Controlling outsourced contracts
How the Dutch ministry of Defence attempts to remain in control of outsourced contracts
Master thesis 'Crisis and Security Management'
Universiteit Leiden Alexander Top S1159224 Supervisor: Dr. L. Block Deadline: 12-1-2020 Word count: 12.642
2
Index
1. Introduction ... 3 2. Theory ... 6 Theoretical Framework ... 6 Control Mechanisms... 9The Outsourcing control pattern model ... 11
Characteristics of the transaction, transaction environment and parties ... 11
Control Mechanisms... 13
The role of trust ... 13
3. Methodology ... 16
Type of research ... 16
Case Selection ... 16
Method of data collection ... 16
Method of data analysis ... 17
Limitations and addressing them ... 17
4. Fox-IT ... 18
NCC-Group takes over Fox-IT. ... 18
Algemene Beveiligingseisen voor Defensieopdrachten (ABDO) 2006 ... 19
Dutch government demands influence ... 21
Algemene Beveiligingseisen voor Defensieopdrachten (ABDO) 2017 ... 22
Statutory changes... 24 5. Analysis... 26 Transaction ... 26 Control mechanisms ... 28 Trust ... 30 6. Conclusion ... 32 Discussion ... 33 Acknowledgements ... 34 Key Documents ... 35 References ... 36
3
Abstract
Outsourcing is a form of a principal-agent partnership aimed at achieving efficiency, accessing expertise not available within the party itself and allows the party to focus on its core competencies. This research draws on the model by Langfield-Smith & Smith (2003) to examine how the Dutch government attempts to remain in control of outsourced contracts in a single case study of a Dutch cybersecurity company which provides security products for the protection of critical infrastructure after its takeover by a foreign entity. An analysis of the characteristics of the transaction, control mechanisms and the role of trust appeared to fit the trust based pattern. However, control was achieved through strict behavioural and contractual controls which fit in with the bureaucratic pattern. Through this research a better understanding of this practice by the Dutch government can be gained.
1. Introduction
The protection of critical cyber systems in our society has been a prominent point on the political and societal agenda in the last few years. The planned installation of the new 5G mobile internet network has caused a controversy in the Netherlands and the rest of the world in the spring and summer of 2019. Leading company in this sector, Chinese Huawei, is one of the main contenders to roll out this network. However, the Dutch intelligence agency AIVD has warned repeatedly for (corporate) espionage activities from that country. A recent example of this is the theft of data from computer chip manufacturer ASML (Verrijt & Mandemaker, 2019), where two Chinese ex-employees copied data and linked this to the network of Chinese company Xtal. This company then became a new rival for ASML with comparable software for chip production but at a much lower price. Xtal managed to persuade Samsung to use their software rather than ASMLs' which directly resulted in major damage for the company, the total provisional financial damage of the theft is estimated at 223 million dollars. Because of this theft, and concerns for Chinese influence, the parliament wants to temporarily halt any cooperation with Huawei. Multiple parties fear that Huawei could use their technology to conduct intelligence operations for the Chinese government and call for better protection of the nations vital networks (RTL Z, 2019).
The key question that the 5G network brings forward is how the nations critical infrastructure can be protected against malevolent outside influence. These kinds of networks connect the operating and control systems of infrastructure vital to Dutch society such as drinking water
4 supplies, the electric grid and the financial system (den Hartog, 2019). To have the overarching network through which all these networks are connected designed, constructed and operated through an outside company and their equipment leaves concerns for the national security. It would not be a strange thought to expect a country to utilize opportunities like these. Crucial in this question is the dependency of the nation on these networks and parties, especially when this country is suspected to conduct an active cyber campaign against the Netherlands. If these systems would fail the outcome could potentially lead to widespread chaos and leave the country unable to operate in a normal manner.
It is clear that in the case of Huawei that the government is careful to open itself up to potential risks from foreign influences. How then does the Dutch Government remain in control of the protection of critical infrastructure when these projects are outsourced? In order to be able to research this issue we will take a closer look at an earlier case in which a foreign party gained ownership of a company which was contracted by the Dutch Government to provide the encryption of state secrets and other sensitive information. The foreign takeover of Fox-IT by the British NCC-group in 2016 led to political and societal unrest and provides a very interesting case with which to take a closer look at this question.
The encryption of digital copies of state secrets of the Dutch government is done by a private party, Fox-IT. When the company was taken over by a British firm, NCC group, this sparked some very interesting questions. Is the encryption of our national sensitive data still save with the company now that it has been taken over by a foreign company? What happens if the NCC group decides to sell the company on? Who has access to our files and technology? The takeover has been a wakeup call for the Dutch government (J Leijten & Esther, 2017). Although the Dutch government has engaged in negotiations on being able to block future takeovers and protect the part of the company in which the sensitive data is located, this is only one example of many public private ventures that the Dutch government has in the cyber field for the protection of infrastructure, and it possibly poses some very interesting risks. In this research it is investigated how control is ensured by public parties in outsourcing the cyber security protection of critical infrastructure. The central question posed is 'How does the
Dutch Government attempt to ensure control over critical cyber1 infrastructure when tasks are outsourced?'.
1 The definition of 'Cyber', and derived terms, as used in this research relate to the "domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networkee
5 The potential risks which come with the use of these types of ventures could have a big impact on society. The state could be facing risks which it has unwillingly or unknowingly helped to create itself. In the case of Fox-IT however, due to the highly technical nature of the encryption and storage of sensitive state documents, the government is 'forced' to outsource these projects, simply because they do not have the knowledge and assets to provide the same level of expertise. This also brings out the particular tension which accompanies these outsourcing projects. The dependency of the government on the private actor may affect the amount of control which the government is able to assert over these actors.
systems and associated physical infrastructures" as defined by Cartwright (2010, p. 7). In short, it relates to the
digital space through which information is stored, modified and exchanged. The term 'Cyber' has been chosen because it prevails over 'Information technology' and 'digital' in the sources used in this research.
6
2. Theory
In order to be able to research how control can be asserted over outsourced projects by a public party there needs to be a clear understanding of what it is we’re trying to research. First of all, what types of infrastructure are there, secondly, what possibilities do public parties have to employ private parties and thirdly, what are ways for the public party to control the private party in the execution of their activities for the public party?
