When formality meets informality: Examining accountability in the partnerships between the Dutch telecom sector and the Dutch government on cybersecurity

(1)

10-6-2018

When formality

meets informality

Examining accountability in the

partnerships between the Dutch

telecom sector and the Dutch

government on cybersecurity

Student name: Steven van der Plas

Student number: 1508024

First reader: Dr. J. Reijling

Second reader: Dr. J. Matthys

Course: Masterthesis 2017-2018

Word count: 27245

(2)

1

4.1.2.1 The Telecom Information Security Analysis Centre (ISAC) 34 4.1.2.2 The Incident Response Board (IRB) 35 ` 4.1.2.3 The Operational Incident Response Team Meeting (O-IRT-O) 35 4.1.3 The ministry of Economic Affairs and Climate Policy (EACP) 36 4.1.3.1 The National Continuity Counsel – Telecom (NCO-T) 36 ` 4.1.3.2 The Dutch Telecom Agency (AT) 37

4.1.4 Sub-conclusion: Introducing the network of public-private partnerships 39 4.2 Assessing accountability and effective cooperation in the observed network of public-private partnerships 40 4.2.1 Division of risks 40 4.2.2 Division of costs and benefits 42

4.2.3 Addressing social and political impacts 44 4.2.4 Division of expertise 46

4.2.5 Partnership collaboration and trust 48

4.2.6 Performance measurement 50

4.2.7 Sub-conclusion: Explaining accountability in the observed network 52

4.3 Establishing the link between accountability mechanisms and partnership effectiveness 53

4.3.1 Sub-conclusion: Partnership effectiveness in the observed network 53

4.3.2 Conclusion: Partnership effectiveness through accountability 55

5. Reflection 58

5.1 Implications of the analysis 58

5.2 Generalization and limits 59

5.3 Future research and developments 61

Bibliography 62

Appendix: coding schemes interviews 67

(4)

3

Acknowledgements

In the process of writing the thesis and doing research, I was helped by a group of extremely kind and talented people. Without their support and contributions, this thesis would not be able to exist in its current form. First, I would like to thank the respondents of the interviews I conducted, which form the backbone of the later parts of the thesis. Koen van Rhee and Franck Jansen of KPN, I am grateful for the clear answers you have given me and for connecting me to other respondents. Maarten van Kesteren of Economic Affairs, thank you for a very insightful interview on the larger picture of the situation within the telecom market and the latest developments on cybersecurity. I would also like to thank Piet Voesten of VodafoneZiggo for the quick responses and for broadening my understanding on the perspective of the private sector. Arco van Emous and Jasper Nagtegaal of Agentschap Telecom, your clear, detailed answers to my questions and the context you gave me on the role of the government in the partnerships have tremendously helped my thesis. Finally, I would like to thank the organisation of the NCSC for their willingness to help my research despite the sensitive subject matter and for the interview on the role of the NCSC in the observed network. All of you went out of your way to give me the data I needed for my analysis and provided me with extremely useful information on the network I analysed. Many thanks also to my supervisor, Dr. Jaap Reijling, and the second reader of this thesis, Dr. Joery Matthys. Your advice and guidance have helped made this thesis to what it is today in terms of quality and quantity. Your directions and remarks kept the project on the right track. I would also like to thank my parents and my sister for their constant support during the last months and for their wise words when I felt overwhelmed by the project. Lastly, I would like to thank my dear friends Rick and Bob for their advice and corrective work in the final stages of the thesis.

(5)

4

List of abbreviations

AT = Agentschap Telecom (Dutch Telecom Agency) CERT = Computer Emergency Response Team

CSW = Cybersecuritywet (European Cybersecurity Law) DCB = Dutch Continuity Board

DDOS = Distributed Denial Of Service EACP = Economic Affairs & Climate Policy ISAC = Information Security & Analysis Centre IRB = Incident Response Board

NCO-T = National Continuity Counsel – Telecom NCSC = National Cyber Security Centre

O-IRT-O = Operationeel Incident Response Team Overleg (Operational Incident Response Team Meeting)

TLP = Traffic Light Protocol

WGMC = Wet Gegevensbescherming & Meldplicht Cybersecurity (Data protection & duty to report cybersecurity act)

(6)

5

Abstract

Public-private partnerships have become an increasingly popular framework to utilize the strengths of the public and private sectors in policy making and implementation. In the field of cybersecurity, these public-private partnerships are also attracting popularity among governments because of the nature of the policy field. These partnerships mainly rely on information sharing between governments and private companies. The question arises if the accountability mechanisms in these new partnerships are different from the aspects mentioned in the current literature on public-private partnerships in terms of their importance and the relation to partnership success. This question is answered by applying Forrer et al. (2010)’s model of assessing accountability in public-private partnerships to the case of the partnership network between the Dutch telecom sector and the Dutch government on cybersecurity. The knowledge gap is addressed by analysing official documents from the partners and by interviewing government officials and telecom sector employees directly involved in the partnership network. The main finding is that partnership collaboration and trust are the main aspects that explain the effectiveness of the network. The accountability aspects from Forrer et al. (2010)’s model are also present in the observed network. However, these aspects vary greatly in importance and in their relation to partnership effectiveness, emphasizing the uniqueness of public-private partnerships based on information sharing.

(7)

6

1 – Introduction

The introductory chapter will revolve around the observed problem and its context. From this problem, a certain knowledge gap will be formulated, which will result in the research question. Furthermore, the social and scientific relevance of the subject will also be highlighted, signifying the importance of answering the research question.

.

1.1 – Problem introduction and context

For the last decade, coordination between the public and private sectors has become a widespread phenomenon in the developed world. These so called public-private partnerships can be extremely useful, even though the private and public sectors are different worlds based on different sets of principles. The public sector mainly operates to benefit the public and has the responsibility to serve societal interests. The private sector is governed by principles such as efficiency, costs and benefits. Organizations in the private sector aim to maximize profit and answer to shareholders. Even though these sectors work in completely different ways, coordination still occurs regularly and is regarded as very useful (Carr, 2016). Combining methods from different sectors and by sharing information, a comprehensive approach can be developed between the two sectors. Public-private partnerships are also important in policy areas where certain problems can only be tackled by a joint approach that requires combined efforts from both sectors. The field of cybersecurity is the perfect example of such a policy area where public-private partnerships are essential. The public sector has the responsibility to protect critical infrastructure from cyber-attacks, because a successful attack would be detrimental for the whole of society. The complicating factor is that critical infrastructure is regularly owned by the private sector. This makes coordination between both sectors inevitable, as they both have an interest in defending privately owned critical infrastructure.

