Public-Private Partnership in Dutch Cyber Security Governance: An Analysis of its Effectiveness

(1)

Public-Private Partnerships in Dutch

Cyber Security Governance

An analysis of its effectiveness

Master Thesis Ewout Aryan van den Blink

Student number: s1890484

Master program Crisis and Security Management Faculty of Governance and Global Affairs

January, 2018

First reader: Mr. Dr. Joery Matthys Second reader: Mr. Sergei Boeke LL.M.

(2)

1 | Page

Abstract

This research has aimed to analyze the effectiveness of Dutch public-private partnerships (PPP) in the realm of cyber security. In this analysis four elements to analyze its effectiveness as presented by Max Manley (2015), trust, clear legal guidance, a bottom-up approach, and community involvement, were applied. These elements were supplemented with the findings of Madeline Carr (2016) on ambiguities related to the division of responsibility and accountability within cyber security PPPs. Through a document analysis of the Dutch National Cyber Security Strategy 2 (NCSS2), and a discourse analysis of interviews with three public and three private sector officials active within PPPs, it is concluded that the Dutch PPPs system is indeed effective. All 4 elements were represented in both the NCSS2 and the interview data. The main findings conclude that the element of trust is however underrepresented in the NCSS2. Clear legal guidance and a bottom-up approach are well represented. Furthermore it is concluded from the interview data that sharing of information and reciprocity are particularly critical elements for effectiveness. A third conclusion is that the division of responsibility and accountability within Dutch PPPs remains ambiguous.

(3)

2 | Page

Acknowledgements

First of all I would like to thank my supervisor dr. Joery Matthys for his patience and advice. Secondly I would very much like to thank all the respondents, without whom I would not have been able to finish this thesis. Thank you for your honesty and for the frank and interesting conversations. Even though some things might not be mentioned in the analysis of this thesis, your insights and expertise have helped me shape this research to what it has become. I hope you enjoy reading it.

(4)

3 | Page

"In order to get a grip on cyber security, not only the government should feel responsible, but all parts of society. The discussion should not only be about our safety, but also about different values like health, equal treatment, access to essential goods and services, honest information, fair prices, and eventually our human dignity." Dr. ir. Melanie Peters, director of the Rathenau Institute (translated)

1. Introduction

1.1 The Dutch cyber security landscape

In an interview published by the Dutch Cyber Security Council (Cyber Security Raad [CSR]) Wim Kuijken, chairman of the board of 'The Hague Security Delta' made the following statement: "Digital safety and security through digital solutions. That is, according to me, the essence of future security policy. More needs to be invested in order to stimulate desired societal development, and also to prevent threatening societal disruption. That is happening far too little (...). The developments are going very fast. That is why urgent political attention is needed" (CSR, 2017, p.15, translated).

With this statement Wim Kuijken explicates the need for enhanced cyber security. This form of security is becoming an inherent part of the national security of many advanced countries worldwide (Luiijf, Besseling & De Graaf, 2013). It is becoming part of the national security strategies because of the simple fact that a very substantial amount of economic activity is taking place in an online environment. And this has not gone unnoticed by malevolent actors. According to Hans de Boer, chairman of VNO-NCW, the largest employers organization in the Netherlands, cybercrime costs the Dutch economy billons every year (CSR, 2017, p.21).

This is supported by a recent rapport published by Deloitte. They estimate the potential annual loss of value due to cyber threats and attacks at 10 billion euro's. With the public sector alone risking a 2,4 billion euro value loss (Deloitte, 2017). Many industry leaders, from Herna Verhagen, CEO at PostNL to at Marjan van Loon, CEO at Shell the Netherlands quite rightly so argue for enhanced digital safety and cyber security (CSR, 2017).

(9)

8 | Page

In addition, it is not only the national economy and the potential impact of cyber threats on that economy that has people worried. There are also serious implication that come with the rapid digital advancements of this age for critical infrastructure (CI) systems. In a rapport published by The Hague Security Delta (2015) it is argued that due to increased digitalization of systems and processes within critical infrastructures, they have become more vulnerable for cyber threats and attacks. Such cyber threats have a large potential impact on both private and public organizations, and society as a whole, as shown in section 2.1.2. In the words of Wim Kuijken: "We are left with no other choice: the digital security of our critical infrastructure needs to be enhanced" (CSR, 2017, translated).

And here arises a potential difficulty. In the Netherlands, some 80% of the critical infrastructure is owned and operate by private organizations (NCTV, 2016). In order to realize a comprehensive and adequate cyber security strategy, public-private cooperation are thus vital. It is through public-private partnerships (PPP) that the Dutch have established a modus of cooperation in the field of cyber security and critical infrastructure protection (CIP).

It is argued that such public-private partnerships are key in creating order in the cyber security domain and in realizing cyber security. This cooperative form of governance is believed to be a productive vessel in achieving cyber security related goals (Klein, 2015; Kenney, 2012) and an effective form of cooperation in the field of cyber (Kleinwachter, 2003).

1.2. Cyber security as part of the national security

Over the past few decades cyber-attacks have become more common and pose a significant threat to both public and private organizations. It is argued that hundreds of thousands of cyber-attacks take place every year, ranging from cyber espionage to distributed denial of service (DDoS) attacks aimed to paralyze information and communication technology (Klein, 2015; Kenney, 2012). Furthermore cyber crime is increasingly becoming an everyday form of crime, and swiftly recognizing threats and adapting policy is key in achieving cyber security (Choo, 2011).

Due to the emergence of such threats, cyber security has become an integral part of many countries national security agenda (Luiijf et al.2013). The approach on how to deal with these emerging threats however has not always been straightforward. Governments and the private

(10)

9 | Page

sector have been pointing at each other, arguing over who is responsible for the protection of critical infrastructure like power plants and water facilities, but also information and communications technology systems. Simultaneously however that both government and businesses have been coming to terms on working together in order to sufficiently protect critical infrastructure (Cook, 2010).

Within this increasingly comple taken the form of public-private partnerships (Bossong & Wagner, 2016; Carr, 2016; Manley, 2015; DeNardis & Raymond, 2013; Kleinwachter, 2003). In fact, the public-private partnership model has been labeled as a very effective means of cooperation between the two sectors (Carr, 2016; Kleinwachter, 2003).

