border data transfers, vendor management, training, data breach notifications, and many others (Solove, 2015). Most critically though, if an organization does not process its client’s information in a manner which adheres to the regulations of the GDPR, or if the company is the subject of a security breach, it can be fined (Burgess, 2017). On this basis, it can be said that both the GDPR and NIS Directive have changed the face of cybersecurity within the EU, and it is therefore societally important to understand how cybersecurity regulations such as these are passed by the EP. Understanding the decision-making regarding any EU regulation is societally important because EU regulations have implications for all EU Member states and their residents.

More generally though, as computer technology has seen a trend of exponential growth, this has meant dramatic and profound changes to society such as the introduction of high speed internet, big data, cloud computing, and countless other computing related technological changes. This exponential growth is evidenced by Moore’s Law which is an observation (not an actual law) demonstrating that computer processing speed has doubled every 18 months (Mollick, 2006). Given these advancements, it is also apparent that whilst the internet has given way to vast technological innovation, it is, ‘simultaneously open to exploitation by unscrupulous, profit minded criminals in what amounts to a law-less free-for-all’ (Granville, 2003, p.102). Therefore, this research is also societally relevant as cybersecurity related issues have become a more serious and growing security threat on a global scale. Furthermore, while there has already been a rapid growth of demand for cybersecurity, a 2016 study has forecasted a global cyber security market expansion of approximately 80% by 2021 (‘Cyber Security Market Worth USD 202.36 Billion by 2021 - Rise in Security Breaches Targeting Enterprises Driving Growth - Research and Markets’, 2016). In light of this, it is important to understand how the EP’s perception of the importance of cybersecurity has changed with time, and which cybersecurity incidents or issues might have influenced the formulation of EU regulations. Establishing this knowledge may help determine how cybersecurity related policy is debated and passed by the EP.

1.3. Academic Relevance

According to Clark et al. ‘cybersecurity is a never-ending battle. A permanently decisive solution to the problem will not be found in the foreseeable future’, and yet, at the same time, cyber security is somewhat of an ambiguous and ever-evolving issue that is not understood in its entirety (Clark, Berson, & Herbert, 2014, p.106). This makes political decision-making on the topic of cybersecurity regulation more difficult and, therefore, an important field of academic research. This is primarily because cybersecurity is not fully understood as a concept, and ‘suffers from a lack of consensus in terminology’ within the EU (C. Desouza & Fedorschak, 2015; Silva, 2013, p.4). Under normal circumstances, knowledge serves as the foundation for basic decision-making, with some academics even stating that ‘it is impossible to make good decisions without [the right] information’ (De Kock, 2003, p.6). While cybersecurity experts are struggling to keep up with the latest cybersecurity threats, it is the MEPs with a limited cybersecurity understanding that must decide on the necessary legislation to protect the EU and its member states. So how is it that the EP comes to make decisions on a policy area that it does not fully understand? This is an important issue, as the dynamic nature of cybersecurity threats, and of technology in general, makes decision-making a difficult but critically important part of ensuring cybersecurity within the EU. On this basis, this research is academically relevant as it is not clear how problems which are not fully understood (such as cybersecurity) are tackled within the context of the EP.

In order to analyze the manner in which political decisions are made within the EP, John Kingdon’s Multiple Stream Analysis (MSA) has been used as the theoretical lens through which to observe the changing perceptions of cybersecurity in the EP. Zahariadis, Ackrill and Kay state that the MSA ‘draws insight from interactions between agency and institutions to explain how the policy process works in organized anarchies where there is a shifting roster of participants, opaque technologies and individuals with unclear preferences’, all of which are arguably characteristics which could be used to describe the EP (Ackrill, Kay, & Zahariadis, 2013, p.871). This theory holds that there are three streams within the policy formulation sphere: the problem stream, the political stream, and the policy stream. When all of these streams come together, a policy window can be opened, which in turn fosters an opportunity for key actors to make a decision on the issue in question (Zhou & Feng, 2014, p.2). Each of these three streams is elaborated upon in the theoretical framework below. However, it is important to stress for the academic relevance of this research that this theory has yet to be applied within the context of cybersecurity, thus highlighting a critical literature gap which this thesis intends to fill. Using Kingdon’s MSA as the theoretical lens, this thesis has conducted a discourse analysis of EU documents containing opinions and perceptions on cybersecurity issues. From the results of the analysis, this thesis has plotted the development of cybersecurity subject matter in order to determine how the importance of the topic has affected political decisions made between 1999 and 2017. These results also indicate whether the MSA can be used as a means of explaining how cybersecurity regulations are passed by the EP. The starting date of 1999 was selected as a search in the database of the EP found that 1999 saw the first mention of the term ‘cyber’.


1.4. Research Question

The following research question has been formulated:

‘How has the European Parliament’s perception of the importance of cyber security changed between 1999 and 2017?’

Sub-questions

In order to make this research question more feasible to answer, it is broken down into the following sub-questions:

• Can Kingdon’s MSA be used to explain the passing of cybersecurity legislation by the EP?

• What was the EP’s perception of the importance of cybersecurity between 1999 and 2000?

• What was the EP’s perception of the importance of cybersecurity between 2007 and 2008?

• What was the EP’s perception of the importance of cybersecurity between 2016 and 2017?

• How has the EP’s perception of the importance of cybersecurity evolved between 1999 and 2017?

2. Theoretical Framework

2.1. Definitions

Firstly, this theoretical framework defines some of the key concepts of this research alongside some of the relevant academic discourse pertaining to each of these concepts. Secondly, the theoretical tools that are used to answer the research question are outlined and their applicability is explained within the context of the cybersecurity discourse of the EP.