A glaring problem with these coordinating frameworks between the public and private sectors is that the interests of these sectors do not always align completely. The public sector’s responsibility towards society takes form in the multiple accountability mechanisms it possesses. The private sector lacks these public accountability structures. This results in the public sector attempting to hold the private sector accountable for protecting its own critical infrastructure, even when this is not profitable or reasonably feasible. The private sector avoids

(8)

7

these responsibilities if it deviates from their core principles. This means that the public sector has to create these accountability mechanisms for the private sector through regulations and incentives when engaging in public-private partnerships. The absence of these accountability structures will potentially affect the effectiveness of the partnership, as there are no guarantees that the parties work together in any way outside of their formal roles. The Netherlands is a prime example of a country that engages in coordination between public and private sectors in the field of cyber-security, especially within several critical sectors such as telecommunication, energy and financial sectors (Clark et al., 2014). The telecom sector is especially relevant in this regard, as it is completely privatized and because of the high competition between major companies. However, the vital nature of the sector means that the government and the sector itself both have interests in guaranteeing continuity of telecom services. The Dutch strategy on engaging in public-private partnerships within cybersecurity distinguishes itself through its egalitarian model in which the networks are regulated by the participants themselves instead of a lead-organization or an administrative entity (Boeke, 2017). While this sort of model allows the private sector to enjoy relatively more freedom, it also leaves room for possible accountability problems to exist. The literature on public-private partnerships also has conceptions on how accountability works and how this can be assessed within these coordination frameworks, but the question arises if the egalitarian model of the Netherlands also acts the way the literature predicts or if these theories need adjusting.

1.2 – Knowledge gap and research question

Public-private partnerships form an integral part of the Dutch cybersecurity strategy. In several vital sectors, privately owned infrastructure is secured extensively through the cooperation between the public and private sectors. Even though these coordinating frameworks can be extremely useful, they ultimately rely on accountability structures to function properly. However, this relationship between accountability and partnership effectiveness has not been fully explored in partnerships that rely on information sharing in the field of cybersecurity. Through such a partnership, the private sector has to take on responsibilities that are essentially the public sector’s. This public-private partnership approach to cybersecurity is one of the most important aspects of the Dutch cybersecurity strategy. This is exemplified in the Dutch cybersecurity agenda 2018, where a public-private approach to cybersecurity is described as one of the main factors that will lead to more cyber-resilience in the Netherlands. Furthermore, minister of Justice and Security Ferdinand Grapperhaus stated in the document that

(9)

8

“Governmental parties and private organisations in the Netherlands have to cooperate in an

integral approach to cybersecurity”1_{. Considering the importance of these partnerships, it is}

vital that assumptions in the literature on accountability within these partnerships are tested. Forrer et al. (2010) developed a public-private partnership accountability framework that is mainly based on studies of collaboration between government and companies on the American transportation infrastructure sector. In this framework, Forrer distinguishes between six accountability dimensions and links this to the effectiveness of public-private partnerships. However, there are indications that accountability from a public-private partnership on cybersecurity behaves differently from the predictions of Forrer et al. (2010)’s model, because there is expected to be more emphasis on information sharing and the overall cybersecurity performance of the parties. Testing Forrer et al. (2010)’s accountability model on this case will provide clarity on this issue while also potentially offering insights on the relation between different accountability structures and how they influence the effectiveness of such partnerships. This generates the following research question:

“What are the accountability arrangements of the network of public-private partnerships between Dutch telecom companies and participating Dutch governmental organizations on cybersecurity performance and to what extent do these arrangements strengthen the perceived effectiveness of these partnerships?”

1.3 – Societal relevance

The subject is highly relevant as public-private partnerships are essential to the cybersecurity of the whole Dutch society. A successful attack on one of the critical sectors can have devastating consequences. Communication across the entire country could be destabilized, Dutch energy security could be compromised, or severe economic damage could be sustained. According to the National Cyber Security Centre (NCSC), public-private partnerships in these sectors are essential and form the basis of creating cyber-resilience within these sectors. Public-private partnerships are used to combat traditional and non-traditional security threats in the

1_{Translated from: “Overheidspartijen en}

private organisaties in Nederland moeten goed samenwerken aan een integrale aanpak van cybersecurity” (NCSC, 2018h, 5)

(10)

9

Netherlands. Immediate threats can be addressed through a joint crisis response framework, which also relies heavily on public-private interactions. Long term goals can be realized through information sharing, threat reports, recommendations and regulations. The problem is that even though these partnerships form the basis of Dutch cybersecurity resilience, problems may arise if the public sector gives over authority and responsibility to the private sector when it does not have the right accountability structures in place. Another potential issue is that laws on cybersecurity are generic in emphasizing the responsibilities of the telecom sector and the state. If the participating parties do not create a clear indication of accountability and responsibility, an accountability problem will rise between the parties that form the partnership. If these responsibilities are not taken up by the right parties in the right circumstances, it will affect the success entire Dutch approach to building cyber-resilience. If these partnerships define the Dutch national cybersecurity strategy in such an important way, then it would be beneficial for Dutch national cybersecurity to know more about these kinds of cooperation frameworks, what its weaknesses are, how responsibilities are divided and how each party is held accountable for their role in guaranteeing service continuity by defending against cyberthreats.

