The working of Public-Private Partnerships for the cyber security of Dutch Critical Infrastructure

(1)

The working of Public- Private Partnerships for the cyber

security of Dutch Critical Infrastructure

A comparison between the functioning of the PPP in the Dutch critical energy-

and telecom sector

Master Thesis

Program: MSc Crisis and Security Management, Leiden University Student: Floris Baauw, BSc

Student number: s1429191 Date of admission: 2018-06-10 Word count: 23332 words

Thesis Supervisor: Dr. Vlad Niculescu-Dinca Second Reader: Mr. Sergei Boeke

(2)

Preface

In front of you is my master thesis, the final assignment before completing my study Crisis and Security Management at the University of Leiden. In this research I have dealt with the question of what the public-private partnerships currently add to the cyber security of the critical infrastructure in the Netherlands.

The graduation process generally went smoothly, with a number of bumps along the way. My initial research design was not entirely focused on public-private cooperation, but on chain dependency and the problem of that for the cyber security of the critical infrastructure. Because of the complexity of this subject and the limited time available, after some doubt, I decided not to do this and I changed the subject. In addition, it was a challenge to find respondents prepared to tell about the cooperation in the area of cyber security. The fact that this end product is now in front of you indicates that I have overcome these 'setbacks'. I therefore experienced this graduation project as a very instructive and challenging process. I am grateful for the support and interest I received from many people during this research. During the bumps I encountered on the way, I had support from both dr. V. Niculescu-Dinca and Mr. S. Boeke. In this way, I would like to thank you both for the directions, critical feedback and practical help in finding respondents. In particular, I would like to thank L. Baauw for his input in this study and his help in finding other respondents for the research. Finally, I want to thank my wife, family and friends for their support during this research.

I wish you a lot of fun reading this thesis!

F. Baauw

(3)

Abstract

Cyber security is the new big threat for states and organizations. Public and private actors need to cooperate in order to keep up and stay secure. Public- private partnerships (PPP) seem like the perfect solution for cooperation between the parties.

This research aims to give insight in the current PPP for the cyber security of the Dutch critical infrastructure. With this insight, recommendations can be done for the future shaping of the PPP in the Netherlands.

In the first part of the research, the context of this research is introduced by giving inshight in the cyber security challenges that threaten the critical infrastructure and, in particular, the energy and telecomsector. Following that, in the second chapter the theoretical concepts belonging to PPP and cyber security are introduced and explained. After that, these theoretical concepts are combined in the methodological framework in the third chapter. In the fourth part of this research the case of the Dutch critical infrastructure is further explained to give more context for the analysis of the cases in chapter five. This analysis focuses on the form of the current PPP and the possible positive and negative effects caused by this cooperation. The conclusion of this research suggests that PPP work best for cyber security if they are based on a horizontal hierarchy and mutual dependency. It appears that the telecom sector is more improvising at this point, but both the PPP in the telecom and energy sector can still improve. The current division of the PPP also seems to be out of date, since smaller critical organizations cannot join the PPP. Taking all of this into account, the main finding of this thesis is that PPP have positive effects on the cyber security of critical infrastructure, but there is still improvement possible. Next to that, the complexity that cyber security brings to the critical infrastructure playfield calls for a more decentralized approach from the Dutch government.

(6)

1. Introduction

Cyber security is a subject that is getting higher and higher on the international agenda. Some see it as the new form of warfare (cyberwar), others as an inexpensive way for malicious individuals to cause much damage. Because systems are increasingly being digitized in all layers of society, there are targets for cyber attacks everywhere. A much-discussed sector in this matter is the critical infrastructure (CI) (NCTV, 2018).

The energy sector and the telecom sector are part of this critical infrastructure. When organizations are sabotaged by a cyber attack within this sector, this can have major consequences for the continuity of energy- or telecom organizations.