In order to understand the choice of methods and this research as a whole, it is important to convey the definitions that this paper has used as a basis for the analysis. Crucially, cybersecurity needs to be adequately defined: ‘Cybersecurity commonly refers to the safeguard and actions that can be used to protect the cyber domain, both in the civilian and military fields, from those threats that are associated with or that may harm its interdependent networks and information infrastructure. Cybersecurity strives to preserve the availability and integrity of the networks and infrastructure and the confidentiality of the information contained therein’ (‘Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Commitee of the Regions - Cybersecurity Strategy of the European Union: an Open, Safe and Secure Cyberspace’, 2013, p.3)

However, another article commissioned by the EP found that ‘cybersecurity means different things to different people… how the issue is framed influences what constitutes a threat as well as what counter-measures are needed and justified’ (van der Meulen, A Jo, & Soesanto, 2015, p.13). Thus, as yet there is no fixed definition of cybersecurity, and this has been highlighted in an article published by the ENISA
(European Union Agency for Network and Information Security) (Brookson et al., 2015). Given that this research frames cybersecurity within the context of the EP, the manner in which the ENISA defines it is also critically important as the ENISA is the EU’s central source of knowledge regarding cybersecurity. This lucid definition of cybersecurity ties in with Silva’s identification of ‘a lack of consensus in terminology’ regarding what constitutes cybersecurity as a concept within the EU (Silva, 2013, p.4). Silva goes on to state that these broad and differing definitions of what constitutes cybersecurity ‘not only undermines the value and application of the term, but opens possibilities for cybersecurity to be used for multiple and indiscriminate purposes’ (Silva, 2013, p.4). Thus, using the ENISA’s stance on the issue, it was expected that the manner in which the Institutions of the EU frame the topic of cybersecurity varied significantly.

However, this variance in definitions may be due to the fact that ‘cybersecurity’ is a relatively novel term. The word ‘cyber’ only came to prominence in the 1940s with the rise of ‘cybernetics’, established by a mathematician named Norbert Wiener. The term was later popularized in the artistic genre of ‘cyberpunk’, giving rise to films like Bladerunner in 1982. It was not until 1989 that the first recorded use of the term ‘cybersecurity’ was used, shortly after the outbreak of the Morris worm, which was at the time the most costly malware outbreak in history (Newitz, 2013). This is not to say that cybersecurity did not exist prior to this, it did, just under a different semantic guise, such as ‘computer security’, ‘data security’, or ‘digital security’. Computers were recognized to have vulnerabilities and present inherent security issues as far back as 1977 when the US ‘General Accounting Office recommended limiting the number of federal employees who could use a computer as a way to prevent network security breaches’ (‘Timeline: The U.S Government and Cybersecurity’, 2003). The first piece of cybersecurity legislation was passed in the form of the US ‘Computer Security Act of 1987’, mainly focusing on the preservation of information security. Given the contemporary use of the term ‘cybersecurity’, this is the terminology that has been used in order to gain a useful insight into the state of cybersecurity in the EP between 1999 and 2017. Searching for a more dated synonym of cybersecurity is likely to draw up less useful results for the more recent time periods.

According to Robert Scott Dewar, the EU’s perception of cybersecurity is mostly hinged upon economic values, predominately because it is a multi-state institution that is primarily focused on socio-economic and political issues which limits its capacity to employ military and defence oriented strategies (Scott Dewar, 2017, p.16). Dewar goes on to state that other nations have also employed this socio-economic approach, whilst at the same time these states have also ‘included military, defence, or national security focused solutions in their strategies, often with offensive capabilities’ (Scott Dewar, 2017, p.16). The fact that the EU consists of a multiplicity of member states and actors often contradicting one another
also complicates adequate decision-making (Fabbrini, 2013, p.1017). Furthermore, as is highlighted by Ilina Armencheva, ‘a universal, agreed definition of national cyber security does not exist. Some that are a symbiosis of “cyber security”, “national security”, etc. can be found in the strategic state documents. That means each country defines these concepts based on their own vision’ (Armencheva, 2015, p.37). This lack of a shared vision of what constitutes cybersecurity in the EU ties in with the malleable and dynamic definition of cybersecurity which was given earlier by the ENISA. Though this lack of a universal definition could be used by MEPs as a means of advancing an agenda on a range of different cybersecurity issues, it could also serve as a hindrance to any substantive development on the issue. Ultimately, if there is no fixed definition of what constitutes cybersecurity in a political sphere, it is possible that the discourse may be a more inconclusive debate, rather than one which leads to constructive developments.

However, despite this lack of a shared vision, cyber security breaches are not a new phenomenon, and have been globally recognized as a security concern since the spread of the Morris worm in 1988, the first computer worm ever distributed via the internet. Ruohonen et al. state that the problems that ‘the Morris worm unmasked in 1988 are largely analogous to the problems in 2016’ (Ruohonen, Hyrynsalmi, & Leppanen, 2016, p.748). Despite the fact that this suggests little in the way of development on addressing the issue of cybersecurity, a considerable amount has in fact been done to better regulate cyberspace in the EU, such as the formation of the ENISA and the introduction of new regulations such as the NIS Directive and the GDPR (Ruohonen et al., 2016). This suggests that the EU has been active in drafting political solutions, implying that the issue of cybersecurity has garnered a substantial amount of attention. Given that building institutions and introducing regulations is how the EU would set about approaching cyber-threats, understanding the discourse behind this policy formulation is an important aspect of this research.

2.2. Theory

Policy formulation has a number of critical steps, starting with agenda setting. It is the political agenda that serves as a foundation for the discourse within a political entity such as the EP, and according to John Kingdon, focusing events serve as one of the determinants of which policy issues are on the political agenda (Birkland & Megan, 2013). Specific focusing events are used frequently in the field of public policy as a means of highlighting relationships between certain policies and the occurrence of serious (often catastrophic) incidents which might push a specific policy onto the agenda (Birkland, 1998, p.56). John Kingdon’s stance on focusing events is that ‘agenda change is driven by two broad phenomena; changes in indicators of underlying problems[…]and focusing events, or sudden shocks to policy systems that lead to attention and potential policy change’ (Birkland & Megan, 2013). In another article, ‘Birkland noted that the September 11th terrorist attacks brought attention to a wide range of issues, from immigration reform to cyber security’, demonstrating that focusing events do not necessarily have to be explicitly related to
cybersecurity in order to influence the cybersecurity agenda (Merry, 2013, p.50). Thus, institutional or policy oriented changes related to cybersecurity within the EU can be understood through focusing events such as those highlighted in the methods below. Given this acknowledgement of focusing events as a potential driving force for the development of legislation and public policy, they have served as a foundation from which the EP’s changing discourse on the topic of cyber security has been analyzed.