Theoretical Framework
First of all, let’s look at what types of infrastructures there are. In the introduction there was mention of critical infrastructure but before we can look to critical infrastructure the broader concept needs to be clear. Because we are dealing with the interplay between public and private parties we will only look at the public infrastructures. Private infrastructures will not be taken into account because these do not tie into our research. As Yescombe (2007, pp. 1–2) puts it; Public infrastructure can be regarded as those facilities or services which are paramount for the well-functioning of a society and its economy. These do not only include those services themselves but also supporting or additional facilities. Public infrastructure facilities can be divided into two types of infrastructure; Economic infrastructure, such as transportation services and services such as electricity or water, and social infrastructure such as hospitals, prisons and libraries. Economic infrastructure can be viewed as indispensable for daily economic activities and social infrastructure are fundamental for the system of society.
A number of these facilities can be deemed critical infrastructure in both the economic and social aspect. Critical infrastructure consists of systems and assets which are deemed so vital to society that destruction or incapacity has a major impact on various sectors (Cartwright, 2010). In this concept we can include systems such as power plants, bridges, monetary systems or telephone networks. The cyber security of critical infrastructure is therefore also a matter of national cyber security. More and more of these critical systems are privatized in the public private partnerships to heighten efficiency of the public administration (Dunn-Cavelty & Suter, 2009).
Now that it is clear which types of infrastructure there are and what makes infrastructure critical infrastructure, let us proceed to which options there are for the public party to employ private parties. There are two types of situations where private parties execute government tasks which need to be taken into consideration for this research; Public Private Partnerships and outsourcing.
7 Simply put, a Public Private Partnership is a form of cooperation between the state and the private sector (Carr, 2016). Put more elaborately, it entails "working arrangements based on a mutual commitment between a public sector organization with any organization outside of the public sector" (Bovaird, 2004, p. 200). Although it is argued that if committed more to the social corporate responsibility in their actions PPPs will continue to play an important role in the future (Bovaird, 2004) , Dunn-Cavelty & Suter (2009) argue otherwise. They argue that the PPP model was developed for a completely different context than for the protection of critical infrastructure since the goal of this protection is not to enhance efficiency but rather to enhance the provision of security. Although in other fields the private sector can help counter (cyber) threats and is potentially better equipped than the public sector (e Silva, 2017), Carr (2016) goes a step further and argues that the current PPP model cannot effectively provide security for critical infrastructure because there are no shared interests present in both parties. The private sector regards (cyber) security in a cost/benefits framework and the public sector sees this as a public good. In this regard there is a lack of financial incentive which could encourage companies to invest in security measures. At the same time, due to unaligned ideas about (cyber) security, companies could potentially not implement optimal measures (Givens & Busch, 2013). On the other hand, Yescombe states that it may be argued that safety is sacrificed for profit but that a PPP is under strict oversight by the public party and that safety standards, for all aspects of the operation, should be clearly laid out in the contract between the private and the public party (2007, p. 28). Yescombe goes on to claim that there is probably more ability to control and oversee the safety of the company and its operation than with a fully privatized version (2007, pp. 25–26).
The second form of cooperation between the public and private sector is outsourcing. In this process an organisation, public or private, contracts out activities to a third party which need to be engaged in on a regular basis which would otherwise be done by the organisation itself (Cox, Roberts, & Walton, 2011). More specifically, Kern & Willcocks (2000, p. 322) define IT outsourcing as ‘a decision taken by an organisation to contract-out or sell the organisation’s IT assets, people and/or activities to a third party supplier, who in exchange provides and manages assets and services for monetary returns over an agreed time period’. Outsourcing differs from public private partnerships. A partnership refers to arrangements in which both parties are engaged in collective decision making, where products are developed together and share risks, costs and potential profit from these products (Klein & Tijsman, 2000, p. 334). Outsourcing, on the other hand, is defined by a principal-agent relationship in
8 which the (public) actor specifies the problem and provides the blueprint for the solution (Klein & Tijsman, 2000, p. 335). Where the partnership aims to achieve effectiveness, outsourcing is aimed at achieving efficiency. Partnerships are based on the principles of process management, shared targets, shared financing, shared risks and a shared use of the output. Outsourcing arrangements are based on the principles of project management; starting with a clear principal, clear targets and strict blueprints for the product or output (Klein & Tijsman, 2000, p. 334).
Outsourcing thus has many potential benefits for the pursuing organisation such as cost savings, improved flexibility, access to expertise not available in house, heightened efficiency and the possibility to focus on core competencies (Cox et al., 2011). However, potential risks include, paradoxically, unrealized savings, hidden costs and less flexibility. More importantly, outsourcing also potentially poses risks of conflict of interest, loss of control and security issues (Kremic, Rom, & Tukel, 2006). Conflict of interest may arise from situations where a supplier has to act contrary to their other interests. They could be put into a position where they could create work for themselves without it actually being the best or most viable option. Security issues may be a result of the practices of the party which holds the contract. On a lower level this can involve untrained, unskilled or unwanted personnel which could potentially harm the operation of the company by accident or malevolent elements which set out to sabotage or destroy the operation on purpose. Furthermore, a loss of control or core competencies within an organisation can lead to a dependency on the third party (Kern & Willcocks, 2000). This dependency can potentially pose large risks, especially to parties which engage in the provision of critical infrastructure since the protection of critical infrastructure is a public task. As stated before, the systems of which critical infrastructure is comprised as so vital to society that its incapacity or destruction has a major impact on various sectors and the functioning of society as a whole.
The public party thus has two main options to employ private parties, the public private partnership and outsourcing. Both options have their advantages and disadvantages. The public private partnership provides cooperation between both parties which could heighten efficiency and share risks, costs and also potential profit. Although this can be seen as a big advantage, it is also argued that these types of partnerships cannot provide sufficient security for critical infrastructure due to unaligned ideas and conflicting interests. Outsourcing on the other hand is based upon a principal-agent relationship in which the private party fulfils the needed activities for the public party. Although it has its disadvantages such as potential
9 security risks, less flexibility, potential hidden costs and dependency on the private party it does provide a more ‘do as you’re told’ way of operating. Control can thus be more easily be asserted in an outsourcing operation than in a public private partnership.
Control Mechanisms
How then, does the public party assert control over the private party which fulfils the contract and opposes the disadvantages of outsourcing such as the potential security risks? In order to counteract the potential risks of employing private parties, the public party needs to be able to assert a certain level of control over the private party. Certain control mechanisms need to be put in place to attain this level of control and there are various mechanisms which can be applied to different situations. Following Rustagis' definition, control is described as "Attempts by individual(s) by using certain mechanisms for achieving organizational
objectives" (Rustagi, 2004, p. 32). This definition, when applied to outsourcing, covers all
possible mechanisms which the principal can utilize to assert control over their agent.