In 2015, things went wrong in this area in the Ukraine. Through cyber espionage, hackers managed to gain access to a power plant of Ukraine through malware (Dutch Cowboys, 2016). This malware is also called 'BlackEnergy', which gave the hackers access to the systems of the Ukrainian powerplant. Subsequently, because of that opening made possible by BlackEnergy, a killdisk was installed. The killdisk was aimed at turning off the systems of the powerplant at any time. These systems could not be switched on anymore, because the kill disk adjusts the executive programming arbitrarily. The 'BlackEnergy' malware had already been used against the Ukraine, at the time of the elections in 2015. However, the variant that was now used was fully adapted to the systems used by the energy company. Eventually, more than 700,000 people had no power for a number of hours and at the same time several other power plants were also attacked by cyber criminals (Dutch Cowboys, 2016).

In the Netherlands, cyber espionage and cyber attacks are seen as a potentially big problem for the future (NOS.nl, 2018). The Netherlands is an international hub in the digital field and therefore also a possible target for cyber attacks. The director of the Dutch intelligence service, the AIVD, is therefore worried. According to him, cyber attacks are easy to make, because they are cheap and relatively easy to implement (NOS.nl, 2018). The AIVD is therefore worried about the possible negative consequences for critical infrastructure. Situations as those occurred in the Ukraine in 2015 are not inconceivable in the Netherlands. Despite the fact that organizations try to make themselves as resilient as possible in the area of cyber security.

A clear example of this in the telecomsector are DDoS attacks targeted at telecomproviders, such as VodafoneZiggo. In 2015 VodafoneZiggo was hit by a major DDoS attack, causing a disturbance in the internet availability of more than two million of their costumers. The malfunction eventually lasted almost a whole day. The day before, VodafoneZiggo had already been hit by a DDoS attack, but it was not as big. Companies such as VodafoneZiggo

(7)

can thus be attacked in a short time several times with, for example, a DDoS attack, without the company being able to prevent this. The result is a malfunction that causes two million of VodafoneZiggo's three million customers to have no internet during a 12-24-hour time span (RTL News, 2015).

For this reason, among other things, the call for cooperation within and between sectors is increasing. The government facilitates this cooperation in the Netherlands through the National Cyber Security Center (NCSC). This enables critical infrastructure organizations to collaborate in Information Sharing and Analysis Centers (ISACs). Private organizations themselves also come up with initiatives to jointly make cyber security solutions or use the expertise of specialized companies to cover themselves. Yet, experts still call for more and more intensive collaboration in the area of cyber security (NOS.nl, 2018). For example, in the field of DDoS attacks, they argue for a national firewall. Organizations no longer only need to increase their resilience against such attacks, but can also make use of the joint resilience made possible by cooperation (NOS.nl, 2018). So, there is already collaboration in the field of improving cyber security for the critical infrastructure in the Netherlands, but experts are calling for even more and more intensive collaboration and the public-private partnership (PPP) to improve (NOS.nl, 2018 ). Apparently, it is still possible to make the collaboration better and more intensive and to increasingly converge the goals of the public and private organizations. If this does not happen, there is a chance that the collaboration will be used to achieve an organization’s own goals and not to improve safety throughout the sector.

This research will therefore look at the current PPP for the cyber security of the critical infrastructure. This will identify what PPP currently are and in which form they are set up. In addition, consideration will be given to all problems that exist in the field of PPP. The focus will be on the energy sector and the telecom sector.

Both sectors are part of the critical infrastructure, as determined by the NCTV (NCTV, 2018). The telecom sector and in particular the 'cloud suppliers' are, according to the ‘cyber security image’ of the NCTV (2017), a forerunner in the field of cyber security. They are highly self-organizing and self-reliant, because their core business is the provision of cyber security sensitive services. For that reason, there seems to be a different dynamic than in the energy sector, where there is already cooperation, but fewer actions are taken on their own initiative. A comparison of the PPP in both sectors can therefore give interesting results and lead to recommendations with regard to the current cooperation.