Whilst focusing events are a driving force, pushing policy issues on to the agenda, the agenda only makes up one part of what is known as ‘the policy cycle’. The policy cycle is used as a framework for the formulation and implementation of policy and legislation. Howlett et al. break down the policy cycle into a concise five stages; (1) agenda setting, (2) policy formulation, (3) decision making, (4) policy implementation, and (5) policy evaluation (Howlett, Ramesh, & Perl, 2009, p.13). Kingdon defines agenda setting as ‘the list of subjects or problems to which governmental officials, and people outside of government closely associated with those officials, are paying some attention at any given time[…]so the agenda setting process narrows this set of conceivable subjects to the set that actually becomes the focus of attention’ (Kingdon, 1984, p.3). Kingdon’s argument for the formulation of the agenda is founded in his theory called the ‘Multiple Streams Approach’ (MSA), which consists of three streams which, when united, lead to the formation of windows of opportunity he calls ‘policy windows’ (Kingdon, 2001, p.332). These windows of opportunity can then be used by actors, or in this case MEPs, in order to advance the engagement of certain relevant policy issues (Beland & Howlett, 2016, p.222). Below is a comprehensive breakdown of what exactly these three streams entail, and how they might be identified within the cybersecurity discourse of the EP:

2.2.1. The problem stream

This stream can be identified when an issue is perceived as a public problem which requires a governmental response (Howlett et al., 2009, p.103). These tend to arise to political attention because of ‘sudden events, such as crises, or through feedback from the operation of existing programs’ (Howlett et al., 2009, p.103). Essentially, these are public problems that require attention, and given this, identification of such problems within the cybersecurity discourse of the EP serves as an indicator for this stream. As the EP is an arena for MEPs to voice political concerns regarding certain policy issues, problem streams were expected to be identified on numerous occasions within the discourse.

2.2.2. The policy stream

‘The policy stream pertains to the many potential policy solutions that originate with communities of policy makers, experts and lobby groups’ (Howlett, Mcconnell, & Perl, 2014, p.421). For instance, this includes the formation of institutions or legislation in response to certain public issues. Thus, the proposition of solutions, alternatives, and the establishment of institutions regarding cybersecurity issues, all serve as
indicators for the presence of a policy stream within the discourse. Given that it was expected that many problem streams would be identified within the discourse, these problem streams were also expected to be coupled with policy streams, consisting of actors proposing solutions to these issues. This was because it is generally not deemed constructive within any situation to raise an issue which needs resolving without actually suggesting a solution or alternative.

2.2.3. The political stream

The political stream ‘is composed of such factors such as swings of national mood, administrative or legislative turnover, and interest group pressure campaigns’ (Howlett et al., 2014, p.103). Kingdon also states that it is the political stream which ‘creates the momentum necessary to place an issue on the public policy agenda’, which highlights just how important this stream is for the formulation of public policy (Larkin, 2012, p.26). Within the political stream, national mood regarding certain issues is an important indicator, and Kingdon defines this as ‘the notion that a rather large number of people out in the country are thinking along certain common lines…these changes in mood or climate have important impacts on policy agendas and policy outcomes’ (Kingdon, 1984, p.153). In particular it is these changes in national mood that this research has used as an indicator for the political stream.

2.3. Applying the MSA to Cybersecurity

The Multiple Streams Analysis has been applied to many studies and ‘remains a key reference point in the public policy literature’ (Cairney & Jones, 2015, p.37). More specifically, the MSA has been applied to societal issues such as domestic violence, child abuse, employment discrimination, and many other topics (Bell Sepulveda, Carlson, & Rust-Martin, 2015). Applying Kingdon’s MSA to the cybersecurity discourse in the EP would appear as follows:

Figure 1: Kingdon’s Multiple Stream Analysis applied to cybersecurity in the EP (Howlett et al., 2009, p.103)

| Stream | Cyber security in the EP |
|---|---|
| Problem Stream: ‘the perceptions of problems as public issues requiring government action’ | Cybersecurity is perceived as a growing public issue requiring action within the EU. This would be evidenced by cybersecurity issues merely being raised in the EP. |
| Policy stream: ‘experts and analysts examining problems and proposing solutions to them’ | Experts and analysts examine the issue of cybersecurity and propose relevant solutions. One example of this is the ENISA. |
| Political stream: ‘composed of such factors as swings of national mood, administrative or legislative turnover and interest group pressure campaigns’ | Given that there have been a number of serious cybersecurity incidents (such as the 2007 Estonia cyber-attacks and the 2017 WannaCry ransomware attacks), this would suggest that there have been interest group pressure campaigns or public outcries in response. These may be referenced within the discourse. |

Figure 1 demonstrates how the MSA could apply to the context of cybersecurity within the EP, and how it could be useful as a means of analyzing the developing importance of cybersecurity in the discourse of the EP. Figure 1 also suggests that the analysis of this research is likely to identify occurrences of overlap in these streams, which would then lead to the formation of cybersecurity regulations such as the NIS Directive and the GDPR. On this basis, the MSA has been used as a means of analyzing the perceived importance of cybersecurity in the discourse of the EP, and potentially offering insight into how decisions on the topic of cybersecurity regulation are made in the EP.

Although Kingdon’s MSA is considered to be an academically sound model to apply within the context of a policy issue such as cybersecurity, the MSA is not without criticism. Firstly, Kingdon developed the model solely within the context of the United States. While Howlett et al. note that Kingdon’s model is popular in academia, they find its application geographically limited in scope. They later stipulate that; ‘the popularity of this agenda setting framework in comparative policy analysis is especially interesting because the book focused exclusively on the United States. It is not clear, however, that a framework developed exclusively on the basis of the examination of a single somewhat idiosyncratic national case should generate insights useful in comparative research’ (Beland & Howlett, 2016, p.221). However, Howlett et al. later make reference to the fact that there have been 36 publicized applications of the MSA since its inception by Kingdon in 1984, highlighting the fact that the MSA is still used frequently in academia in spite of the model’s initially narrow focus on the US (Beland & Howlett, 2016).