A first way to look at control in outsourcing is by using the control theory. Its conceptual model relies on a two-by-two matrix for outsourcing success as laid out by Rustagi (2004, p. 36). This matrix depicts the impact of interaction between the degree of control and environmental uncertainty on the success of the outsourcing process. A high degree of control in a setting of high environmental uncertainty would lead to a high degree of success. In the same matrix a low level of control in a setting of low environmental uncertainty also leads to a high level of success. Both a low degree of control in a setting of high environmental uncertainty and a high degree of control in a setting of low environmental security are expected to lead to a low success of the outsourcing contract.
A second, and more elaborate, way to look at control is by looking at various patterns which can be distinguished when outsourcing is done. Langfield-Smith & Smith (2003) lay out three distinct categories through which control mechanisms can be analysed in an outsourcing contract; the 'Market based' pattern, the 'Bureaucratic based' pattern and the 'Trust based' pattern. The conceptual model as laid out by Langfield-Smith & Smith (2003) is reproduced on the next page. Table 1: (Langfield-Smith & Smith, 2003, pp. 288–289)
10 Outsour
cing Control Pattern
Characteristics of the transaction, transaction environment and parties
Control Mechanisms The role of trust in achieving control Market based Pattern T rans ac ti on - High tas k p rogr amm abil it y - High outpu t mea sur abil it y - L ow a ss et spe cif icity - High re pe ti ti on o f t ra ns ac ti ons T rans ac ti on env ir onme nt - many potential pa rti es - mar ke t p rice contains all the ma rke t inf or mation - soc ial embedd edne ss and ins ti tut ional fa ctor s not re leva nt P ar ti es - not im por tant No spe cif ic contr ol ins tr uments r equir ed as mar ke t mec ha nis ms domi na te - c ompetit ive bidd ing at pe riodi c int er va ls - no de tailed c ontr ac ti ng - mar ke t pr ice li nke d to standa rdis ed ac ti vit ies a nd output s Not re leva nt - s witching cos ts a re low Bureau cratic based pattern T rans ac ti on -High tas k pr og ra mm abil it y - high ou tput mea sur abil it y - moder ate as se t spe cif icity - low to medium r epe ti ti on o f t ra ns ac ti ons T rans ac ti on env ir onme nt - F utur e conti nge nc ies known - medium to high mar ke t ris k - ins ti tut ional fa ctor inf luenc e contr ac tual rules P ar ti es - c ompete nc e re putation - medium ris k sha ring att itude - a symm etr y in ba rga ini ng powe r Outc ome and be ha viour contr ols , foc us ed on dir ec t int er ve nti on by outs our cing pa rty - r igi d pe rf o rmanc e tar ge ts - de tailed ru les of be ha viour - de tailed contr ac ts C ompr ehe ns ive se lec ti on cr it er ia and for mal biddi ng - hos tage a rr ange ments In se lec ti ng the outs our ce r whe n human knowle dge a nd skil ls a re im por tant to the qua li ty of the wor k, the out sour cing fir m mus t pe rc eive high leve ls of compete nc e tr us t and contr ac tual tr us t in the outs our ce r Trust based pattern T rans ac ti on - L ow tas k pr ogr amm abil it y - L ow output mea sur abil it y, that tends to inc re as e ove r ti me - high as se t spe cif icity - low re pe ti ti on o f t ra ns ac ti ons T rans ac ti on env ir onme nt - f utu re c onti nge nc ies unknown - high mar ke t ris ks - s oc ial embedde dne ss - ins ti tut ional fa ctor s inf luenc e the re lation P ar ti es - c ompete nc e re putation - e xpe rienc e in ne two rks - e xpe rienc e with cont ra cti ng pa rti es - r is k sha ring a tt it ude - no as ymm etr y in ba rga ini ng powe r Outc ome and soc ial contr ols de ve lop ove r ti me - br oa d non -s pe cif ic contr ac ts that de ve lop ti me - pe rf o rmanc e as se ss ed thr ough br oa d eme rge nt st anda rds - high leve ls of in for mation s ha ring and comm uni ca ti ons - P er ce pti ons of compete n ce tr us t, contr ac tual tr us t and goodwill tr us t may de ter mi ne the s elec ti on of o uts our ce r, and mus t be a ss es se d in adva nc e - the ins ti tut ional envir onment ca n sti mul ate co mpete nc e tr us t and contr ac tual tr us t - Oppor tuni sti c be ha viour a nd in for mation as ym metr y will be ove rc ome by de ve lopi ng goodwil l tr us t and contr ac tual tr us t. - re gular pe rs ona l contac ts , int ens e comm unica ti ons a nd a n att it ude of comm it ment ca n sti mul ate compete nc e an d goodwill tr us t
11 The Outsourcing control pattern model
Let us take a closer look at the model of Langfield-Smith & Smith (2003). As stated, it consists of three different pattern through which control can be asserted over the private party by the public party; the market based pattern, the bureaucratic pattern and the trust based pattern. Each pattern consists of three main elements through which the outsourcing project can be assessed. The first element deals with the characteristics of the transaction, transaction environment and the parties which can be utilized. The second element takes a closer look at the control mechanisms which are put in place when outsourcing. The third and final element deals with the role of trust which precedes achieving control over the private party.
Characteristics of the transaction, transaction environment and parties
Transaction
The characteristics of the transaction itself depend on four key elements in the model as laid out by Langfield-Smith & Smith (2003). Firstly; task programmability, secondly; Output measurability, thirdly; Asset Specificity and fourthly Repetition of transactions. The last element is of no relevance to this research because of the single case study design. It will therefore be left out of the analysis.
Task programmability can be roughly divided into two broad sections; tasks with high programmability and tasks with low programmability. First there are activities with high programmability. These tasks lie within the knowledgebase of the organization and the organization possesses the knowledge and information to decide in advance on how to execute them in order to prove successful (Speklé, 2001, p. 428). In other words: the organization is able to lay out a step by step program beforehand in order to be able to result in the expected outcomes. In this section it is clear what is required of the contractor and the organization which outsources the contract can achieve control by rules of behaviour, specific instructions and rigid performance targets to make sure that the contractor does what it needs to do (Speklé 2001). The second section are the Low programmable tasks. In contrast to the first section it is not possible for the contractor to specify beforehand what needs to be contributed in order to prove successful in terms of outcome. These contracts rely on
12 emphasizing a general commitment or more vague and general outlines in terms of expected outcome. It is therefore impossible to achieve control in the same way as in a high programmability setting, rather it relies on trust and competence (Speklé 2001).