1.4 – Scientific relevance

The academic relevance of the subject of public-private partnerships in cybersecurity has been highlighted in the past decade. More research has been conducted on public-private partnerships, which has led to the creation of theories on the assessment of accountability within these partnerships. However, most of these theories have not been tested on real cases of public-private partnerships. It is the aim of this research to test certain assumptions on public-public-private partnerships by applying Forrer et al. (2010)’s model of accountability assessment to the case of the partnership between the Dutch government and telecom companies on cybersecurity performance. Do these assumptions on accountability that come forward in the literature and Forrer et al. (2010)’s model explain the accountability mechanisms in the case correctly or are there different aspects of accountability that come up from observations? There are also assumptions in the current academic literature on accountability within public-private partnerships about accountability within public-private partnerships that also need to be tested, because these theories have not been tested on practical cases. Forrer et al. (2010)’s model to assess accountability within public-private partnerships embodies these assumptions in the literature through its six dimensions of accountability. By testing this model on a public-private partnership on cybersecurity performance that relies mainly on information sharing, this model

(11)

10

can be evaluated by comparing its notions of accountability sources with the observations of this research. By looking at one of the critical sectors the Dutch public sector works together with, the accountability structures can be described in-depth and explained, which will lead to reflection of these assumptions made by the literature. There is also the fact that a public-private partnership that focusses on improving cybersecurity performance instead of a joint project with a clear end goal. The importance of accountability in such partnerships is highlighted in the literature. For example, Carr (2016, 44) notes that a public-private partnership does not just abdicate authority but also responsibility for national securityto the private sector. Carr (2016, 44) also mentions that public-private partnerships in national security contexts are deeply flawed and that unless certain problems are correctly addressed, the public-private partnership will not be an effective tool for ensuring national security. This sentiment is shared by Dunn Cavelty and Suter (2009, 181), who note that public-private partnerships are only successful if interests between the parties align, even though this is often not the case. In light of these problems, this research aims to test Forrer et al. (2010)’s model of accountability assessment . Furthermore, the focus of the research is on the accountability problem in practice from the beginning while other research focusses on the problem as part of a general discussion on what the problems with public-private partnerships are.

(12)

11

2 – Theoretical framework

A theoretical framework is necessary to define important concepts, to present theories that are relevant for the research and to shape expectations. Findings from the literature will provide the basis for the analysis in the form of a body of knowledge. The framework will have to contain concepts of public-private partnerships, cybersecurity and accountability on performance. This way, the theoretical role of accountability within public-private partnerships will be analysed as a basis for the analysis in the later chapters.

2.1 – Defining public-private partnerships

Although the literature on public-private partnership has grown extensively over the last decade, there is still contention among scholars on what the term “public-private partnership” entails. This means that there is no strict definition and that the term is distinctly muddled. Assaf (2009, 67) uses a broad definition of public-private partnerships that defines them as any compromise between the public and private sector that lets activities that are normally done by the public sector be performed by the private sector. This definition is problematic, as it leaves almost no distinction between public-private partnerships and privatization (Hodge & Greve, 2007, 547-548). Wettenhall (2003, 90) elaborates on this distinction by defining two arrangements between the public and private sector. The first one is a horizontal partnership that is defined by equality between the partners and the second one is essentially vertical and based on hierarchy. Wettenhall (2003, 90) argues that only horizontal partnerships can be true partnerships in order for the term to distinguish itself from simple privatization. Elsig and Almaric (2008, 390) further develop this distinction by noting that public-private partnerships in the narrow sense are based on co-regulation between the private sector and the state. Cooperation and equality between the parties are thus essential to defining public-private partnerships and distinguishing it from privatization (Andersson & Malm, 2006, 180-184 ; Brinkerhoff & Brinkerhoff, 2011, 3). Acknowledging this distinction, Forrer et al. (2010, 476) developed the following definition:

“Public–private partnerships are ongoing agreements between government and private sector organizations in which the private organization participates in the decision-making and production of a public good or service that has traditionally been provided by the

(13)

12

public sector and in which the private sector shares the risk of that production. (Forrer et al., 2010, 476)”

This definition will be adopted by this research, as it includes the cooperating element that defines public-private partnerships. It emphasises a cooperating role in production and decision-making between both sectors and therefore distinguishes the term from contracting or privatisation. Furthermore, public-private partnerships bring with it a certain risk for the private sector, as it helps producing a good or service that is otherwise provided by the public sector (Linder, 1999, 45-46). The character of the public-private partnership is further defined by its goals and success requirements. Kouwenhoven (1993, 126) defines the success conditions of public-private partnerships as the unambiguity of objectives and strategy and the existence of a clear division of costs, risks, returns, responsibilities and authorities (Reijniers, 1994, 140-142). A degree of trust is also required, as well as pre-existing interdependence of actors and goals. Furthermore, contractual arrangements and clear precautions against abuse are necessary (Dunn-Cavelty & Suter, 2009, 180 ; Maughan, 2010, 90).

2.2 – Accountability and partnership effectiveness

The concept of accountability is seen as a major condition for partnership success in the literature. This link has already been established in the adopted definition of Forrer et al. (2010, 476) of the public-private partnership, because this definition emphasizes the participation and co-decision making by the private sector. Public-private partnerships are distinguished in these ways from forms of outsourcing or contracting, because the private sector ultimately has responsibilities in this framework. Despite this, the public sector still has to adopt a lead role in the partnership, because there are public interests at stake. This makes the presence of public accountability in such a partnership a necessity, because there have to be ways for the public to hold the partners accountable for the end product or service.

In addition to a certain degree of accountability being necessary for the functioning of public-private partnerships, accountability aspects can directly contribute to the success of these coordinating frameworks. Partnership success is closely influenced by important accountability factors, such as communication and acknowledged interdependence between the parties.

(14)

13

Rosenau (1999, 16) further elaborates on the need for public accountability, stating that public-private partnerships deal with public interest and potentially vulnerable population groups. Furthermore, it is the role of the public sector to ensure quality performance when it comes to equity, access and democracy. This relates closely to the need for communication between the partners regarding the consequences of the partnership and which party is responsible. If these mechanisms are not present, there is a risk that the partnership causes unforeseen negative impacts. Rosenau (1999, 15-16) identifies this absence of accountability structures as one of the main weaknesses of the public-private partnership. While these frameworks increase short-term efficiency and reduce costs, the long-short-term benefits are much more difficult to assess. Furthermore, it is vital that responsibility for potential negative impacts are addressed by the partners (Rosenau, 1999, 26-27). This is also emphasized by Kouwenhoven (1993, 126), whose definition of partnership success solely rests on the unambiguity of important details concerning the responsibilities of the participating organizations and private sector companies. Accountability within public-private partnership is related to the notion of clear communication between all parties