And public-private partnerships are no new phenomena. As early as the 1970's PPP appeared in the United States as a means to de-bureaucratize government processes in order to improve efficiency (Dunn-Cavalty & Suter, 2009, p.2). Nowadays public-private partnerships are used for various objectives. One key aspect of public-private partnerships in cyber security for example is information-sharing (Carr, 2016; Manley, 2015, Dunn-Cavalty & Suter, 2009). However, the erection of PPPs in cyber security remains subject to criticism and scrutiny.

One of the main criticisms on PPPs in cyber security specifically is that they are not a useful means of cooperation, as the information-sharing in many instances has led to nothing more than "joint statements of intent" (Dunn-Cavalty & Suter, 2009, p.2).Nontheless, others argue the opposite, and state that a PPP is in fact an adequate means of cooperation (Carr, 2016; Manley, 2015).

This thesis research will analyze the nature of the current cyber security PPPs between the Dutch government and the private sector in the realm of cyber security. The main objective of the research is to analyze whether and why the public-private partnerships in the Netherlands are effective.

1.3. Research question

In order to add to the debate on PPP effectiveness, this thesis sets out to add empirical understanding of the Dutch PPP system. In order to do so it is imperative to understand the Dutch PPP system, and to understand what elements make PPPs effective in the first place. The research question to achieve this objective is formulated as follows:

(11)

10 | Page

"Does the Dutch system of public and private sector cooperation through public-private partnerships in the realm of cyber security align with the elements of an effective public-private partnership as formulated by Max Manley (2015) and Madeline Carr (2016)"?

The mentioned findings by Manley (2015) and Carr (2016) are presented in the literature review in the following section, and summarized in the conceptual framework in chapter 3.

1.4. Scientific and societal relevance

It is apparent that the Dutch government engages in public-private partnerships regarding cyber security, among which some are aimed at protecting Dutch critical infrastructure from cyber threats. In current day governance, public-private partnerships play an important role in developing and maintaining cyber security and the consequential protection of critical infrastructure (Carr, 2016). Even so, it is crucial to scope the specific scientific and societal relevance of the research at hand.

1.4.1. Scientific relevance

Much academic literature underscores the importance of PPPs in cyber security, and acknowledge the need for advancements in the area. In the literature the Dutch model of public-private partnerships is often praised for its effectiveness (Carr, 2016; Manley, 2015). However, oftentimes these academics have a focuses on the United States or other larger countries their policy, and only briefly touch upon Dutch examples. This thesis aims to asses why it is that the Dutch system so often is praised. By using the academic body of knowledge often used to assess larger western states their PPP policy, the findings from this thesis will help pinpoint which aspect of the Dutch system work best, and where potential further improvements are needed.

Furthermore, when it comes to the protection of critical infrastructure, problems arise when resorting to PPPs. These problems concern the division of responsibility and accountability related to the cyber security of critical infrastructure. Here the relationship between the government and private companies becomes messy, as neither claims the former nor the latter (Carr, 2016). These flaws in public-private partnership are often left unaddressed in the

(12)

11 | Page

assessment of PPP effectiveness, where recognizing and acknowledging them is key in establishing effective cyber security cooperation (Carr, 2016).

1.4.2. Societal relevance

When looking at the research question from a societal point of view, it becomes clear that there are also societal implication connected to PPP effectiveness. The use of internet is becoming more widespread every day, and it is important that national cyber security is managed as effectively as possible. Both the protection of the regular use of the internet by individuals, as well as the protection of critical infrastructure is of large importance for society. Ensuring effective public-private partnerships is thus not only relevant for the public and private partners, but also for the individuals utilizing the cyber infrastructure on a daily basis.

Furthermore reinforcing or disproving the current academic literature on effective public-private partnerships in the Netherlands can help policy makers in the conception of future PPPs, and in streamlining existing PPPs in the Netherlands.

1.5. Introduction to the methodology

In order to analyze whether the Dutch PPPs align with said elements, a holistic single case study approach will be used. Through a document analysis of the Dutch National Cyber Security Strategy 2 (NCSS2), and a discourse analysis of interview data from 6 interviews with both public and private sector officials, a comprehensive set of empirical evidence is collected. These data will allow for a thorough and methodical answering of the posed research question. A set of sub-questions is presented alongside the conceptual framework in section 3 of this thesis. The research is explorative in its nature.

1.6. Outline

The remainder of this thesis consist of a multitude of chapters. First a literature review will look at the definitions of cyber security and public private partnerships. It also consists of an in-depth explication of the before mentioned theories of Manley (2015) and Carr (2016). In the 3rd chapter the conceptual framework derived from the literature review, as well as a set of sub-questions are presented. In the 4th chapter the methodology of the thesis is discussed. In the 5th

(13)

12 | Page

chapter, the analysis of the NCSS2 and interview data is presented, followed by the answering of the sub-questions. The 6th and final chapter of this thesis brings forward a conclusion of the main research findings, and answers the main research question.

2. Literature review

It is important to note that public-private partnerships related to cyber security arguably function somewhat different than ‘regular’ PPPs. Hence, before an analysis of the current functioning of the Dutch public-private partnerships can be made, it is important to define public-private partnerships, and how 'cyber security' influences the functioning and conceptions of such partnerships. First, it is paramount to define the term cyber security. 'Security' is a broadly interpreted term, and it is important to narrow its definition, and subsequently accurately articulate the definition of the term 'cyber security'.

In the second part of this literature review the current state of public-private partnership as a form of governance will be explored. This includes an analysis of the current role PPPs play in (Dutch) governance, as well as an exploration of what is defined as a good and effective public-private partnership.

In this literature review, the findings by Max Manley (2015) and Madeline Carr (2016) stand central in formulating a comprehensive conceptual framework encompassing both core aspects of public-private partnerships and cyber security. This is done in order to enable a comprehensive analysis of the current day state of the Dutch public-private partnerships related to cyber security. In the following section different definitions and conceptions cyber security will be discussed, followed by a section on public-private partnerships.