Asset Specificity is the extent to which a certain asset, or resource, can be used for other purposes without a loss of production value of the resource (Langfield-Smith & Smith, 2003, p. 285). This specificity goes beyond the purely hardware components of the contract, in this case the servers on which the data is stored, and also reaches into human resources, site specificity and more. Should the contract be terminated early when high asset specificity is required then this will result in a clear loss for the contractor.
Transaction Environment
Transaction environment consists of the actions by other (competitive) parties or institutional organisations. In this case, the matter of the protection of sensitive state secrets results in a complicated environment. Not only does the contractor bear responsibility for the security of this data in terms of foreign organisations, be it friend or fiend, it also has to deal with governmental interventions and changing (geo)political arena. It is therefore a highly uncertain environment, with known but also unknown future contingencies, influences of the relation by institutional factors and high risks. The environment can therefore be placed in both the bureaucratic based pattern and the trust based pattern. Since institutional factors are relevant to the relation, the market based pattern can be left outside of the analysis.
Parties
The assessment of potential parties takes a role in two of the three different patterns. In the market based pattern this does not play a role due to the market mechanism; a party just needs to perform a task and switching costs are low. If a party is not suitable it is easy to switch to a different party which will then perform the same task. In the bureaucratic pattern, parties need to have a reputation of competence, have a medium risk sharing attitude yet there still will be an asymmetry in the bargaining power competing for the bid. In the Trust based pattern, the parties which are able to solicit for the bid need to have a competent reputation, have experience in the concerning networks, have previous experience with contracting parties, entail a risk sharing attitude and there will not be an asymmetry in the bargaining power due to the low amount of potential candidates.
13 Control Mechanisms
The control mechanisms in Langfield-Smith & Smith's (2003) model are divided into three options. In the first option, which is found in the market based pattern, there are no additional specific control mechanisms in place for the transaction. It states that these are not necessary due to the domination of market mechanisms. In other words, the market mechanism removes the need for further control mechanisms. In both the bureaucratic and trust based pattern extra control mechanisms are in place, albeit in a different form. Both patterns rely on outcome and behaviour control mechanisms. In the bureaucratic based pattern these mechanisms are aimed at direct intervention of the outsourcing party. These controls consist of rigid performance targets, detailed rules of behaviour, clear contracts, comprehensive selection criteria, formal bidding and hostage arrangements (Langfield-Smith & Smith 2003). Shortly put, the contract is outlined in such a way that there is only a single road to follow, and if the contracted deviates from this road the outsourcing party is able to intervene directly. In the trust based pattern, these requirements are not set out from the start and develop over time. The contracts are more broadly and non-specific, performance is evaluated over time and updated as the project moves along and the control is asserted more through cooperation and guiding rather than a principal agent relationship.
The role of trust
In the market based pattern the role of trust is not relevant. As stated previously the switching costs are low, there a plenty of parties able to conduct the operation in a suitable manner. If a party is unable to execute the (mostly) straightforward job and loses the trust of the outsourcing organisation they will simply move on to a different party. In the bureaucratic and trust based patterns however, trust does play an important role. In the bureaucratic pattern trust comes into play in the selection of the party and the need for human knowledge and skill. The potential candidates must be perceived as having high levels of competence trust and contractual trust. Through this the outsourcing organization creates a mechanism of control because parties deemed unfit for the rigid control mechanisms are not dealt with. In the trust based pattern trust takes over the role rigid control mechanisms and inter-organizational trust is used as a basis for control. There must be a clear assessment of the competence, contractual and goodwill trust in the selection of the contractor, which is then furthered by the institutional environment over time through regular personal contracts. Furthermore
14 opportunistic behaviour and information asymmetry are at the same time diminished by developing and assessing goodwill and contractual trust.
When looking at the model laid out by Langfield-Smith & Smith (2003), three distinct patterns come to light. Firstly, there is the market based pattern. This pattern is most suited for contracts characterised by high task programmability, high measurability of output, low asset specificity and high task repetition (Langfield-Smith & Smith, 2003, p. 286). Within this pattern, no additional control mechanisms are required due to the presence of common market mechanisms. The market mechanisms act as control mechanisms. The environment is of little interest here since alternative suppliers are plentiful and the costs for switching parties are low. Trust is therefore also of no relevance. Secondly, the bureaucracy based pattern fits contracts characterised by high task programmability, high output measurability, moderate asset specificity and low to medium repetitiveness (Langfield-Smith & Smith, 2003, p. 286). Due to the low uncertainty in the transaction environment and a predictable future, control mechanisms will be prescriptive and include a clear set of rules of behaviour and strict performance targets. This will be captured in detailed contracts which are used to monitor the agents' performance. Finally, the trust based pattern fits contracts characterised by low task programmability, low output measurability, high asset specificity and are generally not highly repetitive (Langfield-Smith & Smith, 2003, p. 286). In this case the environment is highly uncertain and risky, thus trust becomes the dominant control mechanism. Using trust as the main control mechanisms also reduces the risks which accompanies the high asset specificity. Trust is divided in three different types in this model. Contractual trust is based on the moral standard of honesty and rests on the assumption that both parties will honour the contract. Competence trust is based on the perception of a partners ability to perform according to the contract. Goodwill trust is associated with integrity, responsibility and dependability (Langfield-Smith & Smith, 2003, p. 285).
Shortly put, in a market based pattern general market mechanism will supply the necessary control mechanisms. In a bureaucratic based pattern the main control mechanisms are bound to behaviour and output. In a trust based pattern, the three types of trust are used as control mechanisms.
15 As we have seen in the theoretical exploration for this research, critical infrastructure consists of those systems and assets which are deemed vital to society that its incapacity or destruction will have a major impact on various sectors and the operating of society itself. Because of this, the protection of these systems can be deemed a matter of national security. When the public party wants to employ private parties to protect these systems, it can use two different ways to do so. Firstly, it can engage in a public private partnership which could heighten effectiveness and share risks, costs, and potential profit with the private party, but also provides potential risks due to unaligned ideas and conflict of interests. The second option is outsourcing, which provides the possibility of having access to more expertise, heightened efficiency and a possibility for the public party to focus on core competencies. On the other hand, outsourcing could also potentially pose risks such as hidden costs, security issues and a dependency on the private party. Control, however, is easier asserted over outsourced projects than over public private partnerships due to the principal-agent relationship instead of the partnership which puts both parties at the same level. Because of this, outsourcing allows the public party to lay out a clear blueprint of what needs to be done and set up control mechanisms in order to counteract potential risks.