2.3 – Public-private partnerships and national cybersecurity

In the field of cybersecurity, the public-private partnership is essential in the national cybersecurity strategies of most countries. For many of these partnerships, this has been in the context of critical infrastructure protection (Carr, 2016, 45 ; Maughan, 2010, 29-31). The public-private partnership is so important in this context, because much of this infrastructure is owned by the private sector, but the government has the responsibility to protect this infrastructure (Dunn-Cavelty & Suter, 2009, 179). According to Dunn-Cavelty & Suter (2009, 179-180), this creates negative consequences for the public sector, which has to deal with the negative aspects of privatization and liberalization. The governments role in coordinating these self-governing networks has been more about coordination and selecting instruments instead of close supervision and immediate control (Dunn-Cavelty & Suter, 2009, 180). Carr (2016, 44) has noted that there is a discrepancy between the expectations of the partners in public-private partnerships within the field of cybersecurity in terms of roles, authority and accountability. This is an important problem, as the functioning of public-private partnerships in this field directly affects national security (Carr, 2016, 44). Carr (2016, 50) defines cybersecurity as an ambiguous term, as the term in its most basic sense encompasses the protection from digital attacks. The question arises who is being protected. The state, the individual or infrastructure

(15)

14

are overlapping referent objects in this case. Furthermore, the means of providing cybersecurity are also important in the context of a public-private partnership. More importantly, in describing the difficulties of creating an effective public-private partnership within the field of cybersecurity, Carr (2016, 54) touches upon wider accountability problems with these arrangements.

2.4 – Network governance theory

Some core aspects of public-private partnerships described by Forrer et al. (2010) also return in network governance theory (Provan & Kenis, 2007, 242). According to this theory, networks are comprised of individual organizations and are thus cooperative in nature (Provan & Kenis, 2007, 242). The aim of his theory is to develop a general framework for organizational networks and to discuss the potential variants, strengths and weaknesses of network governance. Networks can develop in three variants: participant-governed networks, lead organization-governed networks and through network administrative organizations (Provan & Kenis, 2007, 233-236). Participant-governed networks are especially relevant, because they are defined as networks that are governed by the members themselves without a distinct governance entity and share many characteristics with the discussed definition of public-private partnerships (Provan & Kenis, 2007, 233-236 ; Boeke, 2017). Shared governance networks are voluntary, have a high density of trust, have relatively few participants and have a high consensus of goals (Provan & Kenis, 2007, 237). Provan & Kenis (2007, 242-244) describe some issues with this form of network governance. Building trust through collaboration in a network tends to be time consuming and resource intensive, which undermines the efficiency of the process. Furthermore, the shared governance networks have high internal legitimacy between its members but is not necessarily compatible with external legitimacy (Provan & Kenis, 2007, 244). Finally, a shared governance network is highly flexible, but generally lacks formalized structures and the hierarchy to provide stability (Provan & Kenis, 2007, 245).

2.5 - Accountability aspects and problems within public-private partnerships

Public-private partnerships are a special case when it comes to accountability, as the public and private sector are coproducing an otherwise public good or service. The private sector has different accountability structures than the public sector, which makes the participation of the

(16)

15

private sector in producing and decision making in these contexts potentially problematic. Bovens (2005, 184) defines accountability in its most basic form: “A social relationship in

which an actor feels an obligation to explain and to justify his or her conduct to some significant other”. From this basic definition, accountability has evolved into a sign of good governance

in both sectors (Bovens, 2005, 183). Public accountability refers to accountability of the public sector to its citizens, which comes from several sources. Public accountability is necessary because it provides democratic control, integrity and because it helps improve performance. These three aspects provide the legitimacy that public governance needs (Bovens, 2005, 192-193). Bovens (2005, 196-200) also point out that there is a rise in horizontal accountability relationships of public accountability, which replace previously existent vertical accountability arrangements that have previously been the norm for public accountability structures (Bovens, 2005, 196-200). Because the private sector lacks this public accountability, problems arise (Rosenau, 1999, 19-20). Forrer et al. (2010)’s model emphasises six accountability elements within public-private partnerships that are also present in the literature, which will be further explained in the next section.

2.5.1 – Division of risks

A clear division of risks is an important characteristic mentioned in Forrer et al. (2010)’s model. Risks have to managed and addressed by the right parties in the partnership. This can only be done by developing clear roles and responsibilities for all actors involved. The public sector remains responsible for the good or service that is produced by the parties and is accountable publicly for the performance for the success of the partnership (Carr, 2016). The private sector carries mainly financial and reputational risks, as a possible failure means possible reputational damage and future loss of income. These risks will affect the goals, outcomes and other characteristics of the partnership. Therefore, there needs to be a risk assessment that is clear to all parties in order to identify the most important aspects of the partnership and to make sure that certain scenarios can be avoided. Forrer et al. (2010, 479-480) identifies correct risk allocation as a major success factor for the partnership. Furthermore, possibility to shift risk from the public to the private sector is one of the major reasons a public-private partnership is chosen as a way to provide goods or services (Forrer et al., 2010, 479-480). According to Forrer et al. (2010, 479), a public agency should also plan with the private sector to mitigate the impact of certain risks beyond their control. Each partnership encounters risks in different dimensions, which all must addressed by the partners in a cooperative analysis (Forrer et al. (2010, 480).

(17)

16

Risks can also arise in different stages of the public-private partnership. In the planning phase of a public-private partnership, the parties have to deal with political and financial risks, while operational risks are more prevalent in the operations phase of the public-private partnership.

2.5.2 – Division of costs and benefits

Another part of accountability within public-private partnerships in which problems can arise, is the division of costs and benefits. The private sector is essentially focussed on profit while the public sector is not. This can impact the goals and characteristics of the partnership, because these outcomes are the product of deliberation. Shaoul et al. (2012, 218) note that public-private partnerships come with several accountability and governance problems for the public sector that originate from the nature and structure of these partnerships. The first problem of public-private partnerships Shaoul et al. (2012, 218) mention are the involvement of public-private sector actors in project structuring and the effect of their risk-return calculations on the formulation of projects. If a project carries certain risk, private financiers will need certain guarantees when it comes to project formulation and implementation. Forrer et al. (2010, 480) expand on these ideas, stating that a cost-benefit analysis between all the parties allows for the determination of the costs, benefits, opportunity costs and whether a comparative advantage for entering the partnership exists. What is important, is that the potential costs and benefits are tied to the identified risks and the costs if the circumstances change. The identified risks directly impact the possible costs of the partnership. This means that the planning to mitigate risk impacts must include the financial costs. These contingency plans are extremely important, as it will ensure that the good or service the partnership produces is still delivered.