(8)

Relevance

The current research in the field of PPP in the cyber security sector of the Netherlands is still scarce. That is one of the reasons why the Cyber Security Council (CSR) in the Netherlands called for research into the various critical sectors, the risks in those sectors and the measures that have to be taken. At this moment scientific literature has an abundance of literature in the area of PPP. However, these studies rarely encompass the cyber security sector, but mostly to other sectors (Koppenjan, 2005 ; van Ham & Koppenjan, 2001 ; Kempenaar et al, 2017). The few studies that do (partially) address this problem are mainly exploratory, or still broad, and call for further research in this sector (Boeke, 2017 ; Carr, 2016). That is why, at this moment, there is a research gap in the field of PPP combined with cyber security in the Netherlands. Research into this particular topic can give new insights, adding to the existing literature and also give recommendations for further research. In general the cyber security literature is still in need of general definitions, theories and concepts. The existing theory on PPPs needs to be tested to see whether or not it applies to cyber security issues. That is why research that focuses on a concept of cyber security is relevant for the evaluation of the field.

Apart from the call for scientific research into this topic, it is clear that CI organizations are essential for society. CI organizations are organizations in the energy sector, telecom sector, financial sector, water sector and health sector, appointed by the government. In general, the products and services they provide are essential for the functioning of the individual and society and if these organizations fail, the implications for society are high. The NCTV identifies four categories that are affected by disruption of the critical infrastructure: economical consequences, physical consequences, societal consequences and cascade consequences (NCTV, 2018). This means that disruption of services causes economical damage, since it will cost money. Moreover, people can die as a consequence of disruption of services, for instance people in hospitals when power runs out. A crisis like this can also affect people emotionally; thus, a societal consequence. Cascade consequences can mean that the disruption of energy supply stops the services of another CI sector, such as financial institutions or telecom organizations. This points at the fact that, due to digitization, CI organizations are increasingly depending on the functioning of their chain and other sectors. Due to the emergence of the 'internet of things', this dependency only gets bigger. It is therefore important that cyber security is adequately adressed throughout all sectors. At the moment, government and private organizations already cooperate in PPP, but there are still calls for further and more intensive cooperation (NOS.nl, 2018). In order to guarantee the continuity of the CI, insights must be provided in the functioning of the PPP and the risk must be mapped, in order to prevent the failure of CI sectors.

(9)

Research question

The goal of the research is to provide a description of the PPP of critical infrastructure organizations in the energy and telecom sector in the Netherlands and to provide an insight into the form of cooperation that is used and the interpretation of the PPP; is there a difference between goals of public- and private organizations? What are the positive and negative effects for cyber security following the PPP in the two sectors? With this information recommendations can then be made with regard to the improvement of the PPP for the energy and telecom sector in the Netherlands.

To achieve this goal, the following research question is asked: what do the current PPP for critical infrastructure of the energy- and telecomsector in the Netherlands tell us about the working of PPP for the cyber security of these sectors?

The focus in this research is on the energy and telecom sectors in the Netherlands, specifically the delivery of electricity and Internet Service Providers (ISP’s).

Reading guide

In the continuation of this thesis, in the second chapter, a body of knowledge concerning cyber security and PPP will be introduced. In the body of knowledge concepts that combine cyber security and PPP will be further explained. Subsequently, in the third chapter, these concepts will be converted into a conceptual model, in order to make clear how the concepts will be used for the analysis. In the fourth chapter, the case description, the selected cases are then explained, so that they can be analyzed by means of the concepts from the theory in the fifth chapter. With the outcomes of this analysis, a conclusion can then be drawn in the sixth chapter, with regard to the research question and recommendations for further research and possible policy changes can be made.

(10)

2. Theoretical framework

In the theoretical framework the concept of cyber security and Public Private Partnerships will be discussed successively. The cyber security concept is discussed to define the research field by indicating what is meant by cyber security and what is relevant for the CI in the Netherlands. Subsequently, the PPP concept will be further explained, divided into the definition, different forms and possible positive or negative effects of PPP.

2.1 Cyber security

In order to carry out a research into the cooperation to enhance the cyber security of CI organizations in the Netherlands, it is important to first understand what is meant by cyber security in this research.