Control can be assessed in various ways but in this research the model of Langfield-Smith & Smith (2003) will be used. The model of Langfield-Smith & Smith (2003, pp. 288–289) allows this research to analyse the case more systematically than other theories would. The control theory as laid out by Rustagi (2004, p. 36) is aimed predominantly at the interaction between control and the transaction environment, in order to assess the level of outsourcing success. This does not allow for the same in-depth review of control mechanisms as the model of Langfield-Smith & Smith (2003) does. In this model, there are three different patterns which can be seen for the provision of control mechanisms. In the first pattern, the market based pattern, control mechanisms will be supplied by the market mechanism itself and no additional mechanisms are required. In the second pattern, the bureaucratic pattern the control mechanisms are bound to behaviour and output, it provides clear demands which need to be met. In the third and final pattern, the trust based pattern, control is developed over time, and is based upon perceptions of the performing party before and during the contract. Through the model of Langfield-Smith & Smith (2003) a deeper understanding of the interaction between the public and private party can be achieved.
16
3. Methodology
Type of research
The research will consist of a single case study. In this format we are able to study the subject into depth within the provided length of the thesis. By utilizing the case study method it is possible to focus more on the dynamics of the way control is asserted by the government. Furthermore, it allows us to set out the context and the chronological order which are key to our case.
Case Selection
This research will compromise a single case study of Fox IT and specifically the takeover by the UK based firm NCC group. This case has been selected because the takeover was a wakeup call for the ministry of Defence and resulted into various attempts to regain and strengthen control of these kind of outsourcing contracts. For the selection of a case it is necessary to abide by a set of boundaries and characteristics as set out by Bellamy & Perri (2013, p. 103). By looking at the situation before and after the takeover, it can be clearly laid out if and how the ministry of Defence may have altered its way of asserting control over outsourced contracts of this matter. By doing so we have set out clear boundaries for our case as described by Bellamy & Perri (2013, p. 103). Secondly, following the characteristics which a case should entail as stated by Bellamy & Perri (2013, p. 103), this case is sufficiently complex which enables us to analyse the interacting forces and, due to the timeframe in which this case takes place, is bound in such a way that a clear change of the phenomena can be examined.
Method of data collection
Data will be collected through publicly available documents. The ministry of Defence, being a public party, has to be transparent to a certain degree about their tendering process. This will provide the data required to build the set of prerequisites which will allow us to select the appropriate pattern. An important document in this process is the 'Algemene Beveiligingseisen voor Defensie Opdrachten 2017' (ABDO), the General Security Demands for outsourcing of ministry of Defence contracts. Alongside this, various sources of newspaper articles, statutes and parliamentary reports, among others, will provide the additional data needed to answer the central question posed in this research.
17 Method of data analysis
The control asserted by the ministry of Defence over Fox IT will be analysed by using the conceptual model as laid out by Langfield-Smith & Smith (2003). The characteristics of the transaction or contract will be examined, the transaction or contract environment will be laid out and the selection of parties will be laid out. By looking at the prerequisites with which the ministry of Defence operates when setting out the outsourcing process, we can gain an understanding which pattern, as laid out by Langfield-Smith & Smith (2013) this process mostly resembles. Further analysis will then be done to see if the matching control mechanisms have been set in place by the ministry of Defence and, if applicable, which other measures have been taken. A conclusion can then be drawn if the ministry of Defence is relying solely on one of these patterns or that extra or less mechanisms have been used. By looking at the case-study step by step following the three different areas for the three different patterns, we can see if and how the contract with Fox IT matches any of the three distinct patterns. First, the characteristics of the transaction, the transaction environment and the parties will be laid out. Secondly, we will take a look at control mechanisms in place and how these are organized. Finally, we will take a look at how and if trust played a role in the contract and how this is used to achieve (more) control.
Limitations and addressing them
By design a single case study has clear limitations. The most prominent issue with single case studies is that they don't tend to lend themselves for easily generalizable outcomes because it doesn't analyze large volumes of data or large numbers of cases (Bellamy & Perri, 2013, p. 105). However, this is not the main goal of this research. The research delves into a single case to show how the ministry of defence have reacted to the wakeup call which was the takeover of Fox IT by a foreign firm. It also allows conducting a more thorough research of this case than a multiple case study design would have. A second issue brought up is the reliability and replication of this research. Since this research will draw upon publicly available document the same case can be looked at by everyone. By clearly portraying the data collection, the steps taken and the sources used, attempts are made to counter this limitation. The final limitation, which also can be considered the most important is the secrecy surrounding the case. The finer details of the contracts will not be disclosed by either party due to their sensitive nature. This research attempts to provide the picture as clear as possible by using various open source documents. However there is no contesting the fact that simply put, not every detail will be known.
18
4. Fox-IT
For the case study we will take a look at Fox-IT. This company, which was founded in 1999 as a consultancy bureau for forensic expertise, turned its attention to cybersecurity and caused a stir in Dutch politics and society in 2016. When a British company, NCC group, took over Fox-IT, fears for the national security arose. How could it be that a company providing cybersecurity caused such a controversy? In order to provide a quick and clear overview of the case, a timeline has been added below. The timeline will help understand the order of events which took place in the case.
NCC-Group takes over Fox-IT.
When Fox-IT was taken over by British software and cybersecurity company NCC-group in November 2015, it was not initially taken as something unusual. Companies are often taken over by other companies and, in this case, it was published as a great chance for Fox-IT to be able to provide better services due to the bigger amount of resources now backing the
1999 •Founding of Fox IT as a consultancy bureau for forensic expertise.
2003 •Fox IT takes over Philips Crypto in order to focus on cryptography for the Dutch government
2006 •ABDO 2006
2015 •Take over Fox IT by NCC Group
2017
•Government demands influence in Fox IT and specifically Fox Crypto •ABDO 2017 comes into effect
•All government contracts, running and new are brought under Fox Crypto, which has been detached from Fox IT
2018 •Statutory changes Fox Crypto which complies with most of the demands by the Dutch government
2019
•New partnership Fox IT and Ministry of Defence in order to consolidate the development and availability of crypto-products for long term use.
19 company (Soeteman, 2015). However, due to the contracts which the company performs for the Dutch government, this takeover turned out to be no ordinary one. Fox-ITs' encryption department is responsible for the encryption of sensitive data for the Dutch government and military since the takeover of Philips Crypto in 2003. The takeover by a foreign company could potentially result in national security risks.