More specifically, however, Kingdon’s MSA has been applied successfully to the case of the EU on a number of occasions. Ackrill et al. make a comprehensive list of instances in which the MSA has been applied to the case of the EU. In many of these cases, only elements of the MSA are referred to, such as ‘policy windows’ or ‘the political stream’. However, in terms of more complete applications, Ackrill et al. reference the work of ‘Pollack (1997); Nugent and Saurugger (2002); Krause (2003); Jordan et al. (2003)[…]and later, Corbett (2005)’ (Ackrill et al., 2013, p.875). In particular, Ackrill et al. focus on the fact that the works of many of these authors center on the issue of ambiguity in the field of decision making. Ambiguity is exactly what this research aims to examine: the discourse surrounding the decisions that are made within the EP on an ambiguous and lesser understood policy area such as cybersecurity. Based on the
literature review of the applications of the MSA on the Institutions of the EU conducted by Ackrill et al., the model appeared to be useful for analyzing the political processes of the EU. This therefore served as one of the reasons that the MSA was selected as the theoretical lens through which to analyze the cybersecurity discourse of the EP.

However, the MSA’s initially narrow focus on the US remains a shortcoming, and it is not the only disadvantage of the model. According to Anthony Chow, one of the main limitations of the model is that it does ‘not sufficiently acknowledge the significance of media effects, including social media’ (Chow, 2014, p.53). The media serves as a strongly motivating factor for the raising of certain policy issues in a political environment such as the EP. None of the streams within Kingdon’s MSA accommodate the effects of the media, and this does potentially hinder the decision-making processes taking place within the EP. Other theorists such as Dietram Scheufele state that the media does not reflect reality, but rather filters certain pieces of information and tailors them according to the interests of said media source’s target audience (Scheufele, 2010). It therefore remains unclear to what extent the influence of the media should actually be incorporated within the MSA, and this may be a shortcoming of Kingdon’s framework. Given that the MSA has been applied to the EU in order to study decision-making in an ambiguous setting, this suggests that there is a link between situational uncertainty and the coming together of Kingdon’s three streams. According to Ackrill et al., the MSA’s ‘usefulness lies in the lens’s capacity to handle ambiguity and its ability to capture the complex interactions among institutions, issues and entrepreneurs’ (Ackrill et al., 2013, p.883). They also state that this has particular resonance with the case of the EU mainly because the policy process itself is ambiguous due to the EU’s multi-leveled means of governance (Ackrill et al., 2013, p.877). However, this thesis is more concerned with the way that the EP perceives cybersecurity as a policy issue, and how it makes decisions on the topic, as opposed to the ambiguous nature of policy-making in the EU. Unfortunately, the MSA has not been applied to a case involving the topic of cybersecurity, which would have been a useful reference for this research. Nonetheless, the numerous applications of the MSA as a means of analyzing ambiguous decision-making processes in a political setting imply that this model is an appropriate and reliable tool for this research.


3. Methods

This section provides an outline of the methods that were used in the analysis in order to answer the following research question:

‘How has the European Parliament’s perception of the importance of cyber security changed between 1999 and 2017?’

3.1. What is a discourse analysis?

As mentioned, this thesis has conducted a qualitative discourse analysis. According to Jorgensen et al., ‘there is no clear consensus as to what discourses are or how to analyze them’; however, the definition she then used to define discourse is ‘a particular way of talking about and understanding the world (or an aspect of the world)’ (Jorgensen & Phillips, 2002, p.1). This definition has served as the basis for the discourse analysis employed in this research. The reason that Jorgensen’s definition was used is that she offers a broad and simple view of what discourse is. In stating that discourse is ‘a particular way of talking about and understanding the world’, she is describing exactly what this research aims to measure: perceptions or subjective opinions on a certain topic. Based on this definition, the discourse on cybersecurity within the EP is precisely what this paper seeks to analyze in order to answer the research question. The reason that a qualitative analysis was selected as the form of research is that the discourse on cybersecurity in the EP is in itself qualitative, rather than quantitative, by nature.

3.2. Selection of time periods

The periods that have been selected are 1999-2000, 2007-2008, and 2016-2017. Breaking down the time period 1999-2017 into three more digestible periods allows for a more feasible diachronic analysis (Dekkers, Van der Woude, & Van der Leun, 2017, p.6). According to the Oxford University Press, a diachronic analysis is the study of a change in a phenomenon over time (‘Diachronic Analysis’, 2018). Although it would have been optimal to conduct an analysis of all the data within the period 1999-2017, these three specific time periods explain much of the evolution of the discourse. These three time periods were selected based on particular focusing events which have been used to explain trends and changes in perceptions of cybersecurity in the EP during the period of 1999-2017. The following focusing events have been used to isolate the periods of analysis:

1. 1999-2000: In 1999, the term ‘cyber’ was used for the first time in the EP, indicating the first recognition of the cyber-domain in the EP. Although this is significant, it is not a focusing event. The focusing event for this time period was the outbreak of ‘the Melissa worm’, which was, at the time, the costliest malware outbreak in history, resulting in $1.2 billion in damages (Haury, 2012).

2. 2007-2008: In May 2007, Russian cyber-attacks were launched on Estonian government agencies, banks, newspapers, and other organisations. This is important as it was perceived as one of the first instances of state-sponsored cyberwarfare, and is therefore likely to have resulted in a change in the discourse of the EP (Batashvili, 2017).

3. 2016-2017: The critical focusing event for this time period was the 2016 US Elections, the voting system of which many speculate ‘with a high degree of confidence’ to have been hacked (Cummings, 2016). This opened up a new dynamic within the context of cybersecurity and politics. While this focusing event took place in the US, the significance of the situation highlights vulnerabilities that could well be present within the political processes of other nations, including EU member states, which suggests that the EP discourse could reflect this consideration.

These time periods have been used to isolate documents within the database of the EP, which will then serve as the premise of the discourse analysis.