2.1. Defining cyber security

Most commonly, public-private partnerships have been developed as a means to mitigate the threats of cyber insecurity (Carr, 2016, p.44). Cyber security according to Carr (2016, p.43) is "one of the most challenging aspects of the information age for policy-makers (...)". Complications range from implications on national security, to human rights issues, and are becoming increasingly complex and troublesome to resolve. (Ibid, 2016, p.43).

(14)

13 | Page

Carr (2016) argues that the term 'cyber security' is "as broad and indistinct a term as 'security'" (p.49). This is largely due to the fact that cyber security is a multifaceted term. It refers to the integrity and privacy of personal online activity and communications, but also to the safeguarding of (online) critical infrastructure, to safe online economic activities, and to military threats (Ibid, 2016). And this is not an exhaustive list. Securing the online is an immense objective, and mitigating cyber insecurities is by no means an unambiguous challenge.

Richard Harknett and James Stever (2011), in line with Carr (2016) argue that "The cybersecurity problem does not fit conventional or traditional security categories based on individual security responsibilities, economic or corporate security issues, military security, as well as domestic versus international problems" (p.455).

One of the reasons therefore is the fact that the term 'security' itself is an ambiguous one. If there is one thing International Relations scholars agree upon, it is that defining, or narrowing the definition, of security is challenging to say the least. Carr (2016) therefore continues to define cyber security by answering three questions frequently used to guide those trying to sculpt a frame in which to fit 'security'; "security from whom, security from what, and security by what means?" (p. 49). She uses these questions to see how different states approach cyber security, but she does not bring forward a clear-cut definition herself.

Eric Luiijf, Kim Besseling and Patrick de Graaf (2013) take a look at different definitions formulated by nineteen nations in their respective National Cyber Security Strategies. They argue that formulating clearly what cyber security means, is essential in establishing common ground between the strategies. However, they find that there is quite an inherent difference in the approach between the nineteen national strategies they have analyzed. One main difference they bring forward is that there is a discrepancy in how nations approach and define cyber security. Where some nations have a bottom-up approach, where "information security properties (are) to be safeguarded and guaranteed" (Luiijf et al., 2013, p.5). This contradicts with the top-down approach used by several nations. They use a more holistic approach in which cyber security aims to protect from external threats (Ibid, 2013).

Luiijf et al. (2013) find that the inconsistent defining of cyber security by different nations quite possibly frustrates international cooperation in the field of cyber, in turn making it very complicated to formulate an integrated international approach to tackle global cyber threats.

(15)

14 | Page

They bring forward a definition of cyber security formulated by Rauscher and Yashenko: "a property of cyberspace that is an ability to resist intentional and unintentional threats and respond and recover" (as quoted in Luiif et al., 2013, p.5).

Adding to the debate on the different definitions, Dan Craigan, Nadia Daikun-Thibault and Randy Purse (2014) argue that cyber security is "a broadly used term, whose definitions are highly variable, often subjective, and at times, uninformative" (p.13). Agreeing with the argument that a lack of a harmonized definition harms advancements in tackling complex cyber security issues, they have analyzed nine different definitions. In turn they have distilled those down to the following definition: "Cybersecurity is the organization and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights" (Craigan et al., 2014. p.17).

As this paper focuses on the Netherlands and its public-private partnership it is key to understand how the Dutch national cyber security strategy defines cyber security. In the Dutch National Cyber Security Strategy 2 cyber security is defined as follows: "Cyber security refers to efforts to prevent damage caused by disruptions to, breakdowns in or misuse of ICT and to repair damage if and when it has occurred" (NCTV, 2013, p. 7).

The Dutch definition shows similarities with the two discussed definitions but speaks of 'efforts' as opposed to 'abilities' in cyberspace. This seems to be a bit more of a cautious approach. Arguably, cyber security in the Dutch definition does not necessarily mean that being cyber secure also entails being fully resilient to threats. It also refers to efforts to minimize these threats, even if these cannot be fully mitigated. This seems to be a more realistic, actionable approach, as being fully able to resist cyber threats in today's cyberspace arguably is a quite utopian objective. Note that the Dutch definition, and that of Rauscher and Yashenko (2013) incorporate the importance of the ability - or effort - to recover from, or repair damages from cyber threats.

In sum, when looking at the three definitions brought forward in this literature review it becomes clear that there is indeed no consensus on how cyber security is to be defined. However, for this analysis the Dutch definition will be used as a guideline when talking about cyber security, as the Dutch public-private system will be analyzed.

(16)

15 | Page

In order to understand why there is no consensus on the definition of cyber security, it might help to take a more in-depth look at the three questions brought forward by Carr (2016). It will show that there are some inherent challenges to cyber security, and it gives insights in how public-private partnerships have become the prevalent means of obtaining (and maintaining) cyber security. This in turn will help to better understand the broader Dutch cyber security policy.

2.1.1. Security for whom?

The first question that needs answering is security for whom? Carr (2016) argues that "the referent object (...) typically (is) the state" (p.50). So security for the state. The state can be dissected into three core components, which are essential when answering the question. The first element focuses on the individuals inside the state. And immediately some friction arises, as what security means for the individual does not necessarily overlap with what security means for the state. Security versus individual privacy here being the cause of friction. There is however also a certain degree of conflation of interests. With the state striving for security, it simultaneously strives to protect its individual citizens (Ibid, 2016, p.50). So state's security interest and individual security interest have some common ground, and it will be interesting to see how the Dutch cyber security policy attends to both the frictions and common grounds.

The second element is the national economy and, more specifically, the business sector of the state. With the internet having become such an integral part of the economy, it is vital to protect this sector from cyber threats. It is argued that it is in the interest of national security of states to protect its cyber infrastructure, as the national economy greatly depends on its functioning (Ibid, 2016, p.50-51).

A third element according to Carr (2016) is "ensuring the integrity and smooth functioning of the internet" (p.51). With the internet having become intertwined with the functioning of society, both on an individual, as on a societal level, it is imperative for the state to protect and guarantee its functioning. The internet has become a core asset of national security (Ibid, 2016).