2.5.3 – Addressing social and political impacts

A public-private partnership also has effects on and is affected by the social and political dimensions. The outcomes of the partnership and its perceived success are instrumental in determining if the partnership is deemed effective and if it will receive political backing. If the partnership if not perceived as a success or if services do not meet expectations, its social and political backing might come under threat. It is therefore important that public and private sector organizations discuss the social and political impacts together and which partner is responsible for these impacts (Carr, 2016 ; Rosenau, 1999). These social and political impacts are also tied

(18)

17

to the risks and economic aspects of the partnership (Forrer et al., 2010, 480). For example, if a public-private partnership affects society by having a negative impact on the local environment as an unforeseen effect, the risks have not been identified correctly in the planning phase. The social and political impact of a public-private partnership should essentially be partly defined in the risk assessment and the cost-benefit calculation between the parties. Furthermore, social and political impacts are an aspect that is continuously important throughout the life of the partnership, as the circumstances and effect change.

2.5.4 – Division of expertise

Expertise is one of the most important aspects in public-private partnerships, as it partially defines the roles and responsibilities of the partners. In the majority of cases, the public sector enlists help from the private sector because it lacks a certain expertise or resources. The type of expertise required depends on the goals of the partnership (Forrer et al., 2010, 480). This means that this expertise is extremely loosely defined, as it can encompass virtually every resource, service or information the private sector has that the public sector might need. Expertise is important, as it is crucial to manage personnel with the relevant knowledge or skills in the partnership. Expertise can also lead to innovation within the participating organizations (Forrer et al., 2010, 480). Therefore, it is important for public organizations to define what kind of expertise is expected and which organization is responsible for what expertise. The expertise the public sector needs should be defined in the early stages of the partnership, as this is related to the expected risks, costs and the expected impacts. For example, expertise might be needed to deal with external effects, internal partnership issues or public relations. Identifying expertise thus relies completely on the previous aspects. In the operational phase of the partnership, both parties need to carefully monitor if expertise is used as efficient as possible (Forrer et al., 2010, 480-481).

2.5.5 - Partnership collaboration and trust

The nature of the relationships and the partners are also mentioned as a potential difficulty, as their relative power and organizational structures are different (Shaoul et al., 2012, 218). This creates a complex relationship that is based on the relative power of the partners. These power dynamics spill over in the day to day relationship between the partners. Trust is also emphasized

(19)

18

by Carr (2016, 58), who links this to the importance of knowledge sharing and how this ties in with the division of responsibility and the success of the partnership. This is especially relevant for public-private partnerships that are based on these information sharing principles, such as those based on cybersecurity performance. According to Forrer et al. (2010, 481), partnership collaboration is based on effective organizational leadership. Leaders determine the momentum of the partnership and hold those who miss deadlines accountable. This characteristic has to be strengthened by effective communication with all stakeholders. This has come up in the previously discussed accountability aspects as well, but effective communication is an on-going process that takes place in all stages of the partnership and is ultimately critical for its success. All the accountability aspects discussed are a product of deliberation between the parties, which means that effective communication is very important. Project managers also play an important role, as they oversee the collaboration and are responsible for reaching goals and meeting deadlines (Forrer et al., 2010, 481).

2.5.6 – Performance measurement

Problems of performance management and measurement can also possibly arise in the context of a public-private partnership, especially when there is a reliance on self-monitoring. There is the risk that the public sector does not have the skill or expertise to correctly evaluate private performance. When this happens, no organization is able to accept responsibility for poor performance and there is a disagreement on the performance standards, since the public organization is usually publicly responsible for the outcomes of the partnership (Shaoul et al., 2012, 218). Another problem that arises from being unable to evaluate and to measure performance is that organizational outputs are not able to be measured, which determine the success of the public-private partnerships. Having a single method between the partners to measure performance will improve the success of the partnership, as organizational outputs can be measured and compared between the organizations (Forrer et al., 2010, 480). This way, efficiency can be improved and problems can be identified and solved. These processes can be discussed in the planning phase of the public-private partnership, but in reality, performance measurement happens mostly during the operational phase. Performance measurement is the aspect that ensures all other parts of accountability during the operational phase of the public-private partnership. Without performance measurement, there is no guarantee that the parties carry out the agreed upon accountability aspects in the operational phase.

(20)

19

2.6 – A framework to assess accountability within public-private partnerships on cybersecurity performance

The discussion on the literature above has yielded a clear definition of the term public-private partnership and mentioned several key characteristics, weaknesses, accountability problems and success conditions of these partnerships. The main problems with public-private partnerships are defined by Shaoul et al. (2012, 218) and network governance theory, which also return in Forrer et al. (2010)’s accountability model. This framework provides a way to assess the accountability of a public-private partnership on the basis of a number of important factors. Risk allocation, clear costs and benefits, indications of social and political impact, clear division of expertise, the existence of partnership collaboration and performance management all play roles in providing public accountability to the private sector through a public-private partnership (Forrer et al., 2010, 479-482). Through these six aspects, accountability mechanisms can be described in the early stages of the partnership by the public and private sector, but the parties must also show commitment to these principles during daily operations. It is therefore important that there are clear two-way communication channels between the partners, so that accountability can be guaranteed at every stage of the process. However, this model focusses on public-private partnerships in general, while the case this thesis researches is mainly based on cybersecurity performance. In a public-private partnership on cybersecurity performance, it is expected that greater emphasis will be laid on the division expertise, performance measurement and clear communication between the parties. Because the performance on cybersecurity is the central theme in the partnership, it is expected that more attention is devoted to these elements. In order to effectively identify the accountability mechanisms in the network between governmental parties and telecom sector companies, the network also needs to be correctly described. How successful the partnership is according to actors that function in this network is also important in answering the research question. This discussion leads to the following sub-questions to evaluate accountability generation in public-private partnerships and what the relation to partnership effectiveness is:

1. What parties and cooperating frameworks make up the network of public-private partnerships between the Dutch telecom sector and participating governmental organisations?