3.3. Type of documents

There is a multitude of different document types in the database of the EP. However, given that this research will conduct a discourse analysis, the following document types are the most relevant in determining the EP’s perceptions of cybersecurity:

- ‘Reports of proceedings’
- ‘Answers to written questions’
- ‘Motions for resolutions/decisions’
- ‘Studies’
- ‘Reports’

These documents provide subjective information which offers insights into the political perspectives on cybersecurity in the EP. Although there are other types of documents which may also have been useful (‘articles’ or ‘in-depth analyses’ for instance), the documents highlighted above are the ones deemed the most likely to convey perceptions. Documents were determined to be useful depending on the context in which the term ‘cyber’ was used. For instance, one EP report discussed how ‘cyber-cinema will mean that European audio-visual works will become more easily accessible[…]thus enhancing the cultural diversity of Europe’ (‘Report on the Communication from the Commission to the Council, the Parliament, the Economic and Social Committee and the Committee of the Regions ’Principles and guidelines for the Community’s audiovisual policy in the digital age’, 1999, p.35). Given that this document is not concerned with cyber related risks or security, it has been excluded from the analysis as its content is not relevant to the focus of cybersecurity. It should also be mentioned that while generally ‘studies’ and ‘reports’ might not be considered to provide subjective insights, they are still useful for this research. This is because the studies selected for this thesis are mostly conducted by the ‘Science and Technology Options Assessment Panel’ (STOA) which ‘forms an integral part of the structure of the EP[…][and] it is composed of 25 Members of the European Parliament’ (‘STOA Panel - 8th Legislature’, 2017). Given that these studies are conducted by MEPs themselves, they are therefore representative of the subjective views held within the EP. Similarly, the reports found within the database represent reports of discussions held within the EP, and are thus also representative of subjective views held within the EP.

3.4. Selection of documents

The basic search function available on the EP’s website was used in order to isolate the documents used in the analysis. This search function enables users to search across the entire archive of official EP documentation, highlighting the number of occurrences of the search terms for each year. Documents were downloaded from the database of the EP through a catalogue search for the term ‘cyber*’. A Boolean operator was employed in the search term in order to gain a broader set of results from the EP database. ‘Boolean operators are simple words [or characters] used as conjunctions to combine or exclude keywords in a search, resulting in more focused and productive results’ (‘What is a Boolean Operator’, 2017). On this basis, the EP database has been used to search for ‘cyber*’. Placing the Boolean operator ‘*’ after the word ‘cyber’ allowed the results of the search to include any additional terms attached to ‘cyber’, yielding results such as ‘cyber-attack’, ‘cyber-threat’ or ‘cyberwarfare’. More plainly, this is used when searching for ‘a word where you only know the first few letters’ (‘Boolean operators, wildcards and special characters’, 2017).

The results of the data collection yielded a total of 453 different documents. Of this number a total of 319 documents were found to be useful for this research. For a breakdown of the number and type of documents found in the EP Database, see Figure 2 below.

Figure 2: Number and types of documents found in the EP database (N=453)

| Type of document | 1999-2000 | 2007-2008 | 2016-2017 | Total |
|---|---|---|---|---|
| Answers to written questions | 0 | 30 | 112 | 142 |
| Motions for resolutions | 0 | 23 | 38 | 61 |
| Reports | 6 | 11 | 68 | 85 |
| Reports of Proceedings | 0 | 35 | 40 | 75 |
| Studies | 10 | 8 | 72 | 90 |
| Total number of documents found | 16 | 107 | 330 | 453 |
| Total number of documents that contained relevant information | | | | |

3.5. How the analysis was conducted

The software used to conduct the analysis of these documents is called ‘Atlas.ti’, which is a qualitative research and data analysis software. The software enables users to locate, code, and annotate findings in primary data material, to weigh and evaluate their importance, and to visualize the often complex relations between them (Silver & Lewins, 2007). After downloading and organizing the 453 documents into clear folders and sub-folders, the documents were then imported into Atlas.ti. Each time period was separated by an individual hermeneutic unit (HU) in Atlas.ti. Essentially, each HU contains all the documents, codes, memos and other files associated with its respective time period. Following this, the search function in Atlas.ti was used to search each document for the term ‘cyber’. No Boolean operator was used here as they are not compatible with Atlas.ti. Based on the manner in which ‘cyber’ was used in the context of security, codes were created and applied to excerpts in the documents. Based on the frequency with which certain codes were applied, Atlas.ti was then used as a means of analyzing trends within the discourse, determining common perspectives on cybersecurity across time, and plotting them within the framework of Kingdon’s MSA. This means that only excerpts of the documents were read, and thus only a minority of the documents were actually read in their entirety.

In order to conduct this analysis using Kingdon’s MSA as the theoretical lens, the three streams were used as a means of determining where the discourse led to the opening of a policy window and consequently the passing of public policy or legislation within the EP. If the presence of all three streams was identified within the discourse of the EP, it could be stated that there was a convergence, therefore the opening of a policy window, and the passing of cybersecurity regulation. On this basis, it can then be stated that the MSA can be used to explain the passing of cybersecurity regulations by the EP. The indicators used to identify these streams within the discourse are highlighted in Figure 3 below. These indicators represent possible components of the discourse which would be indicative of the presence of one of the three streams. In order to clearly identify these streams within the discourse, codes were assigned to their indicators. A preliminary set of these is listed within Figure 3. The codes themselves were numbered in order to better identify how they fit within Kingdon’s MSA.