Security for whom? Well, that depends. The state is argued to be a triad of individuals, the economy, and the internet itself, and each of them might require different attitudes and

(17)

16 | Page

actions in maintaining its cyber security. The subsequent questions that arise revolve, firstly, around the state protecting the individual. But what happens when the individual needs protection from the state? Secondly, if the business sector is so depending on secure cyber infrastructure, should it not aid the state in obtaining and maintaining such security? Thirdly, when securing the fluid working of the internet, the state also secures the persistence of cyber threats, which uses the internet to attack it. Carr (2016, p.52) concludes that these frictions are likely to be found in national cyber security strategies. It will be interesting to see how, and if, these show in the Dutch strategy.

2.1.2. Security from what?

In answering this question a division can be made between actors and targets. First, there is a tendency to clearly articulate which actors pose threats to a states cyber security. Carr (2016) quite eloquently argues that this approach can prove quite nonsensical. Attribution in the realm of cyber can prove quite impossible, and the 'classical' threesome of malicious actors - criminals, terrorist and rival states - might be to narrow of a conceptualization of malevolent cyber actors. Nevertheless, the attributing to, and naming of malicious actors are rooted in current day political and legal conceptions, and as of yet this is no different in terms of cyber threats (Ibid, 2016, p. 52).

More concrete than the discussion on the conceptualization of possible perpetrators, two main 'target areas' of cyber space are identified. These targets are the national economy, and a states critical infrastructure. Having discussed the economic implications of cyber security in the previous section, critical infrastructure deserves an in-depth discussion. Critical infrastructure protection often stands central in the conception of public-private partnerships. The European Commission defines critical infrastructure as: " consist(ing) of those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of governments" (2004, p.3).

The main reason for the public-private partnerships to emerge in the field of critical infrastructure protection is that - in advanced industrialized countries - many of these systems have been privatized over the past decades. These systems have nonetheless remained critical,

(18)

17 | Page

and with the increasing linkage between the existing infrastructure and the cyber infrastructure, they have become core components of national cyber security (Carr, 2016).

In the Netherlands the Ministry of Justice and Security (until recent the Ministry of Security and Justice) through the National Coordinator for Security and Counterterrorism (Nationaal Coordinator Terrorisme en Veiligheid [NCTV]) is responsible for the critical infrastructure protection. The NCTV differentiates between two different categories of critical infrastructure. The first being 'category A'. CI in category A consist of infrastructure that, when disrupted, damaged, or otherwise impaired meets one of three criteria, and meets the 'cascade effect' criteria. Table 1 gives a schematic overview of these criteria.

Table 1. Criteria for category A critical infrastructure (NCTV, 2017)

Economic impact > approximately €50 billion in damage or an approximately five percent drop in real income.

Physical consequences more than 10,000 dead, seriously injured or chronically ill.

Social impact more than one million afflicted by emotional problems or serious problems with basic survival.

Cascade effect failure results in the breakdown of at least two other sectors.

CI in Category B consist of systems that meet one of three criteria shown in table 2

Table 2. Criteria for category B critical infrastructure (NCTV, 2017)

Economic impact > approximately €5 billion in damage or an approximately one percent drop in real income.

 Physical impact more than 1,000 dead, seriously injured or chronically ill.

Social impact more than 100,000 people afflicted by

emotional problems or serious problems with basic survival.

(19)

18 | Page

The categorization is done according to the possible effects of a failure. Failure in category A CI thus has a potentially larger effects on Dutch society than category B CI. Examples of category A CIs are the drinking water supply and oil supply. Examples of category B CIs are internet and data services, internet access and data traffic, and financial transactions (NCTV, 2017).

With 80% the critical infrastructure systems owned and operated by the private sector in the Netherlands, efforts to secure these sectors have been trending towards self-regulation and cooperation with the government through information-sharing. Within this trend public-private partnerships function as primary facilitator (Carr, 2016, p.55).

2.1.3. Security by what means?

Now that the first two questions have been discussed, it is time to discuss the means by which the state can obtain and maintain cyber security. As stated, public-private partnerships play an important role. Cooperation is deemed key in developing comprehensive cyber security. Carr (2016, p.53-54) argues that information-sharing is an important aspect which a public-private partnership facilitates. Simultaneously however, she signals some ambiguities in these partnerships with regard to the division of responsibility and accountability. But before we take a deeper look into those ambiguities, it is important to understand what a public-private partnership is, and what constitutes a effective public-private partnership.

2.2. The public-private partnership as a means of cooperation

It has been established that PPPs play an increasingly important role in the governance of cyber security (Bossong & Wagner, 2016; Carr, 2016) it is important to take a broader look at what a PPP entails, and what constitutes an effective PPP.

According to Stephen Osborne PPPs are a “cost-efficient and effective instruments for reaching certain government and private sector agendas” (as quoted in Manley, 2015, p.86). The desired goal of a PPP as formulated by Osborne in turn is to "release synergy through collaboration and joining various types of resources, or to transform one or more of the partner organizations" (as quoted in Manley, 2015, p.86). Focusing on PPPs in CIP, Myriam Dune-Cavelty and Manuel Suter (2009) forward a somewhat more elaborate goal, stating that: "Its goal is to exploit synergies in the joint innovative use of resources and in the application of

(20)

19 | Page

management knowledge, with optimal attainment of the goals of all parties involved, where these goals could not be attained to the same extent without the other parties" (p.2). Crucial here is the addition of the section on obtaining goals otherwise unobtainable through the partnership. This will be discussed in more depth in the section on the model of PPP.

Now it is clear what the main goals and objectives of PPPs are, it is time to look at its definition. Forrer et al. (2010) offer the following definition: "Public-private partnerships are ongoing agreements between government and private sector organizations in which the private organization participates in the decision-making and production of a public good or service that has traditionally been provided by the public sector and in which the private sector shares the risk of that production" (p. 476). Although comprehensive, this definition fails to address the possibility of mutual benefits arising from the partnership, and makes the partnership seem like a more rigid agreement.

Trying to surpass the at times encumbering theoretical discussion on its definition, Max Manley (2015) acknowledges the frictions within the many conceptions of public-private partnerships. He goes on and argues that it is essential that PPPs are somewhat fluid in nature, and not too rigid. This is primarily important due to the nature of the objective of the partnership, which is unique in its kind. The fluidity of cyber threats asks for a different conception of public-private partnerships than is often referred to.