2. What accountability mechanisms are present in the network of public-private partnerships between the Dutch telecom sector and participating governmental organisations?

(21)

20

3. What aspects explain the effectiveness of the network of public-private partnerships between the Dutch telecom sector and participating governmental organisations?

(22)

21

3 – Empirical design

In this chapter, the more practical aspects of the research will be discussed. This includes the research design and the way data will be collected and analysed. Furthermore, the unit of analysis and the unit of observation will be named. The reliability and validity of the chosen research design and methods will also be listed, which will culminate in a discussion of the strengths and weaknesses of the chosen design.

3.1 – Research design

The research design chosen to examine how Dutch telecom companies are held accountable through public-private partnerships is a holistic case study. The case this thesis is researching is the public-private partnership between Dutch private telecom companies and participating Dutch governmental organizations on cybersecurity performance. The reason for this, is that a specific sector is chosen to examine the wider phenomenon of accountability provision in public-private partnerships. The case is a typical case of a partnership on cybersecurity that is reliant on information sharing and cooperation between the partners. The aim of this research is to provide contextualized insight in a specific partnership network to test whether the accountability mechanisms of the model of Forrer et al. (2010) are present in a partnership that is based on cybersecurity and information sharing. The network of public-private partnerships between the Dutch telecom sector and participating Dutch governmental organisations is a typical case of these elements. Furthermore, the case also represents the approach of the Dutch government in partnering with Dutch vital sectors on cybersecurity performance. Additionally, a case study allows for more focus on the details of the public-private partnership network between the telecom sector and the Dutch government and its specifics, which will allow for the in-depth application of the theory to a case. The research will be qualitative in nature, as the focus is on a single network of companies and governmental institutions. The qualitative style fits the need to explain how coordination within a single sub-system works. More importantly, the interaction between the different parties in the partnership are best researched using a qualitative approach, as it involves thick description and qualitative interviews.

(23)

22 3.2 – Research methods and data collection

The methods chosen to collect and analyse data are based on the qualitative case study design. The aim is to gather qualitative data on the workings of accountability generation within a specific partnership. The first chosen method is document analysis. The official structures of the public-private partnerships between the public sector and the private telecommunication companies are visible within public and private sector documents and official online pages, which are described in figure 3. Using this, an indication can be made of how the partnerships look like and function. However, this method suffers from the fact that interactions between the parties are not written down. To really achieve a detailed analysis of the workings of the partnerships, interviews with the relevant public and private sector institutions and companies also need to be used as a source of information. Interviews will be conducted with policy makers from the telecom sector who are closely involved with the partnerships and with officials from the main governmental organisations that are involved in the partnership, which are AT, the NCSC and the ministry of EACP. In total, six interviews will be conducted. The list of interviewees is found in figure 2. This way, the situation in the public-private partnership can be analysed from the perspectives of its partners, which is ultimately very important. Both methods will yield analytical results on different levels, as the document analysis will focus on what is written and the interviews measure the perceived dimensions of accountability by the partners themselves. Still, the methods focus on measuring the same structures, which will lead to comparison of the findings and limited triangulation. Due to the sensitive nature of the information and the presence of informal aspects, not all accountability aspects can be observed equally through document analysis. Because of this, only limited triangulation is possible within the analysis. The unit of observation will be policy documents and interviews with government officials and private sector companies. The unit of analysis is the way Dutch telecom companies are held accountable on their performance of cybersecurity through public-private partnerships and how this impacts the perceived effectiveness of the partnership.

(24)

23

Figure 2: List of interviews with respondent names, affiliated companies/governmental organisations and functions

Figure 3: List of document clusters used as sources of additional accountability indications

Respondent name Affiliated company or

governmental organisation

Function

Franck Jansen KPN (private sector, telecom

provider)

Policy maker, NCO-T representative KPN

Koen van Rhee KPN (private sector, telecom

provider)

Policy maker, team leader KPN security policy

Anonymous NCSC (public sector, responsible

for supporting vital sectors in cybersecurity domain)

Disclosed function in the telecom ISAC

Maarten van Kesteren The ministry of EACP (public

sector, responsible ministry for the telecom sector)

Policy maker, NCO-T secretary

Piet Voesten VodafoneZiggo (private sector,

telecom provider)

Security expert, subsidiary NCO-T representative VodafoneZiggo Arco van Emous & Jasper

Nagtegaal

AT (public sector, supervising organisation for the telecom sector)

Head supervision security & Project leader

cybersecurity

Documents Belonging

to

organisation

Significance Importance for

accountability dimensions CBSN 2014-2017 (NCSC,

2014, 2015, 2016, 2017)

NCSC Information on the

ISAC structure and the role of the NCSC.

Division of risks, Division of costs and benefits, Partnership collaboration and trust

Cybersecurity Agenda 2018 (NCSC, 2018h)

NCSC Information on

accomplishments and future agenda

Division of costs and benefits

Website articles on public-private cooperation (NCSC, 2018c, d, e, f, g)

NCSC Information on

methods the NCSC uses and the

importance of trust

Partnership

(25)

24 Documents on private

sector criteria for

continuity and information security (AT, 2018c, d, e)

AT Information on how

performance is measured and what risks have to be controlled by the telecom sector Performance measurement Documents on public-private interactions with the ministry (NCTV, 2018 ; Rijksoverheid, 2018, a, b c) Ministry of EACP, NCTV Information on relation with the ministry and its supervising role

Division of costs and benefits, performance measurement

Website documents of the DCB (DCB, 2018)

DCB Information on sectoral

and intersectoral cooperation

(26)

25 3.3 – Operationalization and data analysis

In order to indicate how data is going to be analysed, Forrer et al. (2010)’s conception of

accountability needs to be operationalized within the researched case. This operationalization is necessary, because in order to measure data on accountability generation, the right information sources need to be consulted. In order to answer the sub-question and the research question, the six dimensions of Forrer et al. (2010)’s accountability model will be divided in sub-indicators which will be translated into interview questions. The interviews will be semi-structured, because respondents from the private telecom sector and various governmental organisations are selected in order to assess the points of view of partners from all sectors. The dimensions from Forrer et al. (2010)’s model, the indicators and the methods are all described in the operationalization table (figure 4). Interviews will be the main source of information in collecting data in the dimensions of social and political impacts, expertise and partnership effectiveness. Document analysis combined with interviews will serve to collect data in the categories of the division of risks, costs and benefits, partnership collaboration and performance measurement. The interviews will be used to gather additional information when documents on the partnership are unavailable and most importantly, interviews serve as a way to measure the perceived truth from the partners themselves. The same amount of respondent from both sectors will be chosen to portray experiences from both sectors in an even manner. Snowball sampling will be used to contact respondents with relevant positions within the telecom sector and the relevant governmental organisations.