Several members of parliament feared the potential risks which accompanying the takeover and asked questions to the Ministers of internal affairs and Defence. Dutch minister of internal affairs Plasterk stated in response to questions of members of parliament that there was no direct risk following the takeover by NCC group. This is because the part of the company that develops and executes security products for the Dutch Government is based in the Netherlands. Therefore, Dutch law regarding the protection of state secrets applies directly to personnel, materials, information and the physical location of the company is protected. Contractually, specific security demands are placed on every private company which are aimed at the prevention of unwanted access to sensitive information. Furthermore, the Dutch government applies strict oversight of these legal and contractual obligations (Tweede Kamer 2016/17, 1350). As an extra measure, in reply to questions posed to the ministers of Defence and internal affairs by two members of parliament, it is revealed that the MIVD (the Dutch military intelligence agency) has issued extra demands to Fox-IT, in addition to the demands placed by the ABDO 2006 (Tweede Kamer 2017/18, 102).
Algemene Beveiligingseisen voor Defensieopdrachten (ABDO) 2006
A key document in assessing this case comes from the ministry of Defence itself. Every party that wants to take on a contract from the ministry of Defence has to abide by the 'Algemene Beveiligingseisen voor Defensieopdrachten', General Security Demands for Defence
contracts', or ABDO. This set of demands lays out the security demands from the ministry of
Defence to companies which deal with special information. The Military Intelligence service is in charge of checking if companies abide by these demands and this certificate is subjected to new control for every new contract.
Since before the takeover by NCC group, Fox IT has to abide to the demands as placed in the ABDO 2006 (“Algemene Beveiligingseisen voor Defensieopdrachten 2006,” 2006). This document consists of 57 demands, divided in sections for the physical location, the
20 organisational structure, personnel and handling of the information. It is primarily aimed at the physical level of security, and placed guidelines for the storage, division and the availability of the information to both in and outsiders. The physical level of security entails that the information is stored in such a way that only cleared personnel is able to handle it on a 'need to know' basis, reliability of IT systems is warranted and that the physical security measures meet the demands of the ABDO. Deviation of these demands is only allowed after approval by the MIVD (“Algemene Beveiligingseisen voor Defensieopdrachten 2006,” 2006, pp. 6–7).
Organisationally, the company is responsible for the security of the company and the information which it handles. A security policy is determined and the contracted company needs to appoint a security official which assumes responsibility for the security to the board. This security officer makes sure that the information is handled in accordance with the security demands and routinely, at least once a year, reviews and reports this to the MIVD (“Algemene Beveiligingseisen voor Defensieopdrachten 2006,” 2006, pp. 7–8). Furthermore, personnel which handles sensitive information must have a security clearance in the form of a 'non-objection-certificate' obtained from the ministry of Internal Affairs. Should the operation be conducted on military installations and/or military bases then this clearance is obtained through the ministry of Defence. Prior to this clearance a screening is conducted by either the AIVD or the MIVD, depending on which ministry grants the security clearance (“Algemene Beveiligingseisen voor Defensieopdrachten 2006,” 2006, pp. 8–9).
Two important elements of the ABDO 2006 for the case of Fox IT are guideline 48 and 50 (“Algemene Beveiligingseisen voor Defensieopdrachten 2006,” 2006, pp. 14–15). Guideline 48 deals with 'changing circumstances'. It states that the contracted party is obliged to notify the Dutch Military Intelligence (MIVD) immediately should there be, among other things, a change of name of the company, planned cooperation with other parties, election of new board members, a change in ownership of company shares or a change in influence into the company. If the MIVD deems the issue a risk for the sensitive information which the company is dealing with, then it could decide to one-sidedly terminate the contract. The MIVD will retrieve all the sensitive information and the contracted company is obliged to cooperate. Guideline 50 concerns foreign ownership and/or influence. Similarly to guideline 48, the MIVD needs to be notified immediately once something changes in the company. The guidelines deals specifically with the planned election of non-Dutch nationals to the board, intent of foreign parties obtaining more than 50% of the shares of the company, future shifts
21 of influence within the company to foreign parties and intent to cooperate with foreign companies.
Fox-IT has met the demands as laid out in the ABDO 2006, at least as far as the publicly available documents show. If they had not met the demands beforehand, they would not have received the contracts. Furthermore, the MIVD was notified before the takeover took place as demanded by guideline 48 (Tweede Kamer 2016/17, 1351), at which point the MIVD laid out additional demands.
Dutch government demands influence
In January 2017 Dutch newspaper NRC reported that the government demands influence in the operations of Fox IT and specifically Fox Crypto (Jorg Leijten & Rosenberg, 2017). It is no surprise that the Dutch government demands a say in companies responsible for the contracts which have to do with high risk data. According to the article, should Fox IT not agree with these terms then they risk losing the contracts they have been fulfilling. Key in these demands is that all current and future contracts should be brought together and conducted by Fox Crypto, and that this branch is not to be fused, split, dissolved or even be assigned new directors without a clear permission of the ministry of defence. Furthermore, the government demands statutory changes providing the first right of purchase of stocks from the company by the government (Jorg Leijten & Rosenberg, 2017).
One and a half years after the takeover by NCC-group, the Dutch government still had no say in Fox-Crypto. Although Fox did bring all its contracts with the government to Fox-Crypto, which has been detached from the rest of the organisation, the statutes still had not been changed and the demands of the government had not been met. The government demanded that Fox-Crypto would not be sold, fused, divided or that new board members were installed without approval from the ministry of defence. This demand was later toned down to informing the ministry prior to any of these changes in the company (Dieleman, 2017). Furthermore, legal possibilities to protect the national security are under investigation as stated in the letter from the Minister for the department of Defence on the 22nd of May 2017 (Blok, 2017).
22 The minister of Defence states that the negotiations between Fox-IT and the ministry of Defence are beneficial for both parties and are, as of October 2017 coming to a conclusion (Tweede Kamer 2017/18, 102). Importantly so, because the knowledge and technical abilities to be able to fulfil certain contracts can only be found in highly specialized, private companies. Although the Dutch government does not have the expertise to perform these tasks themselves, they do have the expertise to assess and control the development, security and quality of these products. There is a limited number of companies in the Netherlands which are able to provide security products.
Algemene Beveiligingseisen voor Defensieopdrachten (ABDO) 2017
During these negotiations between the Dutch government and Fox IT, a new key document was released. In 2017 the "Beveiligingseisen voor Defensieopdrachten", or ABDO, was renewed with a larger focus on the field of cyber and this version replaces the older set of demands from 2006. The renewed document consists of four different areas in which the company needs to meet the demands set out, and covers the Cyber and Physical areas as well as staff and board and the organizational structure itself. The first section, dealing with the organisational structure, remains largely the same as in the ABDO 2006. It also places responsibility of the security with the company and a security official needs to be appointed.