2.3. Defining the effectiveness of a public-private partnership

In his conception of what elements constitute PPP effectiveness, Manley (2015) uses the term 'successfulness'. In this conception he uses the term effectiveness as a synonym for successfulness throughout his article. Although he conceptualizes these terms when he brings forward four crucial elements for PPP success, it is worthwhile to first look at the broader definitions of effectiveness and successfulness within the context of public-private partnerships.

2.3.1. Effectiveness versus successfulness

The Oxford Dictionary defines 'successful' as "accomplishing a desired aim or result". Successfulness can thus be said to indicate the level or degree of accomplishment of that certain aim or result. This is quite synonymous with the term 'effectiveness', regularly used as an

(21)

20 | Page

indicator of the level of success in the broader academic world. In fact, the Oxford Dictionary defines effectiveness as "the degree to which something is successful in producing a desired result". Table 3 gives a schematic overview of both definitions.

Table 3. Definitions of effectiveness and successfulness

Effectiveness "The degree to which something is successful in producing a desired result" (Oxford Dictionary)

Successfulness "The degree to which something has successfully accomplished a desired aim or

result" (Adaptation form the Oxford

Dictionary)

From a linguistic point of view, effectiveness and successfulness can thus be said to be synonyms, and Manley (2015) indeed uses both terms as such. However, from a contextual point of view it can be argued that there is an inherent difference between the two. The term 'successfulness' namely has an inherent positive connotation. 'Success' is inherently positive, and the same goes for 'successful'. An important distinction that should be made however is that when using the term 'successfulness', one does not necessarily imply that something is per definition successful.

Effectiveness on the other hand has a more neutral connotation. Exploring its meaning along the same line as successfulness might help to understand why. The term 'effect' is inherently neutral. It can be both positive or negative. There is a degree of effect, or there is not. The term 'effective' then already hinges towards being more positive in its nature. In turn, the term 'effectiveness' also slightly implies a positive 'effect'. However, as it is commonly used within the academia as an objective term of measurement, overall it has a more neutral and objective connotation.

Remarkably, such distinction is often not made within the academic PPP literature. Some academics use the terms interchangeably (Manley, 2015; Carr, 2016). Others stick to successfulness without going into detail on the definition of the chosen terminology

(22)

(Dunn-21 | Page

Cavalty & Suter, 2009). In general it is found that despite contextual obstacles, 'successfulness' and 'effectiveness' are used as synonyms in the PPP literature, without clear distinctions being made.

Concluding, successfulness and effectiveness are linguistic synonyms. Contextually however, there are some objections for using the term successfulness, albeit it only that it is important to clearly define the term. In order to avoid any possible confusion or perceived subjectivity with regard to PPP success, for the remainder of this thesis the term 'effectiveness' will be used to indicate the degree to which Dutch PPPs are successful in producing cyber security. This choice is made in order to facilitate an objective as possible analysis of Dutch PPPs in cyber security, and aligns with the broader academic use of the term effectiveness. Note that the terms 'success', 'successful' , 'effect', and 'effective' will still be used within the context of their respective linguistic definitions.

2.3.2. Conceptualizing the effectiveness of public-private partnerships

With the choice being made to use the term effectiveness, it is important to define the term within the context of a PPP governance. What is effectiveness for PPPs? Keith Provan and Patrick Kenis (2008) argue that there has been a lack of research into the conceptualization and measurement of effectiveness (p.1-2). They look at network effectiveness specifically, and define networks as "groups of three or more legally autonomous organizations that work together to achieve not only their own goals but also a collective goal" (p.3). In their article Provan and Kenis (2008) bring forward some "critical contingencies" which indicate whether or not a network is effective. Important indicators within the context of PPPs are trust, goal consensus, and the need for network-level competencies.

Critical within the notion of trust is that there is an equal distribution of trust between the organizations. It is argued that network governance is effective when trust is present throughout the network. The network members need to have the same perception of the level of trust, all the way down to the individuals within the cooperation organizations. A high level of trust will in turn create a strong basis for cooperation, leading to an effective cooperation (Ibid, p.9-10).

Concerning goal consensus Provan and Kenis (2008) state that it is not quite necessary to have high levels of goal consensus in order to have high effectiveness. Organizations within a

(23)

22 | Page

governance network can have somewhat different goals for cooperation and still have an effective cooperation. Intermediate levels of goal consensus can already lead to effective cooperation. Kenis and Provan (2008) furthermore note that trust and goal consensus are not necessarily linked. Even with intermediate goal consensus, a high level of trust can be established.

The third critical contingency is the need for network-level competencies. This means that there has to be a direct need for cooperation between the organizations, and this need can only be fulfilled through the cooperation. If the interdependence on the other organization to achieve a certain goal however becomes too great, it can hamper effectiveness. (Ibid, 2008).

In sum, a network is effective when there is a high level of trust, when there is an intermediate level of goal consensus, and when there is not too high a level of interdependence on network-level competencies. This analysis by Provan and Kenis (2008) however does not focus specifically on public-private partnerships. It is therefore essential to formulate a more PPP focused conception of PPP effectiveness.

As mentioned earlier in this section 2.3.1., Manley (2015) uses the terms successfulness and effectiveness as synonyms. However, it is also argued that exclusively using the term effectiveness benefits the overall analysis of Dutch PPPs. In the following section Manley's (2015) conceptualization of essential elements of an effective PPP will be presented. In doing so, it becomes clear that Manley's (2015) conception of PPP successfulness is similar to the conception of effectiveness and shows strong similarities with the conceptions of effectiveness as forwarded by Kennis and Provan (2008). In the conceptual framework a final summary of conceptual lens used in this thesis will be presented. The conceptualization of PPP effectiveness as formulated by Manley (2015) will serve as the main basis for this lens.

2.3 Essential elements of an effective public-private partnership in cyber security

Aiming to set out a model for effective public-private partnerships in the field of cyber security, Manley (2015) brings forward four main elements that he finds are crucial for a partnership to be effective. These elements are trust, clear legal guidance, a bottom-up structural approach, and the need for community involvement (p.89-90). Manley brings forward a schematic model with his

(24)

23 | Page

findings, which for clarity purposes has been reproduced in figure 1. In the following sections these elements will be discussed individually.

