The Effectiveness of Public-private Partnerships in the Cyber Domain

Academic year: 2021

Leiden University

The effectiveness of public-private partnerships in the cyber domain

A study into Information Sharing and Analysis Centres (ISACs) in the Netherlands

Crisis & Security Management – Master thesis

Name: Joeri Nelemans

Student number: S1778935

Supervisor: Dr. E. de Busser

Date: 13 January 2019

Words: 26,452

Abstract

In the current society, cybersecurity is becoming more important by the day. Large-scale cyber-attacks such as WannaCry and Petya show that cyber threats are increasing and potentially devastating for critical infrastructures all over the world. As critical infrastructures are largely possessed and maintained by private actors, while public actors are ultimately responsible for security, public-private partnerships in the cyber domain are necessary to face today’s cyber challenges. Public-private partnerships, however, are not without problems and their effectiveness is contingent upon many factors.

This study examines which factors influence the effectiveness of a particular type of public-private partnership in the cyber domain in the Netherlands: Information Sharing and Analysis Centres (ISACs). These ISACs are sector-specific public-private bodies that share and analyse cyber-incident- and countermeasure-related information. Derived from the literature, there are 5 critical success factors (CSFs) that potentially influence the effectiveness of these public-private partnerships: ‘alignment of interests’, ‘effective information-sharing’, ‘clear distribution of responsibility and accountability’, ‘mitigation of risks’ and ‘effective (administrative) management’.

By conducting eight in-depth expert interviews, this study has tested the explanatory value of each of these factors for the effectiveness, in the context of the ISACs in the Netherlands. Attempts to do quantitative statistical research were made, but due to reasons related to confidentiality and privacy, this proved to be not possible.

Apart from ‘clear distribution of responsibility and accountability’, all the factors have a positive influence on the effectiveness of the partnership. ‘Clear distribution of responsibility and accountability’ could not be adequately tested because the ISACs are not an executive body and, apart from a very limited degree of responsibility, no provisions are made about the responsibility and accountability of either the individual partners or the ISAC as a whole. Additionally, this study found two other factors of influence: ‘trust between the partners’ and ‘size of the partnership’. ‘Trust between the partners’ has a positive relationship with ‘effective information-sharing’ and therefore with the effectiveness of the ISAC. ‘Size of the partnership’ has a negative relationship with ‘trust between the partners’ and therefore with the effectiveness of the ISAC.

Contents

Abstract
List of tables and figures
List of abbreviations
1 Introduction
1.1 Petya & WannaCry
1.2 Cybersecurity for critical infrastructure
1.3 Research question
1.4 Scientific and societal relevance
1.4.1 Scientific relevance
1.4.2 Societal relevance
1.5 Reading guide
2 Theoretical Framework
2.1 A nation’s security
2.1.1 What is (cyber)security?
2.1.2 Critical infrastructures (CI)
2.2 Public-private partnerships (PPPs)
2.2.1 What are public-private partnerships?
2.2.2 Effectiveness of public-private partnerships
2.3 Public-private partnerships in cybersecurity
2.3.1 Public vs Private
2.3.2 Critical success factors (CSFs)
2.3.2.1 Alignment of interests
2.3.2.2 Effective information-sharing
2.3.2.3 Clear distribution of responsibility and accountability
2.3.2.4 Mitigation of risks
2.3.2.5 Effective (administrative) management
2.3.4 Effective PPPs in critical infrastructure cybersecurity a utopia?
2.4 Conceptual model
3 Methodology
3.1 Hypotheses
3.2 Research design
3.3 Case selection
3.5 Operationalization of concepts
3.6 Validity and reliability
3.6.1 External validity
3.6.2 Internal validity
3.6.3 Reliability
4 Empirical data and analysis
4.1 The Dutch ISACs in practice
4.1.1 ISACs as public-private partnerships
4.1.2 The structure and workings of the ISACs
4.1.2.1 The emergence and position of Dutch ISACs
4.1.2.2 Shape and structure
4.1.2.3 The meetings
4.1.2.4 The goals
4.1.2.5 Membership
4.2 On effectiveness
4.3 Alignment of interests
4.3.1 Common goal versus common interests?
4.3.2 Law on open government
4.4 Effective information-sharing
4.4.1 The information that is being shared
4.4.2 The willingness to share information
4.4.3 Traffic light protocol (TLP)
4.4.3.1 The red information paradox
4.4.3.2 ‘Ambering’
4.4.4 The future of information-sharing
4.5 Clear distribution of responsibility and accountability
4.5.1 Private parties’ responsibility and accountability
4.5.2 Public parties’ responsibility and accountability
4.6 Effective (administrative) management
4.6.1 The chair
4.6.2 The secretary
4.7 Mitigation of risks
4.7.1 Risks generated by the existence of the ISACs
4.7.2 Financial risks
4.7.3 Risks generated by cooperation within the ISACs
4.8 Other influencing factor(s)
4.8.1 Trust between the partners
4.8.2 Size of the partnership
5 Conclusion and recommendations
5.1 Conclusion
5.2 Recommendations
5.3 Limitations
Bibliography
Appendix 1 List of interview respondents

List of tables and figures

Figure 1: Spread of WannaCry ransomware virus (source: Kaspersky Lab)

Figure 2: List of ECI sectors (source: Council of the European Union, 2008)

Figure 3: Conceptual model

Figure 4: Traffic Light Protocol, TLP (source: ongisac.org)

Figure 5: Corrected conceptual model

Table 1: Potential influential factors

List of abbreviations

AIVD Algemene Inlichtingen en Veiligheidsdienst (Dutch General Intelligence and Security Service)
CI Critical Infrastructure
CIP Critical Infrastructure Protection
CSF Critical Success Factor
EU European Union
ICS Industrial Control System(s)
I(C)T Information (and Communication) Technology
ISAC Information Sharing and Analysis Centre
KPI Key Performance Indicator
MSP Managed Service Provider
MO Modus Operandi
NCSC Nationaal Cyber Security Centrum (Dutch National Cyber Security Centre)
NCTV Nationaal Coördinator Terrorisme en Veiligheid (Dutch National Coordinator for Security and Counterterrorism)
NIS Network Information Security
PPP Public-Private Partnership
SOC Security Operations Centre
THTC Team High Tech Crime
TLP Traffic Light Protocol

1 Introduction

1.1 Petya & WannaCry

In June 2017, a ransomware attack spread across Europe, paralyzing and shutting down information networks on a large scale. The attack, named ‘Petya’, originated in Ukraine, where it infected companies, airports, banks and government departments (Rothwell et al., 2017). After that, it quickly spread to other countries, such as the UK, the Netherlands and Denmark. Outside of Ukraine, Petya mainly targeted firms, whose computers were ‘hijacked’, with the only apparent solution being to pay an extortionate amount of money in Bitcoin. One of the companies that was struck the hardest was the Danish shipping firm Maersk, along with all its subsidiaries (one of which is APM Terminals, responsible for a considerable amount of container transport in the port of Rotterdam). For Maersk alone, the damage caused by Petya exceeded $300 million in lost revenue (Palmer, 2017). The Petya attack emerged only a few weeks after another large-scale ransomware attack, ‘WannaCry’. This attack hit the infrastructure of around 150 countries; the British National Health Service, Spanish telephone company Telefónica, logistics firm FedEx and the German railway organization Deutsche Bahn are examples (Larson, 2017; BBC, 2017). Figure 1 shows the worldwide spread of the WannaCry ransomware virus, including some major private enterprises and public services. Although this attack was halted relatively quickly by discovering its ‘kill switch’ (Khomami & Solon, 2017), it showed the magnitude with which these increasingly popular malware attacks can strike and shut down critical infrastructure.

Figure 1: Spread of WannaCry ransomware virus (source: Kaspersky Lab)

1.2 Cybersecurity for critical infrastructure

Cyber-attacks themselves are not a new phenomenon. Even this kind of attack, involving the encryption of files and a payment as ‘solution’, has been known to the world since 1996 (Young & Yung, 1996). However, two developments have directed attention towards these attacks and the necessity to be able to prevent them beforehand and stop them when they occur. First, this form of cyber-extortion has boomed in the last couple of years, especially in 2016 and 2017 (Patyal et al., 2017: p. 52). More attacks appeared which infected a large number of computers, networks and organisations. Moreover, Europol’s latest ‘Internet Organised Crime Threat Assessment’ report (IOCTA) states that ransomware remains one of the most dominant and fastest-growing cyber threats (Europol, 2018: p. 7). Secondly, there has been a shift regarding the type of victims of these attacks. Initially, the targets of ransomware attacks were individual home users. A government-like message would be shown, accusing the victim of serious offences, together with a timer as payment deadline. Facing these threats, individuals have a high likelihood of paying the ransom (Patyal et al., 2017: p. 53). However, the recent increase in ransomware attacks shows a shift from the targeting of individuals to the targeting of (large) companies, healthcare organizations and other public sector infrastructure (Patyal et al., 2017: p. 52; Europol, 2018: p. 21). The viruses are mostly installed through ‘file sharing networks’, the clicking on links on malicious websites or the opening of attachments and links in ‘phishing’ e-mails (Patyal et al., 2017: p. 53).

The increase in cyber-attacks and the targeting of critical infrastructure shows the vulnerability of our society, in which we are largely dependent on computer networks and information technology (Jang-Jaccard & Nepal, 2014: p. 973; Boeke, 2017: p. 1). Governments are well aware of the threats for society emerging from the cyber domain. In 2013, the EU published an extensive cyber security strategy, named ‘An Open, Safe and Secure Cyberspace’. The strategy entails the EU’s comprehensive vision on how best to prevent and respond to cyber disruptions and attacks (European Commission, 2013a). One of the key components of this strategy is the NIS Directive, aimed at measures for a high common level of security of network and information systems across the Union. One of the main provisions in this directive states that: “Member State must adopt a NIS strategy and designate a national NIS competent authority with adequate financial and human resources to prevent, handle and respond to NIS risks and incidents” (European Commission, 2013a). Thus, the EU burdens governments of its member states with the responsibility to adequately set up a cyber security policy. The EU then also explicitly mentions the importance as well as vulnerability of critical infrastructure, which needs at least to adopt risk managing practices and reporting procedures in the case of security breaches (European Commission, 2013b). The urgency to address cybersecurity is something that the Dutch government is well aware of as well. Every year, it publishes the ‘Cybersecurity Landscape of the Netherlands’ as well as a ‘Cybersecurity Assessment of the Netherlands’, which are in turn part of a larger ‘National Cyber Security Strategy’ (Ministry of Security & Justice, 2017). Like the EU, the Dutch government emphasizes the importance of critical infrastructure and the State Secretary of Security and Justice (Klaas Dijkhoff) points out: “The sense of urgency to invest in cyber security is growing in Dutch society. Nevertheless, we must continue to invest in knowledge and expertise to stay at the top level. That’s why we talk to businesses, education and representatives from critical infrastructure. We need to work together to keep the Netherlands digitally safe and secure […]” (Ministry of Security & Justice, 2017). Both EU and Dutch governments stress the importance of the protection of critical infrastructure and the need for public and private actors to cooperate in order to protect our network society. In the Netherlands, this has resulted in the creation of so-called Information Sharing and Analysis Centres (ISACs). These ISACs are public-private partnerships that are organised per sector. In these public-private partnerships, the participants share and analyse information and experiences concerning cyber security and cyber threats (NCSC, 2017). Examples of these sectoral ISACs are: Energy, Financial Institutions, Health Care and Drinking Water. However, as Carr (2016: p. 44) describes, public-private partnerships within cybersecurity have a high probability of being problematic. An example is an often emerging fundamental disjuncture between the expectations of both ‘sides’, especially regarding who has what role, responsibility and authority. As the operators of critical infrastructure are most often privately owned enterprises, these public-private partnerships seem to be the only viable solution in ensuring cybersecurity for these sectors. This research will examine factors that potentially influence the effectiveness of such a public-private partnership in cybersecurity.

1.3 Research question

Having introduced the problem concerning public-private partnerships in cyber security, this leads to the following research question:

Which factors influence the effectiveness of public-private partnerships within cybersecurity in the Netherlands?

To be able to answer this question, it will be divided in the following sub-questions:

1. What do the concepts ‘cybersecurity’, ‘public-private partnership’ and ‘critical infrastructure’ entail?

2. What does the literature say about effectiveness of a public-private partnership and factors that might influence this effectiveness?

3. How are ISACs being set up? Are there any effectiveness measurement instruments in place?

4. Are the ISACs being perceived as effective?

5. How does ‘alignment of interests’ influence the effectiveness of (an) ISAC(s)?

6. How does ‘effective information-sharing’ influence the effectiveness of (an) ISAC(s)?

7. How does ‘a clear distribution of responsibility and accountability’ influence the effectiveness of (an) ISAC(s)?

8. How does ‘mitigation of risks’ influence the effectiveness of (an) ISAC(s)?

9. How does ‘effective (administrative) management’ influence the effectiveness of (an) ISAC(s)?

The main and sub questions of this research will be answered by doing a case-study into ISACs in the Netherlands. This case-study consists of a qualitative approach, using expert interviews to obtain data. Consequently, the data is analysed after having operationalised the central concepts and by using a coding scheme.

1.4 Scientific and societal relevance

1.4.1 Scientific relevance

Since computers and the internet emerged in the second half of the 20th century, policy-makers and scholars have been thinking about how sensitive data should be protected from outside entities (Warner, 2012: p. 782). Since then, an increasing number of scholars have written about the implications of cybersecurity, but public-private partnerships in cybersecurity is a rather specific field in which new research can still contribute to the limited body of knowledge. Public-private partnerships in general have been studied quite extensively, however. Several studies have focused on critical success factors (CSFs) and many others on the key indicators for success (KPIs). However, these are seldom done within the field of cybersecurity, but rather in construction (Yuan et al., 2008; Yuan et al., 2009) or transportation (Mladenovic et al., 2013). Very few studies have looked at the determinants for success/effectiveness of public-private partnerships within the field of cybersecurity. Nevertheless, two studies on this topic should be mentioned. First, Carr (2016) examines the public-private partnerships within cybersecurity that governments have arranged with the owner/operators of critical infrastructure. By using theories about public-private partnerships, she determines the key objectives of these partnerships and the indicators of success, with which she examines the US and UK situations. Secondly, there is a study by Shore, Du and Zeadally (2011), which examines public-private partnership agreements within critical infrastructure protection in the case of New Zealand. It also proposes a public-private partnership model for national cyber-security, based on this examination. The aforementioned studies show that there has been some research on public-private partnerships in cybersecurity, even aimed at sectors within the critical infrastructure networks. However, these studies have been oriented at either the US and UK or at New Zealand. A similar study examining public-private partnerships within a European context has not been conducted. Therefore, a study that explores the determinants for effectiveness of cybersecurity PPPs within the Netherlands will add to the academic body of knowledge.

1.4.2 Societal relevance

As Jang-Jaccard and Nepal (2014: p. 973) explain, our society is becoming increasingly dependent on information and therefore on the facilitating factors of these information flows. An unimaginably large and complex network of digital connections facilitates these information flows, something that is mostly described as ‘cyberspace’. The increased dependency on cyberspace has also made cyber-attacks, such as Petya and WannaCry, more attractive and more disastrous. According to the Internet Security Threats Report by Symantec (2017), the number of victims (whether individuals, companies or governments) is growing by the year and the total amount of costs with it, especially when cyber-attacks now start to target large companies, such as banks, stealing considerable amounts of money. The critical infrastructure systems are the backbone of modern-day society and are determinants of the security and well-functioning economy of a state. As cyber systems are the lifelines on which most critical infrastructures rely, their reliable and secure operation is undoubtedly of preeminent importance (Jang-Jaccard & Nepal, 2014: p. 984). For actors involved in the critical infrastructure system, it is therefore important to develop their cyber security policies to the level needed to protect their data assets. As Carr (2016: p. 43) describes, public-private partnerships are being perceived as the ‘cornerstones’ of cyber security strategy. This research will help public-private partnerships, especially ISACs in the Netherlands, to explore what the causes of effectiveness are. This can, in turn, help the partnerships to emphasize certain factors in the set-up or operations of these PPPs, with the goal to maximize effectiveness. Moreover, the results can be used outside of the Netherlands when there are comparable public-private partnerships in place.

1.5 Reading guide

The introduction of this thesis has outlined the central problem and has presented the main research question as well as the sub questions. Subsequently, chapter two contains the theoretical framework that provides all the theoretical background knowledge on which this research is based. Here, the concepts (cyber)security, public-private partnerships and critical infrastructure will be elaborated on extensively. Thereafter, chapter three will explicate the research design of this research, as well as the methods of data collection that have been used. Chapter four will then be dedicated to presenting, analysing and interpreting the data that has been gathered. Finally, chapter five will present the conclusion of this study by answering the research questions, as well as give a number of recommendations.

2 Theoretical Framework

2.1 A nation’s security

2.1.1 What is (cyber)security?

To understand the meaning of cybersecurity, one must first understand the meaning of security, as security can have an ambiguous character. Wolfers (1952) characterized security as “the absence of threats to acquired values” (p. 485). As complete absence of threats is a mere utopia in the complex society of today, the slight reformulation of this definition by Baldwin (1997: p. 13) to “a low probability of damage to acquired values” is a much more workable phraseology. This will enable one to assume that one hundred percent security is a non-achievable goal, because threats will always continue to emerge, while it gives the opportunity to measure security by the indicator of minimization of damage for the referent object. Especially in cybersecurity, this assumption is necessary, because cyber threats will only grow in number and severity (Symantec, 2017). Hence, security in cyber is not about eliminating every possible threat, but about minimizing the damage to acquired values. Baldwin (1997) also introduces seven questions regarding security, to be able to understand the concept of security. Of these seven, three are most salient for cybersecurity: security for whom?; security from what threats?; security by what means? The first one addresses the referent object that has to be secured, which can be ‘the state’, ‘the individual’ or another entity. The second question refers to the factor that is endangering the security of the referent object. The answers to the first two questions decide the answer to the third, which is about the instruments that should be used to protect the referent object from perceived threats. Most of the time, there is a wide variety of policies that can function as the answer to this third question (Baldwin, 1997: p. 16). These questions are needed to examine (in)security in the realm of cyber and determine what measures may be suitable for specific situations.

When it comes to the definition of cybersecurity, there has been some ambiguity. The Oxford American Dictionary calls cybersecurity “the state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this” (Stevenson & Lindberg (eds.), 2010). Although this provides direction, it is still quite unspecific. According to Jang-Jaccard and Nepal (2014) cybersecurity is “the understanding of surrounding issues of diverse cyberattacks and devising defence strategies (i.e., countermeasures) that preserve confidentiality, integrity and availability of any digital and information technologies” (p. 974). While specifically focusing on ‘cyberattacks’, this definition is much more detailed and gives insight into how data can be damaged. The definition by the Dutch government focuses more on the causes through which data can be damaged:

“Cyber security refers to efforts to prevent damage caused by disruptions to, breakdowns in or misuse of ICT and to repair damage if and when it has occurred.” (Ministry of Security and Justice, 2013).

This definition is broader because it includes all damage caused by breakdowns, disruptions and misuse regarding information and communication technology. There is one thing that all definitions neglect, however: the role of the state in cybersecurity. As cyber-attacks endanger critical infrastructure systems in our society, as demonstrated by Petya and WannaCry, cybersecurity concerns national security. As Carr (2016: p. 54) mentions, we perceive the state to be responsible for the provision of security, especially when it concerns national security. Boeke (2017) adds to this by stating that in a large number of countries a governmental organization or ministry is coordinating and/or leading the cybersecurity policy, either by design or by accident. This underlines the importance of the role of the state, or even state-leadership, in the field of cybersecurity. Nevertheless, cybersecurity is a complex domain, which is hard to control by a single entity, such as the state. Maughan (2010) emphasizes the fact that there is not a single federal agency that ‘owns’ the issue of cybersecurity. Furthermore, he stresses that not even a federal government can own or control cybersecurity, let alone cyberspace. Through cyberspace, a nation’s critical infrastructure is vulnerable and both company interests and state-security interests align here in the need for a solid cyber resilience. Hence, a comprehensive cooperation between the public and private sector is needed.

2.1.2 Critical infrastructures (CI)

As mentioned before, critical infrastructure is a sector in which the emergence of public-private partnerships has boomed. One reason for this is that in most of the sectors within critical infrastructure, much has been privatized (Carr, 2016: p. 43). So what exactly is critical infrastructure then? According to the Oxford Dictionary of Disaster Management, it entails “assets, systems, and networks (virtual or physical) so important to a society’s vital functions that incapacitation or destruction of them would have great consequences for national security, safety, and/or public health” (Rubin & Dahlberg, 2017). Following this definition, the government of the United States of America has distinguished 16 critical infrastructure sectors (Department of Homeland Security, 2017).

• Chemical sector
• Commercial facilities sector
• Communications sector
• Critical manufacturing sector
• Dams sector
• Defence industrial base sector
• Emergency services sector
• Energy sector
• Financial services sector
• Food and agriculture sector
• Government facilities sector
• Healthcare and public health sector
• Information technology sector
• Nuclear reactors, materials and waste sector
• Transportation systems sector
• Water and wastewater sector

Some of the sectors have in turn sub-sectors. Within the transportation sector, there are a number of sub-sectors as well, including ‘postal and shipping’, which includes courier services, mail services, mail management firms and chartered delivery services (Department of Homeland Security, 2017).

The EU also has its own perception of what is critical infrastructure. In 2008, the EU even decided on a directive on ‘the identification and designation of European critical infrastructures and the assessment of the need to improve their protection’ (Council of the EU, 2008). In this directive, the critical infrastructure within the European Union was divided as follows:

The United States and the European Union have a rather different view on what exactly critical infrastructure is, although in both cases, energy and transportation are areas of frequent occurrence.

The sectors that are distinguished to belong to the critical infrastructure, are perceived to need a solid protection from cyber threats. Therefore, these sectors are most often involved in national cybersecurity strategies and policies. This is also the case for the Netherlands. Here, the National Cyber Security Centre, part of the National Coordinator for Security and Counterterrorism (NCTV), coordinates partnerships (ISACs) between public and private actors that are involved with cybersecurity in critical infrastructure sectors.

2.2 Public-private partnerships (PPPs)

2.2.1 What are public-private partnerships?

Starting in the 1970s, the entire Western world moved into a period of administrative reforms. The traditional ways of public administration were perceived as costly and inefficient, and ‘new public management’ (NPM) was born (Kickert, 1997: p. 15). NPM introduces private-sector (management) techniques and procedures into the public sector. This means that values such as ‘output’, ‘efficiency’ and ‘client orientation’ become more and more important (Kickert, 1997: p. 15; Boyne, 2002: p. 97). This reform has paved the way for new forms of administration and governance, especially ones that incorporate more of society, including the private sector. Resulting from this, public-private partnerships (PPPs) have gained popularity in public administration discourse since the 1990s. They can be defined as ‘organizations and institutions that mix elements from both the public sector and the private sector’ (Greve & Hodge, 2011: p. 265). The introduction of PPPs as a new form of organising projects was based on the assumption that there would be a better ‘value for money’ and a superior performance in comparison to traditionally organised projects (Hodge & Greve, 2005: p. 92). Public-private partnerships have now become a defining characteristic of modern-day governance. A more detailed and useful definition for PPPs is the one by Van Ham and Koppenjan (2001: p. 598):

“Cooperation of some durability between public and private actors in which they jointly develop products and services and share risks, costs and resources which are connected with these products or services.”

According to Van Ham & Koppenjan (2001: p. 589), a public-private partnership is the most preferred mode of operation when a project is too complex and includes such a variety of interests that the public sector is not able to manage it unilaterally. The probability of a PPP emerging depends on two factors: the characteristics of the project and the willingness of both parties to participate. Next to that, it also demands a certain amount of creativity of the partners to achieve a well-working joint project, as well as strategic and communicative skills from both ‘sides’ (van Ham & Koppenjan, 2001: p. 598). Projects involving a nation’s infrastructure lend themselves particularly well to PPPs, ‘point infrastructure’ even more than ‘line infrastructure’ (van Ham & Koppenjan, 2001: p. 599; Greve & Hodge, 2011: p. 266). While the visible outcome of PPPs are joint products and services, the partnerships also entail institutional renewal as they encompass a fundamental shift in working methods, procedures, arrangements and institutions regarding public policy (van Ham & Koppenjan, 2001: p. 599).

Dunn-Cavelty and Brunner (2007) describe two developments that support the argument that the state’s importance in certain fields of policy is decreasing. They name the increasing internationalization and the increasing privatisation. These developments both have serious implications for security and even unite in the US and UK approach to national cyber security policy (Carr, 2016: p. 46). When, after the Cold War, spending on technological innovation for defence reasons became less appealing, there was a shift towards an economic reason to do this. Led by the American President of that time, Bill Clinton, the idea of globalizing and liberating markets occurred. He advocated for spending on research and development for commercial technologies. This was a catalyst for public-private partnerships that were aimed at developing information and technology systems for the public good (Stiglitz & Wallsten, 1999: p. 57). The new belief was that it was not the government(s), but the private sector actors that possessed the knowledge and expertise to handle the complex process of developing new information and communication technologies and land them on the market. On the other hand, the governments would have to play a crucial role in enabling the private sector’s efforts to do this (Stiglitz & Wallsten, 1999: p. 63). In many states where critical infrastructures concerning, for instance, finance, energy and transport have been privatised, (cyber) security policies have been embracing public-private partnerships as an outcome (Carr, 2016: p. 43).

2.2.2 Effectiveness of public-private partnerships

When it comes to assessing the effectiveness of public-private partnerships, comparative studies are very risky, because the set goals or function of public-private partnerships vary tremendously (e.g. awareness-raising, information-sharing, implementation) (Schäferhoff, Campe & Kaan, 2009: p. 457). The assessment of public-private partnership effectiveness should therefore always occur in a manner that relates to its goal or function (ibid.). A structured way to assess this effectiveness is by using three dimensions of effectiveness: output effectiveness, outcome effectiveness and impact effectiveness (Beisheim & Campe, 2012: p. 629). These dimensions of effectiveness originate in regime theory (as part of international relations theory) and are for example described by Young (1994) and Wolf (2010). They explain that effectiveness of a regime (which can also be translated to a public-private partnership) can be explained and investigated on these three different levels, or dimensions. Output effectiveness can be determined as the (self) commitments of the actors within the regime. In other words, the direct activities of the PPP. This can be service provision, information/knowledge sharing, or implementation of a certain kind (Beisheim & Campe, 2012: p. 629). Outcome effectiveness appears when these activities lead to second-tier behavioural changes among the participants of the PPP. These behavioural changes consist of things the participants do outside of the PPP that they would not have done otherwise or of altering entire patterns of behaviour (Young, 1994: p. 145). Outcome effectiveness can also present itself when the activities have spurred national or international political or public debate (Beisheim & Campe, 2012: p. 629). Thirdly, there is impact effectiveness. This refers to the more long-term contribution of the aforementioned activities and behavioural changes to the solution of the underlying problem (Wolf, 2010: p. 4). This impact effectiveness, however, can be difficult to measure, mainly because of problems with attribution (i.e. whether the effect is specifically caused by the activities and behavioural changes).

2.3 Public-private partnerships in cybersecurity

Now that cybersecurity has gained significant salience over the last couple of years, governments have begun to develop their national cybersecurity strategies at a fast rate (Carr, 2016: p. 43). To protect a country’s critical infrastructure, governments have established public-private partnerships (Shore et al., 2011: p. 1). However, these partnerships within the field of cybersecurity are by no means without problems. For starters, there has been persistent ambiguity concerning the parameters of the partnership. Furthermore, it often remains unclear how responsibility and accountability are distributed in such partnerships. This can be because of the government’s reluctance to take authority for possible stronger cybersecurity measures by law and the unwillingness of the private sector to take on a form of responsibility for the nation’s national cybersecurity (Carr, 2016: p. 43).

2.3.1 Public vs Private

The research by Carr (2016) examines these partnerships and the problems they entail. She, like other scholars, assumes that the government has an important role in guaranteeing national security by focussing on cybersecurity, especially since critical infrastructures are heavily relying on the security of cyberspace. However, as already discussed, the governments depend on the private sector in this regard, because most critical infrastructure is privately owned and the private sector has more expertise concerning cyber. To assess public-private partnerships in national cybersecurity strategies in the US and UK, Carr (2016) uses the model by Wettenhal (2003), which distinguishes PPPs in two categories. First, there are the horizontal and non-hierarchical partnerships that rely on equal and consensus-based decision making. According to Wettenhal (2003: p. 90), these kinds of partnerships are the embodiment of ‘true’ partnerships. Secondly, there are the arrangements that are controlled by one actor and therefore hierarchically structured. The narrative of public-private partnerships within cybersecurity strongly supports the first type of partnerships. In the UK Cyber Security Strategy, it states for instance that “a safe and secure internet will require everybody, the private sector, individuals and the government to work together” (Carr, 2016: p. 55). This way of approaching cybersecurity underlines the idea that we all face a common threat that has the same implications for everyone, which is not the case. National governments perceive cybersecurity as a common good, whereas for private sector actors cybersecurity relates to financial and reputational challenges (Carr, 2016: p. 55). Because these challenges for the private sector are of paramount importance, it is best equipped and structured to face and manage a cyber threat. The problem, however, is that many of these networks, especially when it comes to critical infrastructure, are central to national governments, while the private sector operates based on a business model that responds to profit margins and shareholder interests (Carr, 2016: p. 56). This leads to the private sector’s reluctance to engage in cybersecurity PPPs, based on two reasons. First, their costs of (co)securing national cyberspace would be very high, and second, there is a major risk in accepting liability for cybersecurity as a public good. Because of these reasons, theories assume that the private sector is willing to bear costs and accept responsibilities up to the point that it would be still profitable, neglecting the social benefits of PPPs in national cybersecurity strategy (Carr, 2016: p. 57). According to Carr (2016), this leads to ill-functioning partnerships. However, there are also studies that conclude otherwise. Most of these studies investigate which factors play an important role in the success of the public-private partnership. These factors are called Critical Success Factors (CSFs).

2.3.2 Critical success factors (CSFs)

Various studies have examined the effectiveness of (various types of) public-private partnerships, and what factors are decisive for this effectiveness. In the literature, the following five critical success factors (CSFs) are often reoccurring: ‘alignment of interests’, ‘effective information-sharing’, ‘clear distribution of responsibility and accountability’, ‘mitigation of risks’ and ‘effective (administrative) management’. These factors will be elaborated on more in-depth in the following sub-paragraphs.

2.3.2.1 Alignment of interests

Carr (2016) explains that the private and public partners in a PPP have a difference of interest, causing the partnership to have problems with achieving its goals effectively. This is due to the fact that companies are mainly profit-driven, but also the public partner’s interest can be unstable because of fluctuating electoral support (Stiglitz & Wallsten, 1999). Dunn-Cavelty and Suter (2009: p. 181) also point out that the interests of private parties and interests of state parties, especially in the protection of critical infrastructure by PPPs, are only partially convergent. They argue that especially the private sector actors will fear that the state might not handle certain information as confidentially as it should, which can lead to reputational damage for these private companies. These underlying reasons make synergy in interests hard to obtain (Dunn-Cavelty & Suter, 2009: p. 181). However, when the interests of public and private partners are aligned and the objectives are shared, the cooperation will function more smoothly (Rosenau, 1999: p. 22). Hence, aligning divergent interests is very important for the performance of public-private partnerships because they have a direct effect on their effectiveness, according to Doloi and Ma (2010: p. 9).

2.3.2.2 Effective information-sharing

Key to well-functioning public-private partnerships – whether in the field of cybersecurity or not – is information-sharing. But especially in the field of cybersecurity, the sharing of information is central to most public-private partnerships, to be able to anticipate a cyber threat in a timely manner, but also to learn from each other’s experiences with cyber threats, attacks and counter measures. Therefore, Dunn-Cavelty and Suter (2009: p. 181) name information-sharing as the most immediate need in the context of critical infrastructure protection.

There are, however, a few obstacles that hinder information-sharing. From the perspective of the private sector, one of the obstacles is that it is often not immediately clear whether an inconsistency is a technical malfunction or a dangerous exogenous threat. Secondly, it can oppose a private actor’s financial interests to report a problem because it shows its vulnerabilities, leading to an advantage for market competitors (Carr, 2016: p. 58). Rosenau (1999: p. 23) also points towards these kinds of private disadvantages of information-sharing. She explains that proprietary information is of crucial importance for private actors in regard to competing with competitors. Therefore, they might be reluctant to disclose certain information to avoid the risk of bringing their market position in jeopardy (Rosenau, 1999: p. 23).

For the public sector, an important limitation is the inability to share certain information with entities that do not have the right security clearance to access this information. Also, performing action on the classified information would most likely expose the information, which means the action can only be done silently, which completely undermines the idea of information-sharing as key component in public-private partnerships. Secondly, a government’s information about a cyber threat is being thoroughly examined and checked to be sure it is accurate, detailed and confirmed. Although these are highly desired characteristics of information, it does not foster the timely sharing of the information with the private sector by any means (Carr, 2016: p. 59).

A key finding of the research by Carr (2016) is that the likelihood of effective information-sharing between the public and private ‘partners’, is highly reliant on the personal relationships within the PPP (Carr, 2016: p. 59). Moreover, this sharing of information is of paramount importance for the effectiveness of the public-private partnership.

2.3.2.3 Clear distribution of responsibility and accountability

Van Ham and Koppenjan (2001) and Carr (2016) touch upon the matter of a clear distribution of responsibility and accountability as vital factors within PPPs. Hodge and Greve (2007: p. 522) also stress that accountability is an important but often lacking feature within public-private partnerships. The fact that it is often lacking can have several reasons. Van Ham and Koppenjan point to the fact that private partners might be reluctant to take responsibility and accountability because of the fear of public scrutiny. On the public side, there is a reluctance to take on authority for stronger measures concerning cybersecurity (Carr, 2016). Nonetheless, the importance of responsibility and especially accountability within public-private partnerships is often underestimated. After all, one of the central provisions of democracy is that political leaders and governments can be held accountable for their decisions and actions (Rosenau, 1999: p. 19). When public tasks and decisions are (partly) entrusted to private entities, these entities might be burdened with important responsibilities that are normally on the shoulders of democratically elected representatives. When this is the case, clear provisions regarding accountability are crucial to the legitimacy of these quasi-governmental organisations to perform these tasks (Rosenau, 1999: p. 19). It is important that questions regarding accountability are properly addressed during the design phase of a public-private partnership (Carr, 2016: p. 60).

2.3.2.4 Mitigation of risks

Fourth, Van Ham and Koppenjan (2001) describe several risk factors with which both partners of the public-private partnership can be concerned. For public partners, an important risk is that the private partner can gain dominance over the project, because it has the upper hand in expertise. Furthermore, there is the financial risk of public capital ending up in a private company and the risk of discontinuity, involving the withdrawal of the private partner due to strategy change or bankruptcy (van Ham & Koppenjan, 2001: p. 600). Next to risks for the public partners, there are also risks for private partners. An insufficient cash flow and the costs of a long-term investment are two of those. Moreover, uncertainty of transaction costs plays a role. The government is a volatile partner, which means changes in strategies, agreements or conditions of the PPP, due to the electoral cycle, are not uncommon. This can lead to a different view on public-private partnerships and a possible termination of these projects. Furthermore, there is administrative uncertainty: will the bureaucratic government be able to manage the administration of the project in a timely manner? Lastly there is social uncertainty, which private partners of a PPP should take into account. Public projects are more visible and open for scrutiny by the public than private ones. Hence PPPs are more susceptible to public opinion and even protest (van Ham & Koppenjan, 2001: p. 601). According to the authors, risk management and risk mitigation are very important in the successful functioning of public-private partnerships and can be done by making agreements between the partners upfront, about how risks will be divided and dealt with.

2.3.2.5 Effective (administrative) management

Lastly, Carr (2016) and Van Ham and Koppenjan (2001) talk about the effective (administrative) management of the project as being an important factor for public-private partnerships. This entails for instance a clear structure for meetings, installing a secretary and making sure meeting reports are being made and sent to the participants. This “back-office” function within the public-private partnerships is expected to be directly important to the working of the public-private partnership, and therefore also to the eventual effectiveness of the partnership. The governmental actors have an important role in this. Dunn-Cavelty and Suter (2009: p. 180) explain that when governing critical infrastructure, the governmental actors should take a role based on governing networks and selecting the right instruments to motivate these networks to protect critical infrastructures together. Instead, governmental roles in PPPs are still mostly based on close supervision and immediate control (Dunn-Cavelty & Suter, 2009: p. 180).

| Critical Success Factors (CSF) | Definition | Source |
| --- | --- | --- |
| Alignment of interests | Due to their background and nature, public and private parties that cooperate might have different interests. Aligning these interests is important for the effective functioning of PPPs in cybersecurity. | Carr (2016); Dunn-Cavelty & Suter (2009); Rosenau (1999); Doloi & Mai (2010) |
| Effective information-sharing | Information-sharing is one of the key features in PPPs, in particular in cybersecurity. For the effective functioning of these PPPs it is therefore important that problems regarding information-sharing are avoided or solved. | Dunn-Cavelty & Suter (1999) |
| Clear distribution of responsibility and accountability | PPPs might undermine basic democratic legitimacy, because private partners are burdened with public tasks. To guarantee legitimacy, and indirectly an effective functioning of these PPPs, agreed upon responsibilities and accountability are needed. | Van Ham & Koppenjan (2001); Hodge & Greve (2007); Rosenau (1999); Carr (2016) |
| Mitigation of risks | In PPPs, both public and private partners face certain risks. Agreements on the division of these risks and how to approach these (mitigation) will promote the effectiveness of the PPP. | Van Ham & Koppenjan (2001) |
| Effective (administrative) management | In a public-private partnership, the (administrative) management is important in facilitating the partnership and its smooth functioning. Therefore it is of importance for the effectiveness of it. | Carr (2016); Van Ham & Koppenjan (2001) |

2.3.4 Effective PPPs in critical infrastructure cybersecurity a utopia?

After having determined the key elements for a successful public-private partnership, Carr (2016) has applied this to the reality of PPPs in the United States and the United Kingdom. She concludes that although there is a deeply entrenched perception that there should be far-reaching cooperation between the public and private sector regarding cybersecurity, this is not the case (Carr, 2016: p. 61). Private actors are in fact showing reluctance to accept responsibility and liability for national cybersecurity. For them, the cost-benefit analysis framework approach to cybersecurity is superior to the ‘public good’ framework approach (Carr, 2016: p. 62). She also found that PPPs were continuously referred to in strategy documents, while clear agreements on roles, tasks and responsibilities were never specified. Based on her research, she concluded that the PPPs within cybersecurity in the US and UK are dysfunctional partnerships.

Carr (2016: p. 62) then finalizes by proposing four solutions to the ill functioning of these PPPs:

1. The weaknesses of the public-private partnerships must be made visible and acknowledged to be able to address them.

2. Because the term ‘partnership’ brings some obligations regarding the cooperation, such as shared interests and accountability, she suggests to talk about ‘relationship’ instead.

3. We should fundamentally rethink how cyber security fits within the national security framework. It might be more appropriate to develop a cyber-resilience strategy instead of a cyber-security strategy.

4. It would be beneficial to examine how states with either full control over critical infrastructure or more control over their private sector are dealing with similar issues concerning cybersecurity.


2.4 Conceptual model

This research investigates whether the problems with public-private partnerships in cybersecurity, as Carr (2016) describes, also exist in the Netherlands. This will be done by investigating the influence that the aforementioned critical success factors (CSFs) have on the effectiveness of the public-private partnership.

The aforementioned expected relationships are presented in the following conceptual model:

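[Figure: conceptual model. Five factors each point to ‘Effective public-private partnership’ with a positive expected relationship: Alignment of interests (H1, +), Effective information-sharing (H2, +), Clear distribution of responsibility and accountability (H3, +), Mitigation of risks (H4, +) and Effective (administrative) management (H5, +).]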

3 Methodology

Thus far, the theoretical framework has introduced the central concepts of this research: effectiveness of public-private partnerships within cybersecurity and the five independent variables (the CSFs) that potentially influence this dependent variable. This chapter will focus on the underlying methodological approach to this research. First, hypotheses will be presented that are derived from the conceptual model, displayed in paragraph 2.4, after which the concepts in the conceptual model will be operationalised. Subsequently, the research design will be elaborated on, and the methods of data collection will be explained, as well as the unit of analysis. Finally, this chapter will touch upon validity and reliability.

3.1 Hypotheses

From the conceptual model in paragraph 2.4, which visualises the results of the literature review on possible determinants of effective public-private partnership, one can derive 5 hypotheses. When investigating causal relationships between two or more concepts, hypotheses are most commonly used. Hypotheses allow the researcher to prove or disprove the potential relationship between the various concepts, by testing them (Matthews & Ross, 2010: p. 58). The potential causal relationships these hypotheses represent are indicated in the conceptual model as H1 to H5. The hypotheses are the following:

H1: More alignment of interest between the partners will result in a higher effectiveness of the public-private partnership.

H2: More effective information-sharing between the partners will result in a higher effectiveness of the public-private partnership.

H3: A clear distribution of responsibility and accountability between the partners will result in a higher effectiveness of the public-private partnership.

H4: Effective risk mitigation between the partners will result in a higher effectiveness of the public-private partnership.

H5: Effective (administrative) management of the partnership will result in a higher effectiveness of the public-private partnership.

All the potential causal relationships are positive relationships, meaning that a higher degree or value of the independent variable will lead to a higher value/degree of the dependent variable.

3.2 Research design

For this research the choice has been made to conduct a case-study. According to Yin (2003), a case study design is the most preferred research design when the research meets the following criteria: “[…] when ‘how’ and ‘why’ questions are being posed, when the investigator has little control over events and when the focus is on a contemporary phenomenon within some real-life context” (p. 1). This research meets these requirements.¹ To be more specific, this research consists of a single case-study. A (single) case-study design allows the researcher to obtain in-depth knowledge concerning one specific case. The subject of analysis can be an organisation, country or even a company, but the research always focuses on one specific aspect of the case, as presented in the main research question (Matthews & Ross, 2010: p. 128). In this research, this entails the causal relationship between five independent factors and the dependent variable, within public-private partnerships in the cyber domain, located in the Netherlands. As these public-private partnerships in the Netherlands are limited in number, and a specific aspect of these organisations is investigated, a single case-study design is the best choice possible.

3.3 Case selection

The case selection, or unit of analysis, will make clear what the case study is specifically focussing on (Berg & Lune, 2012: p. 388). This research will focus on a specific type of public-private partnership within cyber security, namely Information Sharing and Analysis Centres (ISACs). The next section will give a brief introduction to the background and workings of this type of PPP.

In the year 1998, American President Bill Clinton called for the establishment of specific public-private partnerships, namely Information Sharing and Analysis Centres (ISACs). He did this based on the results of the research by the President’s Commission On Critical Infrastructure Protection (Dunn-Cavelty & Suter, 2009: p. 180). According to him, these ISACs should be established and maintained voluntarily, by various sectors themselves. The concept of these ISACs is copied on an international scale, and is therefore also introduced in the Netherlands.

¹ Every research question that investigates a causal relationship between two or more concepts is a question that can be categorised as a ‘why’ or ‘how’ question, because you can ask: “why/how has the dependent variable a certain value?”

Information Sharing and Analysis Centres, or ISACs, are networks of actors within a certain sector, where cybersecurity plays an important role. The ISACs are set up to facilitate the sharing of information concerning cybersecurity and successful or unsuccessful attempts to breach this security (Gal-Or & Ghose, 2005: p. 187). Moreover, the ISACs are meant to share best practices between actors that are positioned in the same sector (Dunn-Cavelty & Suter, 2009: p. 181). The ISACs in the Netherlands are also established in this way, as they are networks of participants that play a pivotal role in their organisations in the area of IT, information security or cyber policy (NCSC, 2017). They are relatively independently operated institutions that can decide for themselves how often they meet (ranging from two times to eight times per year). Within the Netherlands, the following sectors have their own ISAC: Ports, Airports, Financial Institutions, Water Management, Multinationals, Telecom, Nuclear, Healthcare, Energy, Drinking Water, Managed Service Provider (MSP), Insurance and the National Government and Pensions. A number of ISACs are also being developed at this moment. A new ISAC can be initiated by the National Cyber Security Centre (NCSC) or by the sector itself. Next to the NCSC, the General Intelligence and Security Service of the Netherlands (AIVD) and Team High Tech Crime of the National Police (THTC) are also involved in the ISACs. All the chairmen of the individual ISACs meet a few times per year to discuss overarching topics that concern all the ISACs (NCSC, 2017). These ISACs are examples of public-private partnerships in the Netherlands, including actors from critical infrastructures and the government, with the goal to make these sectors, and the Netherlands as a whole, more resilient against cyber threats.

3.4 Data collection methods

Initially, an attempt was made to base data collection on a mixed methods strategy, combining qualitative and quantitative data as groundwork for the analysis. The decision to attempt this was made based on the arguments that 1) the researcher could relatively easily contact experts that are involved in ISACs, making expert interviews easy to plan, and 2) this research investigates the causal relationship between a dependent and five independent variables, which makes it very appropriate for a statistical analysis based on a survey questionnaire filled out by people involved in the ISACs. However, the NCSC (coordinating organisation of the ISACs in the Netherlands) was not able to cooperate in sending out a survey questionnaire. Their cooperation was needed because the individual members of the ISAC cannot be contacted on one’s own initiative, because their participation is confidential. The NCSC decided not to cooperate because they did not find it appropriate to send a survey questionnaire for a thesis research to the ISAC participants in their name. Because of this, data collection is limited to qualitative methods.

To gather data concerning the variables of this research, and more importantly, the relation between those variables, the empirical part of this research is comprised of expert interviews. To ensure triangulation of methods, which is necessary for qualitative research (Verschuuren & Doorewaard, 2007: p. 185), the interviews were supposed to have been supplemented by a document study. That way, the researcher can be sure that the research findings are not affected by the way the data was collected or the type of data (Matthews & Ross, 2010: p. 53). Expert interviews are very appropriate for this research, because potential causal relationships between factors within a very small and specific unit of analysis are investigated. Interviews with experts that are involved with these public-private partnerships allow the researcher to extract important information, experiences and opinions that give an indication about the potential relations (Matthews & Ross, 2010: p. 219). To make sure all the relevant data for the research is gathered while still giving the respondents room to answer the questions or discuss the topics in their own way, the interviews are semi-structured. This means that all the interviews follow a certain structure of topics or questions, but also allow a differently structured conversation on the topics if that is relevant for that specific interview (Matthews & Ross, 2010: p. 221). The standardised list of topics/questions that is used in the interviews can be found in appendix 2. All the interviews were recorded, transcribed and coded, after which the collected data was checked with the respondents to ensure no confidential or sensitive information was unintentionally disclosed during the interviews. As indicated above, a document study on the effectiveness of the ISACs was supposed to complement the interviews. Documents are “written records about people and things that are generated through the process of living” (Matthews & Ross, 2010: p. 277). They exist in many forms, such as reports, policy documents, but also news items, personal information and audio/visual material (ibid.). Unfortunately, during the empirical study, it became clear that there are no written records available about the ISACs in the Netherlands. There are no performance/effectiveness assessments and the ISAC meeting notes are strictly confidential due to the secrecy of the content of the meetings. This made a document analysis impossible. Therefore, this study relies first and foremost on the expert interviews that have been conducted. To make sure these interviews were as useful and representative as possible, they have been conducted with people representing both the private and the public sector as well as 5 different ISACs in total. Moreover, they are very detailed and extremely in-depth. All interviews lasted between 45 minutes and one hour. Despite minor differences, much of the interview data was comparable. More interviews next to the ones that have been conducted would expectedly not have resulted in new and different data and insights. Furthermore, due to the very specific focus of this research, the group of (available) experts is rather small. Considering the above, as well as the time and effort it took to plan, conduct, transcribe, code and process the interviews, the choice has been made not to conduct additional interviews on top of the eight that have been conducted.

To make sure the data is analysed in a well-structured way, the researcher has used coding to mark important chunks of data, and relate them to the specific research topics. Colour codes have been used to separate the data that relates to each of the independent variables. Consequently, a combination of the first letter of that colour and a number has been used to indicate a piece of text or part of an interview that mentions the relation between that specific variable and the dependent variable (for instance: R1).

3.5 Operationalization of concepts

To be able to measure the main research concepts and code them correctly, the concepts from the conceptual model need to be operationalised.

As mentioned in the theoretical framework, effectiveness can be measured on three different levels, or dimensions: output, outcome and impact effectiveness. This research strongly focuses on the output effectiveness of the public-private partnerships. This is because this research investigates the influence that the various factors (independent variables) have on the activities of the PPP itself, and not on the effects that (participation within) the PPP might have on respectively behavioural/procedural changes at the individual participants, or the solving of the underlying problem in a broader frame. Moreover, as explained in the theoretical framework, the effectiveness of a regime, or partnership, should always be seen in the light of its function. It is less relevant to look at the effectiveness of PPPs in cybersecurity in the sense of policy implementation, since this is not something the ISACs are meant to do. Therefore, the indicators for the effectiveness of cyber PPPs (ISACs in particular) are directly derived from the goals with which the ISACs have been set up (acquired from the literature on ISACs and the NCSC website). Nevertheless, outcome and impact effectiveness are not neglected. Even though the main focus is on outcome effectiveness, empirical data on the other two types of effectiveness will also be taken into account and analysed.

The indicators for the five independent variables are presented as possible problems/barriers to the effectiveness of the PPP, and each can be defined as a problem related to one of the five independent variables.

Concept: Effectiveness of the PPP

Operational definition: The output effectiveness entails the direct activities of the partnership, that are based on the self-commitment of the participants within the PPP.
Indicators:
• Sharing of information on security disruptions (Dunn-Cavelty & Suter, 2009)
• Sharing of knowledge and best-practices (Dunn-Cavelty & Suter, 2009; NCSC, 2017)
• Sharing analyses about situational awareness in particular sectors (NCSC, 2017)
Data sources: Expert interviews

Operational definition: The outcome effectiveness consists of second-tier behavioural changes at the member organisations of the PPP.
Indicators:
• Action/behaviour in the organisations that would not have been done without the PPP (Young, 1994)
• National/international political/public debate because of the PPP and its activities (Beisheim & Campe, 2012)
Data sources: Expert interviews

Operational definition: The impact effectiveness is the long-term contribution of the PPP and its activities to the broad underlying problem.
Indicators:
• The PPP and its activities have made the Netherlands more cyber secure (Wolf, 2010)
Data sources: Expert interviews

Concept: Alignment of interest

Operational definition: The extent to which the interests of the different partners within the PPP are adjusted to one another.
Indicators:
• Public good supersedes profitability (Carr, 2016)
• No sustainable public interest (electoral support) (Stiglitz & Wallstein, 1999)
• State actor not handling private information confidentially (Dunn-Cavelty & Suter, 2009)
Data sources: Expert interviews

Concept: Effective information-sharing

Operational definition: Information is shared between the participants of the PPP without any problems and obstacles.
Indicators:
• Technical malfunction or cyber threat/attack (Carr, 2016)
• Corporate disadvantage due to exposure vulnerabilities (Carr, 2016; Rosenau, 1999)
• Confidentiality of information (Carr, 2016)
• Thorough checking hinders fast sharing (Carr, 2016)
Data sources: Expert interviews

Concept: Clear distribution of responsibility and accountability

Operational definition: Responsibility and accountability are clearly distributed among the participants of the partnerships and agreements concerning
Indicators:
• Private parties are reluctant due to public scrutiny (Van Ham & Koppenjan, 2001)
• Public parties are reluctant to take responsibility for stronger cyber security
Data sources: Expert interviews