(27)

26

Figure 4: Operationalization table of the dimensions of Forrer et al. (2010)’s accountability model and perceived partnership effectiveness

Dimensions/indicators from Forrer et al. (2010)’s model and effectiveness Sub-indicators Research methods (How observed) Example of interview questions Documents

Division of risks - Assignment of risk

control between the partners - Capabilities of the partners to address risks Interviews, Document analysis

What are some of the risks that you have to address as a telecom company with regards to maintaining service continuity? AT criteria regarding risk control for telecom companies, DCB website information Division of costs and

benefits

- Definition of costs and benefits by the partners

- Perceived importance of costs and benefits of the partners

Interviews, Document analysis

What is the relevance of costs and benefits in the partnership with the telecom sector? Is that a discussion that is relevant for the functioning of the partnership or is this implicit NCSC, IRB, O-IRT-O, AT documents on the value of the partnerships.

Addressing social and political impacts

- Assignment of political responsibility within the partnerships - Division of responsibility for addressing social impacts - Awareness of political consequences between all partners

Interviews What are the political consequences of service discontinuity for the telecom sector?

-

Division of expertise - Division of expertise between partners - Influence of expertise on capabilities and roles of partners

Interviews How is expertise divided within the partnership and how does this define the role of the partners?

-

Partnership

collaboration and trust

- Formal measures taken to facilitate trust - Communication between stakeholders - Perceived importance of collaboration and trust Interviews, Document analysis

What measures are taken by the partners to facilitate trust?

How does trust benefit the relationships with governmental parties? NCSC documents on measures to create trust Performance Measurement - Formal methods to measure performance of actors Interviews, document analysis

What is the importance of the performance of telecom companies on cybersecurity for the

AT official criteria for telecom companies

(28)

27 - Perceived impact of

performance on partnership

partnerships?

In what ways does AT measure the performance of the sector on

cybersecurity? Is this incident driven or does this happen through regular inspections? Perceived partnership effectiveness - Perceived success of the partnerships - Perceived aspects of partnership effectiveness

Interviews In your opinion, is the partnership with the telecom sector successful in realising its goals? What are the main aspects that determine the

cooperation with the other partners?

(29)

28 3.4 – Validity and reliability

The internal validity of the research is guaranteed, because the structure of the partnership and the interactions and perceptions of the partners are directly visible within relevant document and through interviews. The interviews are especially important, as the perspectives from both the private and public sectors within the partnership will be measured. The perceptions from these partners constitute the partnership itself, which is why the internal validity is high. Case study designs regularly have problems with external validity and the generalization of its findings. However, the aim of this research is not to generalize all of its findings, as the system has a certain context that is impossible to generalize. However, the characteristics of the Dutch case, such as its strengths and weaknesses can provide insights that prove useful to the literature of public-private partnerships. The study also provides reliability, as document analysis and interviews are replicable to a certain degree. The context of the public-private partnership that this research is about changes over time, which may damage the replicability if an entire different strategy within these partnerships is pursued by the public sector. Possible pitfalls of this research include that the operationalisation is lacking and that observations made are too vague. With a solid analytical framework and the operationalisation of vague concepts, this problem will be mitigated. Incorporating the six dimensions of Forrer et al. (2010, 479-482) into clear questions asked in the interviews, clear indicators will be established to research the phenomenon. Another possible pitfall is the overgeneralization of case findings, but this can be prevented by referring to the context the research and by only generalizing the lessons of the case.

(30)

29

4 – Analysis

In this chapter, the data that has been collected through the methods described in the third chapter will be presented. The public-private partnerships on cybersecurity performance between the telecom sector and the Dutch government are extensive and encompass projects between multiple governmental organizations and the telecom companies. In order to identify what the accountability structures of the public-private partnerships between telecom companies and the Dutch government are, the exact cooperating roles of the governmental and non-governmental actors in these partnerships need to be identified. What follows from this is an overview of the actors involved and the partnership projects that are ongoing between the telecom sector and the Dutch government. After identifying these aspects, the analysis will focus on the accountability structures of these partnerships and how this impacts the perceived success of the partnerships according to the partners themselves.

4.1 – Describing the network and main actors

In order to effectively protect the Dutch telecom network from cybersecurity threats and to guarantee continuity of telecom services, the sector works together in a network of governmental and non-governmental organisations on strategic, tactical and operational levels. Even though responsibility for cybersecurity within the sector lies mainly within the sector itself, these public-private interactions remain necessary, because they significantly help telecom providers in addressing cyber threats and to respond to crisis situations. This network between public and private actors manifests itself in many cooperating groups and consultations, in which the telecom sector deliberates with public and private partners. It is necessary to provide an overview of the most important actors and what the main ways they work together are in order to identify what accountability structures there are and how this relates to the success of the partnership. What follows is an overview of these important actors and partnerships.

4.1.1 – The Dutch telecom sector

The telecom sector in the Netherlands consists of competing providers of telecommunication and internet services. Most of the telecommunications network is owned by a small number of

(31)

30

major telecom companies, which include KPN, Vodafoneziggo, Tele2 and T-mobile (DCB, 2018). All telecom companies are privately owned in the Netherlands and compete with each other in selling telecom services. There are also numerous smaller regional companies that offer telecommunication and internet services that use parts of the network owned by one of the larger companies. The telecommunications sector falls under the jurisdiction of the ministry of Economic Affairs and Climate Policy (EACP) and is subject to laws and regulations from this department (Rijksoverheid, 2018b). The main law the telecom companies are subject to is the Dutch Telecom Law, which guarantees reliable services, the uptime of emergency numbers and consumers’ rights and privacy protection (Overheid.nl, 2018). In order to protect consumers’ data and to guarantee the continuity of these services, the telecom companies are expected to take appropriate security measures with regards to the present risks. The main governmental agencies that provide oversight on the security measures taken within the telecom sector is the Dutch Telecom Agency (AT) (Agentschap Telecom, 2018a). The Dutch Consumer Authority is also a scrutinizing organisation within the telecom sector, but focusses on protecting customer interests and only focusses on the protection of customer data.