Figure 1. Qualitative model for an effective public-private partnership (Manley, 2015, p.90)

2.3.1. Element 1: Trust

The first step that is essential in creating an effective public-private partnership is establishing a high level of trust. It is widely agreed upon that trust is a crucial element within the relationship, as a lack thereof will certainty hamper the voluntary sharing of information. Trust can be established through both informal and formal means. Informal contact via email with partners outside of the own organization for example can help breed trust. Furthermore communication through established networks of secure communication can help build trust relationships among partners. Important here is that there is a shared goal which is worked towards. It is through these shared goals, and the communication with respect to these goals, that trust is created (Manley, 2015).

More formal measures that can help breed trust are transparency, the protection of sensitive information, and acknowledging that there needs to be some form of quid pro quo for all parties involved. Transparency meaning that the intentions and goals of the government for entering in a public-private partnership are to be clear at all times. Furthermore the protection of

(25)

24 | Page

information is crucial for a good trust relationship. Understandably private organizations might not want to share sensitive company information with the government, when the integrity of the shared information cannot be guaranteed (Ibid, 2015). Virginia Greiman (2015, p.123) adds to this debate that indeed Freedom of Information Acts (the 'Wet Openbaarheid van Bestuur' [WOB] in the Netherlands) can hamper information-sharing, as private companies want to keep their competitive information from being disclosed publicly. They also want to avoid possible liability from information disclosed.

Finally, there has to be a certain amount of reciprocity for private organizations to stimulate voluntary information-sharing. In a public-private partnership, it can not only be the government receiving information from the public sector. Manley (2015, p. 92) argues that many United States based CEO's feel that the current form of public-private partnership is more favorable for the government, as they benefit most. PPPs would benefit from a more equal sharing of information, in which the government also shares information it may have on certain threats and developments.

Trust, and the breeding thereof is crucial in establishing an effective public-private partnership. It can be created through different means, but having a foundation built upon it is absolutely essential. The next step in creating an effective PPP is creating clear legal guidance to harness the gained trust.

2.3.2. Element 2: Clear legal guidance

Manley (2015, p.92) makes a distinction between two types of PPPs. First there is the legally non-binding cooperative PPP. Secondly there is the legally binding, contractual PPP. He continues to argue that although cooperative PPPs can be a good vessel to harness resources to achieve and support the mutual goals or interests, they remain non-binding. On the other side, in a contractual PPPs a legal framework can give guidance to its specific functioning, but might also make private organizations feel forced to cooperate. Manley (2015) states that both types of PPPs have their pros and cons, and that the desired end goal is crucial in choosing the legal nature of the PPP. The non-binding PPP is simply not efficient enough, the binding PPP may hamper information-sharing due to its forceful nature.

(26)

25 | Page

Greiman (2015) offers a solution. She argues that legal statues can help form a framework for cooperation in which private organizations feel secure enough to share competitive information with its government partners. These findings align with findings by Pauline Vaillancourt Rosenau (1999, p.21), who states that public-private partnerships benefit from a clear legal framework. Legally ensuring that this information is shielded from for example FOIAs can help create trust and stimulates information-sharing (Greiman, 2015, p.123).

Manley (2015) furthermore states that financial incentives provided by the government can help spur overall cyber resilience, whilst also incentivizing further cooperation with the government. High costs associated with cyber security often holds private organizations back from extensive cooperation. Removing such associations by financial compensation through legal frameworks of cooperation is key.

Manley (2015) here fails to address the ambiguities uncovered by Carr (2016) in dividing responsibility and accountability between public and private partners. Carr (2016) takes a broad approach in her analyses of public-private partnerships and looks at both the public and the private side of the partnership. By taking into account both perspectives of the partnership, her analysis provides a good basis for analyzing the relationship between the two 'sides', and for analyzing whether this type of partnership is an effective form of governance. Her focus lies on explaining and unraveling the complexity of the shared expectations concerning the division of roles, responsibility and authority.

Manley (2015) only states that it is important to have clear legal guidelines in order to spur mutual trust and future cooperation. However, in the realm of cyber security and critical infrastructure protection it is also quite important to discuss these ambiguities. Vaillancourt Rosenau (1999) made mention of these ambiguities in her 1999 article. She argued that although public-private partnerships can in theory be a useful means in creating "synergistic dynamics" (p.10), there are accountability issues that need to be refined. Therefore it is important to return to Carr (2016), and her findings on the ambiguities in public-private partnerships.

According to Carr (2016) the crux of the ambiguity regarding responsibility lies in the fact that "What is in society’s best interest with regard to cyber security is not always in the best interests of the private sector" (p.57). Private organizations in critical infrastructure see their responsibility to protect their system in an economic equation. The cost cannot outweigh the

(27)

26 | Page

benefits, so to say. If securing their systems becomes more costly than the potential economic impact it has on them as a private organization, they will no longer take responsibility. Carr (2016) here finds a distinction between threat-levels that private organizations use. Low-level threats such as individual actors on the one side, and high-level threats like cyber terrorism and stately actors on the other. There is a belief that the latter falls under the state's responsibility to protect against. Where partnerships mainly focus on information-sharing, there is a disjuncture over responsibility-sharing.

A second ambiguity Carr (2016) discussed regards accountability. Here Manley's (2015) argument that clear legal guidance aids the public-private partnership is underscored, and elaborated upon in more depth. The crux here lays in the fact that the realm of cyber security and CIP is one of national security, and is regarded as a matter for which elected government officials and institutions are accountable. However, when delegating policy responsibility to private organizations through PPPs, it is not clear where government accountability ends. With private organizations mixed into the equation, the grounding principle of democracy - accountability to the electorate - of government officials becomes blurred.

The main reason why the division of responsibility and accountability is vague in PPPs, according to Carr (2016), is that it is often unclear what a public-private partnership precisely encompasses. Stating her "core contribution", Carr (2016) says that "the weaknesses in the partnership must be openly acknowledged so that we may begin to develop mechanisms to address them" (p.62).