Figure 3: Coding scheme for the MSA within the Discourse of the EP (Howlett et al., 2009)

| Theory | Stream | Indicators within the discourse | Codes |
|---|---|---|---|
| Kingdon’s MSA: Three streams, which when united will open a ‘policy window’, setting the agenda, and motivating political change. | Problem stream: ‘the perceptions of problems as public issues requiring government action’ | Cybersecurity is perceived as an issue which requires more attention and action | 1.1 Cybersecurity is perceived as a threat due to a lack of knowledge on the issue; 1.2 Cybersecurity is perceived as a threat due to the growing number of new threats; 1.3 Cybersecurity threat X has highlighted a need for improved cybersecurity |
| | | Cybersecurity is not perceived as an issue which requires more attention and action | 2.1 Cybersecurity is not perceived as a substantial threat; 2.2 Cybersecurity is not perceived to be a growing threat; 2.3 Cybersecurity threat X has highlighted the fact that there is no need for improved cybersecurity |
| | Policy stream: ‘experts and analysts examining problems and proposing solutions to them’ | Cybersecurity experts and analysts are examining issues and proposing solutions to these issues | 3.1 Cybersecurity issues are being examined by experts; 3.2 Cybersecurity experts are proposing solutions to these issues; 3.3 Institutions are being formed or utilized in order to address cybersecurity issues |
| | | Cybersecurity experts and analysts are not examining issues and proposing solutions to these issues | 4.1 Cybersecurity issues are not being examined by experts; 4.2 Cybersecurity experts are not proposing solutions to these issues; 4.3 Institutions are not being formed or utilized in order to address cybersecurity issues |
| | Political stream: ‘composed of such factors as swings of national mood, administrative or legislative turnover and interest group pressure campaigns’ | Cybersecurity issues are causing public outcry or interest group pressure | 5.1 There is European or national outcry due to a cybersecurity issue; 5.2 Certain interest groups are lobbying for action to be taken against a certain cybersecurity threat; 5.3 Cybersecurity threat X has received a great deal of attention from the media |
| | | Cybersecurity issues are not causing public outcry or interest group pressure | 6.1 There is no European or national outcry due to a cybersecurity issue; 6.2 Certain interest groups are not lobbying for action to be taken against cybersecurity threats; 6.3 Cybersecurity threat X has not received a great deal of attention from the media |

3.5.1 Justification for selection of codes

These preliminary codes were created as they offer evidence for the applicability of each stream. To illustrate, the problem stream is an indicator of perceptions of cybersecurity issues (‘the perception of problems as public issues’), the policy stream is an indicator of the utilization of experts and certain institutions for cybersecurity purposes (‘experts and analysts examining problems and proposing solutions’), and the political stream is an indicator of national or European perceptions of cybersecurity (‘composed of such factors as swings of national mood’). These codes served as a base from which to start the analysis; however, they were only preliminary. While the framework of Kingdon’s MSA remained firmly in place, new codes were created within each stream as the analysis was conducted. This was because a significant amount of new and unexpected information was found within the discourse. For a complete list of the codes used in the analysis please see the Appendix.

4. Analysis

The analysis was written in a chronological order, highlighting the results of the analysis and stating the applicability of the MSA within each respective time period.

4.1. 1999 – 2000

For the first time period of 1999-2000, cybersecurity was a new and relatively undiscussed topic within the EP. Consequently, only 7 documents in this period were found to contain dialogue that was relevant to the topic of cybersecurity[i]. The central topic of focus was on the management of e-commerce and fiscal issues that had arisen with the growth of online business. This is to be expected with the birth of e-commerce giants eBay and Amazon in the mid-1990s. Within this focus, the issues that are discussed are mostly related to the fact that ‘for all its vast potential, the cybermarketplace is little more than a lawless frontier, lacking rule and accepted business practices to deal with fundamental issues of access, privacy and taxation’[ii]. Similarly, another article highlights the features of crimes committed in this lawless frontier: ‘The technologies used are constantly evolving; finding evidence is an extremely complex task; the evidence is volatile and modifiable, and is thus easy to tamper with; investigators need to be highly skilled. Such specific characteristics make it necessary for the policy and judicial authorities responsible for combating these types of crime to learn new skills, and for cooperation to become more systematic between magistrates and police forces in the various countries’[iii]. On the basis of statements such as these, the most frequently seen discussions pertaining to cybersecurity between 1999 and 2000 were focused on the fact that cybersecurity was important due to the lack of European regulation on the issue[iv]. This was a somewhat expected result in this time period considering the fact that cybersecurity was at that time a new topic within the discourse of the EP – evidenced by the lack of cybersecurity related data within the EP database prior to 1999. This also ties in with two other perspectives on cybersecurity found within this time period, namely that cybersecurity is perceived as important due to the distinct lack of knowledge on the topic[v], alongside the fact that the policy area is continually developing and prone to unexpected turns of events[vi]. This demonstrates that there are three different problem streams within this time period.

The next most frequently discussed cybersecurity issue in this time period was related to a field that was initially unexpected in the results, but certainly an integral part of regulating cyber-security, namely the potential threats that the use of the internet may pose to minors. In this period the focus on the threat to minors is exclusively centered on the distribution of child pornography[vii]. Although this might not seem explicitly relevant to the field of cybersecurity targeted in this research, it is included in the analysis because the European Commission states that cybersecurity ‘refers to a broad range of different criminal activities where computers and information systems are involved either as a primary tool or as a primary target’[viii]. Such a definition would therefore include issues such as threats to minors and cyberbullying, both of which have been seen consistently throughout all three periods of the analysis. While it is clear that there is discourse associated with the rise of activity within cyberspace, there is little similarity shared with the contemporary understanding of what cybersecurity is. This is mainly because today, cybersecurity is understood as a broad term encompassing many different aspects, whereas in the period 1999-2000, the EP only ascribes the term to a minute number of issues. Given that costly cybersecurity breaches such as the Morris Worm (which led to damages costing an estimated $98 million) had occurred, attracting worldwide attention, the lack of cybersecurity discourse between 1999 and 2000 was somewhat unexpected (Boettger, 2000). Nonetheless, the discussion of online child pornography as a cybersecurity issue represents another problem stream within this time period.

Given that the problem stream is defined as ‘the perceptions of problems as public issues requiring government actions’, the discourse for this time period demonstrated the clear presence of numerous problem streams. There was concern expressed in the EP for the fact that child pornography was a prominent issue on the internet, and there were also calls for more regulation in the field of cybersecurity in order to protect and manage e-commerce services[ix]. Both of these issues constitute problem streams. Given that the policy stream is defined as ‘experts and analysts examining problems and proposing solutions to them’, a policy stream was also found to be present in this period. However, there was only one incidence of a code that applies to the policy stream: that experts are proposing solutions to issues of cybersecurity[x]. This was only the case in one statement in one of the 16 documents collected for this time period. While these two streams were present, they were not strong in their presence when compared to the other two time periods. This may be to do with the fact that every document in this time period lacks a direct relation to cybersecurity or a related field; references to cybersecurity tended to be only minor. This suggests that the perceived importance of cybersecurity in this time period was not particularly high.