The Dutch Telecom Law places responsibility for the protection of the Dutch telecom network mainly in the hands of the telecom companies. This is an enormous responsibility, as the Dutch government has labelled telecommunications as a vital sector. This means that disruption of Dutch telecommunication services have major ramifications for the whole of Dutch society (Personal interview, 1st May). To fulfil this responsibility and in order to ensure the continuity and quality of the services they sell, the telecom companies have developed their own Computer Emergency Response Teams (CERTs) and cooperate with each other through various networks and with the ministry of EACP, other vital sectors and the NCSC to continuously secure the integrity of the Dutch telecom network (Personal interview, 1st May, 2018). In addition to cooperating within these frameworks, the Dutch telecom companies also have to manage their own expertise in order to effectively respond to threats (Personal interview, 1st May, 2018). On the other hand, the telecom companies have to sufficiently safeguard customer data in accordance with the telecom law (Overheid.nl, 2018). Since October 2017, organizations within the Dutch vital sectors are required by law to report cybersecurity breaches to the NCSC as soon as possible after an incident. This builds on existing practices in the sector and ensures that effective solutions or crisis response can be set in motion immediately after this happens (Personal interview, 1st_{May, 2018).}

(32)

31

4.1.1.1 – The Dutch Continuity Board (DCB)

The Dutch Continuity Board is a platform created by the telecom providers in order to work more closely in creating cyber-resilience within the sector and to preserve the continuity of telecom services (DCB, 2018). The board operates as a distinct group within the existing ISAC structure of the NCSC and aims to facilitate coordination between the members of the telecom ISAC and ISAC’s from other vital sectors (DCB, 2018). The members of the DCB recognize that the telecom sector is reliant on other vital sectors, such as the energy and financial sectors. Because of this, the DCB actively works together with these domains on a case-by-case frequency (DCB, 2018). By involving these sectors, the cybersecurity knowledge shared within the DCB will not just benefit the telecom sector, but will help protecting a wider range of vital Dutch infrastructure. The DCB mainly focusses on specific cybersecurity issues that are relevant for the vital sectors. DDOS attacks has been labelled as one of the most important areas to create cyber-resilience in, because it is such a frequently recurring problem and because of the possible impact it can have on service continuity within the vital sectors (DCB, 2018). Even though the DCB members are competitors in the telecom market, the initiative is purely focussed on reinforcing resilience within the sector through collaboration. This means that commercially and technically sensitive information will not be shared, but that the cooperation is focussed on sharing useful operational information and knowledge with regards to the prevention of cyber threat and DDOS attacks in particular (DCB, 2018).

The DCB functions on the operational level and focusses on sharing information and knowledge to stop or help mitigate cyber threats such as DDOS attacks (DCB, 2018). The main operational goals of the DCB are to facilitate collaboration between its members to support government and industry information exchange. Furthermore, threats, intrusions and anomalies detected by the members are shared together with the best practices and implementation methods to prevent these events from occurring. Furthermore, the DCB facilitates operational coordination in a crisis scenario in case of a major threat to Dutch vital infrastructure. The DCB coordinates with other entities on the operational level, such as the OPS trust DDOS working group, O-IRT-O and the ICT Response Board (IRB). In the case of a national crisis, the IRB serves an advisory function to other organizations within the Dutch national crisis organisational structure (DCB, 2018). The DCB will submit operational input to the IRB when this body convenes in case of a national crisis scenario, which further emphasises the importance of public-private coordination in times of a crisis (DCB, 2018).

(33)

32

4.1.2 – The National Cyber Security Centre (NCSC)

The National Cyber Security Centre (NCSC) is a Dutch governmental organization that ensures the protection of critical Dutch infrastructure in cyberspace. The NCSC was established in 2012 and functions according to the framework of GOVCERT NL, which was created in 2002 (NCSC, 2017, 24th January). The main task of the NCSC is to deal with computer security problems and their prevention within the Netherlands. The NCSC achieves this goal through coordination when an ICT related incident occurs and through proactive actions to prevent such incidents (NCSC, 2017, 24th January). The main constituency in which the NCSC is active consists of Dutch governmental organizations, private organizations with a public assignment, organizations of Dutch critical sectors and members of Dutch Information Sharing and Analysis Centres (ISAC’s) (Personal interview, 7th_{May). The NCSC defines critical sectors as sectors}

that are important for Dutch society. For example, the energy, telecommunication and financial sectors are all considered to be vital sectors (NCSC, 2018g). The NCSC is part of the National Coordinator for Counterterrorism and Security (NCTV), which falls under the jurisdiction of the Dutch ministry of Justice and Security. The NCSC consists of three teams, which are tasked with incident response, knowledge services and organizational development (NCSC, 2017, 24th

January ; NCSC, 2018, 24th February). Through these three teams, the NCSC provides four basic services: Incident Prevention, Incident and Crisis Response, Monitoring and Knowledge Sharing. In these four domains, the NCSC acts as the role of a facilitator of international exchange of knowledge, as an independent source of knowledge and as a forum for participants and incident response teams to exchange knowledge between actors within the Netherlands (NCSC, 2018g). In order to maximize effectiveness while remaining as efficiently as possible, the NCSC cooperates with a wide variety of national and international actors in order to share knowledge on threats and effective countermeasures with as many other CERTS as possible. Furthermore, these communication channels are essential for the NCSC to carry out its role in the four established domains and to provide support to the vital sectors on strategic, operational and tactical levels (Personal interview, 7th May, 2018). The ultimate role of the NCSC is to connect problems, solutions and organizations to protect Dutch vital sectors from cyberattacks (Personal interview, 7th May, 2018).

The NCSC as a number of characteristics that help consolidating its information sharing role with the vital sectors. Even though the NCSC falls under the jurisdiction of the ministry of Security and Justice, it has acquired the reputation of a neutral party that is solely interested in