It is this acknowledgment that might consolidate Manley's (2015) conceptions of cooperative versus contractual PPPs. Building trust is key for information-sharing, but is cannot be hampered by too rigid a legal framework. Having seen that neither one is the optimal form, acknowledging mutual shortcomings may form a suitable starting point for effective future partnerships.

2.3.3. Element 3: Bottom-up structural approach

The third step focuses on the operational structure of a public-private partnership. An important distinction made by Manley (2015) is that for a PPP to be effective, the PPP has to have a

(28)

27 | Page

bottom-up implementation of its operational structure. Having too strict a hierarchical structure diminishes the effectiveness of the cooperation.

Here Manley (2015) brings forward the example of the effective implementation of cyber security PPPs in the Netherlands. Through the encouragement of active participation in conferences on cyber security, a network of information-sharing has been established. Essential here is that partners feel equal. This is something that according to Manley (2015) the Dutch PPPs have effectively incorporated into their modus operandi. Note that Manley (2015) does not mention specifically which Dutch PPP are effective.

Establishing effective networks of information-sharing in turn allows for swifter responses with regard to potential threats. Through the implementation of a bottom-up operational structure, lower-level parties will have more autonomy to sufficiently tackle emerging cyber threats, in turn increasing resilience over the entire width of the PPP (Ibid, 2015). Manley (2015) here does note that in case of national crises and calamities, it is important to have a clear division of authority.

In addition, strict constraints imposed in a top-down, hierarchical structure dampen the ability of PPPs in cyber security to swiftly and effectively tackle immediate cyber attacks, something that is essential for the effectiveness of a cyber security PPP (Ibid, 2015).

2.3.4 Element 4: Community involvement

The fourth step in the model is adequately “involving the community”. This element boils down to the level of willingness among parties to engage in a PPP. Important is that there are mutual beneficial circumstances for all parties involved, and there has to be a need for the cooperation. Cooperation for cooperation's sake is not a good basis for a public-private partnership. One key stumbling stone is the sharing of (sensitive) information among partners. Private partners are sometimes reluctant to share information, fearing the privacy and confidentiality of the information is not always guaranteed. However, Manley (2015) does see that this reluctance is decreasing, and that private partners are becoming increasingly positive on the possibilities that public-private partnerships offer for cyber security (Manley, 2015).

(29)

28 | Page

3. Conceptual framework and sub-questions

Concluding the literature review, the remainder of this thesis will aim to analyze Dutch cyber security public-private partnerships. In order to do so, a conceptual framework encompassing the four elements as formulated by Manley (2015) in his conceptualization of PPP effectiveness will stand central. Manley's (2015) conceptualization is reinforced with the findings on ambiguities by Carr (2016)

Figure 2 gives a schematic overview of the conceptual framework.

Figure 2. Schematic overview of conceptual framework (adopted from Manley (2015))

Furthermore, a fourfold of sub-questions have been formulated in order to sufficiently answer the main research question:

1. How are the four elements as formulated by Manley (2015) represented in the National Cyber Security Strategy 2?

2. How are the ambiguities as formulated by Carr (2015) represented in the National Cyber Security Strategy 2?

(30)

29 | Page

3. How do officials involved in Dutch public-private partnerships perceive the partnership, with respect to the findings by Manley (2015) and Carr (2016).

4. How does the conception of public-private partnerships in the National Cyber Security Strategy 2 compare to the perception of officials involved in cyber security public-private partnerships?

4. Methodology

This section encompasses a description of the methods used to analyze the public-private partnerships in the Netherlands. First the overall research design will be discussed, followed by exploration of the data collection methods. Hereafter the methods of analyzing this data are discussed. Finally, concerns regarding validity of these methods will be discussed.

4.1. Research design

In order to analyze cyber security public-private partnerships in the Netherlands, a qualitative research design is used. A holistic single case study has been executed in order to adequately analyze the Dutch PPPs. A single case study allows for a holistic and in-depth exploration of of the subject (Gustafsson, 2017; Yin, 2003). The unit of analysis here being public-private partnerships in cyber security in the Netherlands. Within this single case design the Dutch National Cyber Security Strategy 2 will be examined. Furthermore, 6 Dutch officials from private and public organization engaged in PPPs will be interviewed. The holistic study design allows for a study of the 'global nature' of the Dutch PPPs (Yin, 2003)

The choice for a single case study is based on the findings in the literature review that PPPs in the field of cyber security are relatively new, but already quite prevalent. Ambiguities therefore remain, and by conducting a single case study in which the Dutch cyber security PPP landscape stands central, explorative findings can add to the wider debate on public-private partnerships. This in turn will help to enhance the academic and empirical understanding of PPPs (Baxter & Jack, 2008)

(31)

30 | Page

4.2. Data collection methods

This section discusses the method by which the data is collected. These data are the National Cyber Security Strategy 2 document, and 6 interviews with individuals from the private and public sectors. Three individuals represent the private sector, and three the public sector.

The choice to analyze the National Cyber Security Strategy 2 has been made as it is one of the most important and influential documents published by the Dutch government regarding its cyber security policy. It is also the most recent such strategy published. The choice to only analyze the NCSS2, and not other relevant documents like for example the National Cyber Security Assessment 2017, also published by the Ministry of Justice and Security, is that the NCSS2 approaches cyber security at a more strategic level. This has been a key factor in this decision. The NCSS2 is publicly available in both Dutch and English. The English version has been used for analysis in this thesis.

To further add to the analysis, interviews have been conducted to see how both public and private sector officials perceive the public-private partnerships. The interviews were semi-structured. By asking mainly open-ended questions during the interviews , they have been aimed at extracting the opinion and experiences of the interviewed representatives. The main questions however revolved around how the PPP is perceived, and whether the elements of the conceptual framework are present in Dutch cyber security PPPs.

Questions revolved around how effective the PPP is believed to be, what problems they have encountered, and what they feel can be done better. The interviews have been anonymized to guarantee that interviewees are not reluctant to express their full opinion. A guideline for the interview questions can be found in appendix 1. Table 3 shows the interviewees and their respective functions in random order.