4.2. 2007-2008

In this time period the discourse on cybersecurity developed in a different manner. While the policy area of cybersecurity was still not nearly as prominent as it is today, the issues which took the forefront of the discourse were the importance of cybersecurity for the online safety of minors, the cyberattacks in Estonia which highlighted a need for improved cybersecurity, and also the challenges that cyberbullying posed. On the topic of cybersecurity as an issue for minors, the discourse changed in this period from the previous period. Where the period of 1999-2000 focused predominately on the prevalence and distribution of child pornography as a security issue for minors, this period focused more on the use of the internet as a medium for the physical abuse of children. More specifically there is a significant amount of discourse relating to what is known as ‘cyber-grooming’[xi]. According to the UK children’s charity, the NSPCC (National Society for the Prevention of the Cruelty to Children), cyber-grooming ‘is when someone builds an emotional connection with a child [through the internet] to gain their trust for the purposes of sexual abuse, sexual exploitation, or trafficking’ (‘Grooming’, 2017). This demonstrates that the course of technological development has unfortunately facilitated the growth of new and more sinister means of exploiting and abusing children. This was even cited as one of the highest security concerns in the EU: ‘The Commission puts the protection of children from sexual exploitation at the highest level, especially on the Internet’[xii]. This coincides with the fact that cybersecurity issues that minors face from using the internet were discussed more thoroughly than any other cybersecurity subtopic, highlighting that this was the most important cybersecurity concern in the EP for the period 2007-2008. This discourse on the issues of cyber-grooming and child abuse through the use of the internet highlights the presence of two problem streams.

The next issue that was deemed most important within the context of cybersecurity was the cyber-attacks which took place in Estonia in 2007. This demonstrates that the preselected focusing event for this period (the cyber-attacks in Estonia) did in fact have a significant impact upon the state of the discourse. This shows that there was a general recognition within the EP that these attacks showed that European member states are vulnerable to cyber-attacks from foreign powers. Consequently, the discourse here was mainly centered on the fact that these attacks highlighted a lack of security within the networks of European member states, as well as calls for action to patch these vulnerabilities. This is demonstrated in the following excerpts:


‘A year ago, one million computers from all over the world were mobilized to block government institutions and banks in Estonia. I think the European Parliament too has to prepare a concise stand on how to respond to the threats of the newest technologies’[xiii]

‘Even though only a single countrywide system was involved can we have any doubt that that attack indirectly affected Estonia’s entire network of relations with other countries of Europe?’[xiv]

These excerpts also show a recognition that EU member states are digitally interconnected, and that a cyber-attack on one member state will likely have a knock-on effect for any member states which have digital interactions with the country which was attacked. Given that this was the first state-sponsored cyberattack on a European member state, the issue sparked the discussion of a new term within the EP: cyberwarfare. Thus, these attacks also stimulated discourse which was focused on preventing the outbreak of a cyberwar, which these cyber-attacks demonstrated to be a very real threat[xv]. This indicates the presence of an additional two problem streams in this time period, namely: the cyber-attacks in Estonia highlighting a need for improved cybersecurity and stimulating discussions of cyberwar.

Another interesting element of the discourse in this period was the fact that there was debate over whether or not cybersecurity solutions in the EU should be developed at the level of the Institutions of the European Union, or at the level of the individual EU member state. Some argued that when it comes to law enforcement in the realm of cybersecurity this is a direct responsibility of the member state, and that action at the EU level was not necessary. These sentiments were echoed in many different documents[xvi]. However, it should be noted that some of these sentiments were shared by Eurosceptic MEPs such as Nigel Farage (the former leader of the UK Independence Party) who stated that there should not be any cyber security oriented oversight from ‘the shadowy Europol agency’[xvii]. While this should by no means be excluded from the analysis, Farage’s sentiments within the EU are somewhat biased given his wholly negative sentiments towards the EU. Nonetheless, the individuals who were in support of cybersecurity oversight from the Institutions of the EU were also numerous[xviii]. So, for this period while there was some debate over whether the EU or its member states should regulate the enforcement of cybersecurity, the principal arguments in the discourse were that the institutions of the EU should play a central role in the enforcement of cybersecurity in Europe. However, the very presence of this debate within the discourse highlights an additional problem stream for this time period.

Another characteristic of the discourse in this period is that MEPs and other actors were on numerous occasions seen to be both asking for and proposing policy solutions to issues of cybersecurity. Experts and analysts were found to be proposing solutions such as public-private cooperation projects, EU codes of conduct, a Europol ‘child pornography images database’, as well as other measures in order to secure networks and facilitate information security[xix]. This explicitly indicates the presence of numerous policy streams. The discourse also saw 7 references to the fact that the issue of cybersecurity had become one of the EU’s most central security concerns[xx]. This importance ascribed to cybersecurity is further evidenced with 5 references to the formation and utilization of ENISA which was formed in 2004[xxi]. The utilization of ENISA also indicates the presence of additional policy streams, as the institution inherently consists of experts and analysts examining problems and proposing solutions to them. Despite the fact that the discourse describes cybersecurity as one of the most important security issues, and there are numerous calls for legislative action, as well as the formation and utilization of the ENISA, none of this fostered any concrete legislative changes at the EU level in the time period 2007-2008. The discourse did make reference to the Budapest Convention on Cybercrime, which was the first international treaty aimed at tackling cybercrime issues such as copyright infringement, child pornography, fraud, hate crimes and network security violations (Arias, 2002)[xxii]. However, the Budapest Convention took place in 2001, not between 2007 and 2008. In spite of the lack of cybersecurity legislation being passed by the EP in this time period, these points strongly indicate the presence of numerous policy streams.