The second section, dealing with the staff of the company, is aimed at achieving a certain amount of security that a person working for the company will not undertake any efforts which could harm the well-being of the military sector. This is not aimed at the physical level, which is discussed in the third section, but rather a set of demands for the reliability of staff dealing with sensitive interests (Algemene Beveiligingseisen voor Defensieopdrachten, 2017, p. 17). These demands revolve around two main certificates; the non-objection certificate and the certificate of conduct. The latter of these is less thorough and intrusive and can be handled by the Ministry of Justice and Security rather than the ministry of Defence (Algemene
Beveiligingseisen voor Defensieopdrachten, 2017, p. 17). The Non-objection certificate is
issued by the MIVD and is only given after a full investigation into the member of staff. These two certificates act as a security clearance for both personnel and board members. Without a certificate, a member of staff is not allowed to handle any information dealing with the contract. Furthermore, these certificates need to be renewed every five years or when
23 deemed necessary due to, for example, a change in the personal sphere of the employee. Next to this, the employees have to agree to non-disclosure agreements, Non-Dutch nationals are to be placed in confidential positions only after this investigation has been conducted and on certain positions non-Dutch nationals are not allowed at all.
The third section of the ABDO touches upon the physical level of security, which relates to storage, processing and/or transport of the protected interest and is subdivided in four sections. Firstly, the organisational section is aimed at preventing illegitimate access to the protected interest. Secondly, the electronic section is predominantly aimed at the timely signalling of potential illegitimate access. Thirdly, the architectural section should delay a potential illegitimate access in such a way that timely intervention can take place by either protecting party. This intervention is the fourth section, which at all times should be able to take place before the protected interest can be compromised by the illegitimate access. In each contract the strictness of the prescribed demands is evaluated in comparison to the nature of the protected interest by the military intelligence agency.
The fourth section is where the demands for the cyber domain are laid out. This does not only include the IT-infrastructure but also the complete set of activities which are made possible by or making possible, the infrastructure, including company operations. This part is the most extensive of all four sections, and is globally similar to the ISO27K2 set of standards, albeit adjusted to the security policy of the ministry of Defence. Each company dealing with the contracts is to assign a 'cyber-official' which oversees the activities within the company in light of the contract and the measures taken to protect this. This official is also the contact for the Military Intelligence Agency with regards to the cyber domain (Algemene
Beveiligingseisen voor Defensieopdrachten, 2017, p. 33). The list of demands for the fourth
section spans 20 pages of the document, whereas the first section only spans six. These demands are all aimed at making sure that no one other than the assigned personnel can access (parts of) the protected interest, and ranges from having a company policy dealing with cyber security to the authorisation of suppliers by the MIVD.
2
The ISO27K Set of standards are published by the International Organisation for Standardization and the International Electrotechnical Commission. The set of standards is a series of best practices and explain how to implement an information security management system (ISMS). An ISMS is a systematic approach to risk management. Companies can be audited and certified with these standards.
24 Statutory changes
On the 4th of April 2018, the statutes of Fox Crypto B.V., the party responsible for the encryption of secretive data for the ministry of Defence, were altered. Most importantly, statute 7.3 discusses the compulsory provision of information to the state by shareholders when they receive information of a transfer or obtainment of say in the company. In case of a planned transfer or planned obtainment of shares, the shareholders need to inform both Fox Crypto and the State at least 28 working days in advance (Akte van statutenwijziging Fox
Crypto B.V., 2018, pp. 4–5). Previously, the company did not have this contractual obligation,
they were only obliged to notify the ministry as the ABDO 2006 demanded. Before the takeover by the NCC group, Fox-IT was not obliged to notify the NCTV, however, the ministries of internal affairs and defence had been notified. Generally speaking, there was no legal way to stop these kinds of takeovers from happening before the statutory change (Tweede Kamer 2016/17, 1351).
Furthermore, it is mentioned in statute 8.1.2. that all (potential) directors need to have obtained a declaration of no objection of fulfilment of a position by that person in light of national security. This declaration is given after an investigation by the AIVD which looks at any potential criminal record, ties or support to activities parties which threaten national security and the democratic system and any other behaviour or circumstances which could potentially result in disreputable course of action in the position. This ties into the 'Wet veiligheidsonderzoeken' from 1996 (Stb. 1996, 525), and by this demand the government has the final say in the selection of candidates for a position as a director. In 2019 Fox IT and the Ministry of Defence engaged in a new strategic partnership in order to consolidate the development and availability of cryptography for long term use (Fox-IT, 2019).
Looking back at the demands which were placed by the ministry of Defence on Fox IT, it is clear that the ABDO 2017 places very similar demands. Future projects will have to meet the same demands, and more, as the ministry of Defence placed on Fox IT. The running contracts at Fox Crypto were still under the ABDO 2006 version, the current ABDO 2017 is stricter than its predecessor. In the case of Fox-IT however, because of the extra demands which were imposed by the MIVD and the statutory changes, the contract of Fox-IT is now even more strict than the demands of the renewed ABDO 2017. Key in both the ABDO 2017 and the extra demands by the MIVD is the security clearance, through which direct influence can be
25 exerted. This places the influence at the direct discretion of the MIVD, who can decide who is able to fulfil influential positions in the companies which are subjected to the ABDO 2017.
Laying out the case of Fox-IT has provided an insight in how the Dutch government attempts to remain in control of outsourced contracts. It shows how the security demands, which are placed on private parties, have been altered over time and how the older demands have been updated for Fox-IT. Because the contract with Fox-IT was still under the 2006 version of the ABDO, the renewed and additional security demands were placed through statutory changes within the company itself.
26
5. Analysis
To properly analyse the case which has been laid out in the previous chapter, we will look back at the conceptual model of Langfield-Smith & Smith (2003). The first area which is being examined is the transaction, which consists of the characteristics of the transaction itself, the transaction environment and parties involved. Secondly, the control mechanisms which are in place according to the model. Thirdly, the role of trust in achieving control over the outsourced contract. By going over the case by looking at the different areas, it will become clear if and how the Dutch government is following any of the patterns.
Transaction
The first area of the model deals with the Transaction. This area consists of the characteristics of the transaction, the transaction environment and the parties involved. Within the characteristics of the transaction, it looks at the task programmability, the asset specificity and demands which are placed upon the parties partaking in the outsourcing of the contract.