(32)

31 | Page

Table 4.Schematic overview of interviewees and functions

Interviewee Reference Function

Anonymized Respondent 1 Director cyber security at PwC

Anonymized Respondent 2 Commercial Strategist identity and privacy at KPN

Anonymized Respondent 3 Manager public sector at VodafoneZiggo Anonymized Respondent 4 Senior official at Uitvoeringsorganisatie

Bedrijfsvoering Rijk (UBR) at Ministry of the Interior and Kingdom Relations

Anonymized Respondent 5 Senior official at the National Cyber Security Centre

Elly van den Heuvel Respondent 6 Secretary of the Cyber Security Council

Interviewees from the private sector work in the ICT sector (KPN and VodafoneZiggo) and in the consultancy sector (PwC). The choice to interview individuals who work in the ICT and telecommunications sector has been made as it is labeled as a critical infrastructure sector and were approachable trough the personal network of the author. The choice to interview the individual from the consultancy sector has been made as this individuals has extensive knowledge of cyber security, and operates in both partnerships with public sector and private sector organizations.

As for the public sector, the senior official from the Ministry of Interior and Kingdom Relations has been interview for the extensive knowledge and experience this individual has with the execution and management of public-private partnerships. The official works at the Uitvoeringsorganisatie Bedrijfsvoering Rijk (UBR), which is the Dutch governments executive organization for its business management. Its main tasks are to aid the government in making large organizational transitions such as IT transitions and other organizational innovations.

The senior official at the NCSC has been interviewed as a representative of NCSC, and for the officials in-depth knowledge and experience with cyber security and public-private partnerships. The NCSC falls under the direction of the Ministry of Justice and Security, and was established in 2012. The NCSC functions as a central information node, and supports the Dutch

(33)

32 | Page

government with knowledge and guidance on cyber related issues and threats. It also functions as the main crisis management hub, with the Dutch GovCERT, the Dutch Computer Emergency Response Team being integrated into the organization.

Mrs. Elly van den Heuvel has been interviewed in her role as secretary of the Cyber Security Council. The CSR operates as an independent advisory board to the Dutch cabinet that operates in the a public-private capacity. The CSR comprises of 18 members. 7 members from the public sector, 7 members from the private sector, and 4 academia. The CSR operates on a highly strategic level, and gives advice to public and private sector policymakers on cyber security related topics. It is co-chaired by Eelco Blok, CEO of KPN, and Dick Schoof, head of the NCTV (CSR, 2016).

4.3. Data analysis and operationalization

This section looks at how the gathered data has been analyzed. It furthermore looks at the operationalization of the concepts used for the analysis.

4.3.1. Data Analysis

The primary research has been conducted through a document analysis of the National Cyber Security Strategy 2. In addition to this document analysis, interviews have been conducted with various senior officials and representatives from both the public and private sector. The interview data has been analyzed using a discourse analysis. First the document analysis method will be discussed.

For the scrutinizing of the NCSS2 a document analysis has been performed. This analysis has been performed in order to help to "elicit meaning, gain understanding and develop empirical knowledge" (Bowen, 1995, p. 27) on the NCSS2. It also allows for sense-making of the intrinsic nature of the NCSS2 (Ibid, 1995). As it is an official government published document, analyzing NCSS2 has helped provide context in the debate on the functioning of public-private partnerships in cyber security in the Netherlands.

The interviews have been analyzed by performing a discourse analysis on the interview data. Discourse analysis allows for interpretation and systemization of the discourse in the field of public-private partnerships. It allows to place the discourse in a sociopolitical context, and

(34)

33 | Page

aims to uncover the underlying assumptions (Talja, 1999). Discourse analysis enables the uncovering of "ongoing conversations, important debates, and interpretative conflicts existing in society" (Ibid, 1995, p. 473).

Through a combination of the literature review, the document analysis, and the discourse analysis of the interview data, a multitude of sources is used to answer the main research question. Via this methodological triangulation the reliability of the findings is increased (Talja, 1999; Bowen 1995).

A conceptual framework has been constructed in order to analyze the National Cyber Security Strategy 2 and its implications concerning public-private partnerships in the Netherlands. The conceptual framework consists of the concepts brought forward by Max Manley (2015). These findings have been reinforced with the findings by Madeline Carr (2016), as explained in the literature review. The main aim of the conceptual framework has been to assess how trust, clear legal guidance - together with the division of responsibility and accountability -, a bottom-up approach, and community involvement are represented in the National Cyber security Strategy 2. Both the NCSS2 and the interview results have been analyzed using this operational framework derived from the conceptual framework presented previously.

4.3.2. Operationalization

Using the elements forwarded by Manley (2015) a set of indicators have been derived based on the literature review. For the first element, 'trust', the indicators that show whether trust is a present element are: The presence of a shared goal; transparency between partners; the active sharing of information by all partners; and the presence of reciprocity for both partners.

For the second element, 'clear legal guidance', the indicators have been derives based on both Manley (2015) and Carr (2016). Indicators that there is clear legal guidance are: The presence of a clear legal framework of the partnership; a clear division of responsibility and accountability between partners; and the presence of incentives from the government for cooperation.

(35)

34 | Page

For the third element, 'bottom-up approach', the following indicators have been derived: Active encouragement of participation by the government; and the perception of being equal in the partnership.

For the fourth and final element, 'community involvement', the following indicator has been derived: The necessity of the partnership. It is this necessity that can encourage the community into engaging in PPPs. This of course being mainly applicable for the private sector. Table 4 schematically presents the presented operational framework.

Table 5. Schematic overview of operational framework

Element Indicators

Trust - Shared goal

- Transparency

- Active sharing of information - Reciprocity

Clear legal guidance - Clear legal framework of partnership

- Division of responsibility and accountability - Incentives from the government

Bottom-up approach - Encouragement of participation

- Perception of being equal in partnership Community involvement - Necessity of partnership

4.4. Validity and reliability

In this section the validity and reliability of the chosen research methods are discussed. First the internal and external validity are discussed. This is followed by a discussion of the reliability. Thereafter the construct validity is discussed. This section is finalized with the addressing of possible shortcomings in the chosen methods.