This time period had substantially more data to work with (107 documents), and consequently the results of the analysis demonstrated a stronger presence for both the problem stream and the policy stream. A central difference between the period 1999-2000 and this time period is that many of the documents in 2007-2008 are focused predominately on cybersecurity issues, rather than having cybersecurity only as a sub-category of the central topic within a document. Perhaps the previous time period simply did not have any major focusing events or issues relating to the field of cybersecurity to constitute the development of critical discourse on the topic within the EP. In terms of evidence suggesting the presence of the policy stream, there were exactly 15 separate occasions where solutions to cybersecurity issues were being put forward in the discourse[xxiii]. These solutions included further encouragement for the ratification of the 2001 Budapest Convention on Cyber Crime, stressing the need for closer cooperation between cybersecurity agencies, further conferences to ‘tackle the problem of effective action against illegal content on the internet including child pornography’, proposals to fight against network security breaches, and 11 other propositions[xxiv]. Thus, it can be stated that both problem streams and policy streams are firmly seen to be present in this period. Still, however, there is no indication that a political stream is present, and there was no corresponding policy being passed by the parliament which might have indicated a convergence of the three streams in this time period.


4.3. 2016-2017

This period saw results that were far more extensive than the other two periods. This is largely due to the fact that there were 330 documents for 2016-2017, which is more than the two previous periods combined. The most applied code within Atlas.ti for this period was the perception that cybersecurity is an issue which requires more political attention and financial support. This code saw a total of 81 incidences throughout this time period[xxv]. By contrast, in the period of 2007-2008, the most numerous code (cybersecurity as an issue for minors) was only applied 21 times[xxvi]. This demonstrates the rapid growth of the concern regarding cybersecurity within the EP. However, despite these calls for more attention and financial support for cybersecurity within the EP, the next most important and frequently mentioned topic within this period is the perceived importance of the NIS Directive[xxvii]. This can be considered somewhat of a contradiction in terms, as the very existence of the NIS Directive presupposes that there is in fact political support for European cybersecurity regulations. This also demonstrates the unchanging and persistent importance of cybersecurity as a priority within the EP, in spite of new groundbreaking regulations such as the NIS Directive. Therefore, these indicate the presence of both a strong problem stream (the perception that cybersecurity is an issue which requires more political attention and financial support) and a strong policy stream (the perceived importance of the NIS Directive).

Another interesting focus of this period is the debate regarding the EU’s role in the domain of cybersecurity. While the period of 2007-2008 showed that there was some debate over whether the institutions of the EU should play any role in the regulation of cybersecurity within the EU, the period of 2016-2017 saw a conclusive end to the debate, signaling consensus on the need for an EU policy response. There were a total of 64 references to the perception that cybersecurity was an issue that required a transnational response, involving the institutions of the EU, but also in many cases partnerships with other nations and institutions outside of the EU, highlighting the truly global nature of cybersecurity as an issue[xxviii]. This also included the EU’s coordination with other transnational organizations such as the OSCE (the Organization for Security and Co-operation in Europe), the AU (the African Union), the ASEAN (the Association of South East Asian Nations), and NATO (the North Atlantic Treaty Organization). In particular, a relationship with NATO in order to tackle issues of cybersecurity was perceived as important, as it was stressed a total of 24 times[xxix]. On the other hand, there were zero mentions of cybersecurity being perceived as an issue which should not be dealt with by the institutions of the EU. This demonstrates that in the years 2016-2017, the EP perceives the issue of cybersecurity as something that the institutions of the EU should proactively address due to the transnational nature of the threat, which is a firm policy stream, as it constitutes a solution. Furthermore, the suggestion of collaborating with NATO to tackle cybersecurity issues presents an additional policy stream, as it too constitutes a potential solution.

In line with these debates regarding the EU’s role in the regulation and oversight of cybersecurity in Europe, another of the more frequently applied codes indicated that institutions are being both formed and utilized in order to address issues of cybersecurity[xxx]. The discourse indicated that the following institutions were being formed and utilized by the institutions of the EU: the ENISA, Europol’s EC3 (European Cybercrime Center), the EDA (European Defense Agenda), and CERT-EU (the Computer Emergency Response Team for the EU Institutions, bodies and agencies). It should be stated that other institutions not formally part of the EU were also perceived as important for cybersecurity in the EU, and a prime example of one of these institutions is the NATO CCDCOE (the NATO Cooperative Cyber Defense Center of Excellence) in Estonia. All these developments demonstrate that cybersecurity is perceived to be an issue of such importance that the institutions of the EU deem it necessary to establish numerous institutions in order to address these issues. The utilization of these institutions indicates the presence of multiple policy streams, as each of these institutions is being used in order to tackle specific issues relating to cybersecurity. Perhaps this diversity of institutional solutions to problems of cybersecurity is due to the corresponding diversity of threats that undermine cybersecurity in the EU. One of the most frequently mentioned threats, as in the other two time periods, was once again the threat that internet usage poses to minors, both in the form of child pornography and ‘cyber-grooming’. The importance of cybersecurity for the security of minors was mentioned a total of 33 times throughout the discourse, and corresponds with one of EC3’s central operational goals (‘European Cyber Crime Centre’, 2017).
Another theme in the discourse indicated (just as in the previous time periods) that cyberbullying is still a major issue, not just for minors but also for adults. This threat was raised as an important cause for adequate cybersecurity on 27 different occasions throughout the discourse[xxxi]. What is also interesting here is that the discourse highlights the manner in which cyberbullying has evolved as a threat. The period of 2016-2017 shows the evolution of new cyberbullying threats such as ‘revenge porn’ (‘these men publish intimate photographs of their ex-girlfriends, who once trusted them, without their consent, leaving the women open to public humiliation’), and ‘the blue whale game’ (‘some phenomena, such as the infamous Blue Whale game, aim to persuade more vulnerable people, particularly minors, to carry out acts of self-harm, which can even reach the point of suicide’)[xxxii]. This clearly demonstrates the dynamic landscape of cyber-threats in the EU, which evolves with the rapid rate of technological development. These issues of cyberbullying, cyber-grooming, and child pornography indicate the presence of 3 additional problem streams in this time period.

Given this plethora of differing cybersecurity issues alongside the dynamic and constantly changing nature of cyber-threats, there is good reason for the establishment of institutions such as the EC3, mainly because the number of cyber-threats and attacks has grown substantially, which is something that was perceived as important for the development of cybersecurity within the 2016-2017 discourse a total of 27 times[xxxiii]. In