Programmability
Task programmability is the way the course of a task can be pre-determined. If the company is able to lay out, in advance, what needs to be done in order to successfully execute the task, then the programmability is high. However, if it is impossible to asses beforehand what needs to be done in order for the task to be executed successfully, then the programmability is low. Due to the nature of the contract and the expertise of the company, the encryption of sensitive information, Fox-IT is largely able to lay out a step-by-step program before the start. This would indicate high task programmability. However, due to the developments in IT the company is ever-adapting to new threats, issues and potential problems. The process is therefore not as straightforward as being able to decide it step-by-step. The programmability of this task is therefore neither high or low and hovers somewhere in the middle. The programmability of the task in the case of Fox-IT can thus be placed in all three outsourcing control patterns.
Asset Specificity
Asset Specificity is the extent to which a certain asset, such as hardware, can be reused or repurposed after the task is completed, without loss of production value. Due to the
27 behavioural control guidelines laid out in the ABDO 2017, the assets which are used in the management of the contract tend to be made specific. The hardware, such as servers, can be wiped and reused without a loss of production value. However, due to the nature of the data stored on them this is highly unlikely and would pose significant security risks. Furthermore, a lot of extra assets need to be created specifically for this contract in order to meet the requirements as laid out by the Dutch ministry of Defence, not only physically, but also protected digital infrastructure. Due to the potential reusability, asset specificity could be deemed moderate. This would tie it into the bureaucratic based pattern. On the other hand, due to the extra assets which need to be created specifically for the contract, the asset specificity could be classified as high. This would tie the asset specificity into the trust based pattern of outsourcing control. Since the creation of new assets specifically for the contract poses a higher value than potential reusability, the asset specificity of the Fox-IT case can be associated with the trust based pattern.
Transaction Environment
In the case of Fox-IT, institutional factors deeply influence the relation between the outsourcing party and the contractor. For example, after the takeover by NCC group, the Dutch government started an investigation in to what extent the takeover would have consequences for the Dutch national security and the protection of sensitive data (van Voorst, 2016). Furthermore, the Dutch government is also influencing the management of the company itself as they ask for more influence in the crypto-department of the company after the takeover (Verlaan, 2017) in order to protect state secrets. It is clear that these institutional factors play an important role in the environment of the transaction and the possibilities for the Dutch Government to consolidate control. A strong institutional influence in the contractual rules and the relationship ties in to both the bureaucratic based pattern and the trust based pattern. This section ties into the bureaucratic pattern with the high market risks and strong institutional factors, such as the demands as laid out by the ABDO, which influence the contractual rules. Furthermore, it also ties in with the unknown future contingencies, high market risks and influential institutional factors on the relationship between the public and private party of the trust based pattern. However, due to the emphasis on contractual rules by the ABDO 2006, and the statutory changes of Fox Crypto which follow the demands of the ABDO 2017, the bureaucratic based pattern is marked as the followed pattern in the transaction environment.
28
Parties
When asked if there are alternatives to Fox IT which are fully under Dutch control, without any external private interference, the reply is that there are a limited number of suppliers available for these types of security products (Tweede Kamer 2016/17, 1350). The competence reputation and the limited number of available parties ties in to the characteristics we can assess in the trust based pattern, as laid out in the theory from Langfield-Smith and Smith (2003). However, due to the demands which are placed on potential contractors in the ABDO 2017 (and in this case also ABDO 2006) before they're even considered for a contract, the bargaining power is very asymmetric. This is directly linked to the Bureaucratic based pattern in the model by Langfield-Smith & Smith (2013).
The Transaction area of in the case of Fox-IT already shows that it is not easy to place it directly in to one of the three patterns. The transaction environment, with high market risks, and a strong influence on the relationship by the institutional factors allows our case to be found in both the Bureaucratic and the Trust based pattern. However, the characteristics of the parties involved, especially the asymmetry in bargaining power, place the followed path in the Bureaucratic based pattern of achieving control.
Control mechanisms
The second area of the model deals with the control mechanisms which are in place. This takes into account the behavioural and outcome controls and the provisions set out in the contract. Although we can not subject the original contract itself to investigation, the demands which were placed on Fox IT in 2017 make it clear that additional control mechanisms were put in place after the take over by NCC group. First, we will take a look at the statutory changes of Fox Crypto before looking at the ABDO 2017 document which can be seen as an extensive version of these demands for new projects and a renewal of the 2006 document.
Statutory Changes
On the 4th of April 2018 the status of Fox Crypto were altered. The key alterations for this research are the security clearance, the 28-day notion and shareholders influence. It is mentioned in statute 8.1.2. that all (potential) directors need to have obtained the appropriate security clearance in light of national security (Akte van statutenwijziging Fox Crypto B.V., 2018). This clearance is given after an investigation by the AIVD which looks into any
29 potential criminal record, ties or support to activities parties which threaten national security and the democratic system and any other behaviour or circumstances which could potentially result in unreputable course of action in the position. Although there is no mention of the first right of purchase by the government in the revised statutes as demanded by the government (Verlaan, 2017), the addition of the security clearance to the statutes does imply a clear control mechanism. It is clearly a behavioural rule, focussed on the possibility of direct intervention by the outsourcing party, in this case the State. This control mechanism is a clear example of the types of control as stated in the bureaucratic pattern in the conceptual model of Langfield-Smith & Smith (2003).
The aforementioned alteration of Statutes counters the two potential hazards which the private partner could pose for national security. Firstly, by demanding a 28 working-day notion of a potential transfer or obtainment of say in the company, the influence a shareholder could secretly obtain to alter the statutes and make future take over's, divisions or outside influence into the company is tackled by giving the government the time to react to these matters. Secondly, by keeping the influence by shareholders in the open, it diminishes the potential for the election of 'unwanted' members into the board of directors (Bulten, de Jong, Breukink, & Jettinghoff, 2017, p. vi).
Shortly put, due to the alteration of the statutes the government has received a decisive say in Fox Crypto which is aimed to exert control and to keep unwanted influences away. Because these controls are not developing over time but rather instated top-down, it ties in directly to the Bureaucratic based pattern of control. It also highlights the asymmetrical bargaining power of the private party as the transaction characteristics of this pattern imply.
Control mechanisms
In terms of rigid behaviour controls, it is also important to look at the 'Algemene Beveiligingseisen voor Defensie Opdrachten' or ABDO, both the 2006 version and the renewed 2017 version. This document, which sets out the requirements which must be met for parties dealing with contracts for the Dutch military, is thorough (Algemene Beveiligingseisen
voor Defensieopdrachten, 2017). If a party does not meet these requirements, it is not
accepted as a potential candidate for a contract. This classification is reviewed before every (new) assignment. Broadly put, the Dutch Military Intelligence Service (MIVD) examines if a party meets the requirements, employees dealing with classified information are screened, and an employee is assigned as the Cyber-official which is the contact with the MIVD. In terms of