The definition of cyber security appears to be different for every state. The dynamic field of cyberspace causes the existence of multiple definitions and lack of consensus on this matter. Therefore, in this research the definition of the Dutch NCTV will be used when talking about cyber security. The NCTV, publicly responsible for cyber security, formulated the following definition: “Cyber security is being free of danger or damage caused by disturbance or loss of ICT or abuse of ICT. The danger or damage caused by abuse, disturbance or failure may consist of limiting the availability and reliability of the ICT, violation of the confidentiality of information stored in ICT or damage to the integrity of that information.” (NCTV, 2018). In this way the NCTV also includes ICT-failure (malfunction of systems) to be of influence to cyber security. Therefore, cyber security problems are not always caused by intentional malicious actions of criminals or terrorists.

For CI organizations, there are multiple cyber threats that can cause significant damage, such as: man-in-the-middle attack, DDoS attack, ransomware, fraud, state actors (CSBN, 2017). In order to protect themselves, organizations try to implement cyber security management into their bussiness management. To reach this, organizations use different forms of cyber security solutions to protect their infrastructure. Examples of frameworks that organizations use are ISO 27032, NIST and COBIT (Pereira, 2015)

The key to actually implement an effective cyber security approach as an organization depends on the extent to which the organization interacts with its environment and cooperates with relevant authorities. Besides the authorities, cooperation with other private organizations is also valuable for learning and understanding about cyber threats (Mentzer et al, 2001).

(11)

2.2 Public-private partnerships

Before giving an impression of the origin of the PPP in the Netherlands, the first question is what PPP are; is there a definition? PPP appear to be primarily a container concept (Sanders, 2014), for which no clear definition exists in literature. That is why in this research we opt for a definition that the PPP describes most clearly:

"A consciously entered into relationship between two or more organizations that, in view of a certain good, value or interest, enter into mutual obligations, in the expectation of achieving results that would not be feasible for each organization individually." (Keuter, MR, 2007)

Attention for the PPP in the Netherlands arose for the first time in the 1980s, when in the development of government policy one also looked at institutional connections. In this way, the concept of PPP was born (Sanders, 2014). Initially, the results of the PPP in the Netherlands in the 1980s were still disappointing, with the result that the popularity of these partnerships declined. Only at the end of the last century did the PPP flourish again in the Netherlands (Klijn & van Twist, 2007). Klijn and Teisman describe PPP as: "a more or less sustainable cooperation between public and private actors in which common products and / or services are developed and in which risks costs and revenues are shared" (in: Klijn & van Twist, 2007). In the literature with regard to PPP, the cost savings of PPP often come up as one of the reasons for entering into a partnership. Sanders notes that although this assumption is widely supported by academics, the question is whether cost savings are always achieved or necessary (Sanders, 2014).

The idea of a cost saving as a result of PPP stems from the dominant period of New Public Management (NPM) in the 1980s and 1990s. According to academics from this period, the government should focus more on developing policy and, in the area of implementation, have to take steps back, or cooperate more with the private sector. In this way, the efficiency and effectiveness of government policy would be increased. A well-known statement that fits this movement is: 'running government like a business' (Box, 1999). This means that public organizations need to function more like private organizations.

The separation between policy development and its implementation was applied in the form of privatization, market forces, privatization and outsourcing (Klijn & van Twist, 2007). The government then fulfils the role of principal and the private actors are the agents. The performance of private actors is monitored through performance management systems. This view of PPP is thus clearly based on the assumptions of the NPM (Klijn & van Twist, 2007).

(12)

In addition to the principles of PPP based on the assumptions of NPM / CNP, PPP also originate from a different body of knowledge. This concerns the literature with regard to governance and networks. This literature assumes that cooperation between parties can lead to the development of better policy. The interaction between public and private actors and the exchange of information that takes place then ensure that the qualities of both sectors can be combined. This would make more specialist information available for policy development. This view of PPP is therefore more focused on a horizontal form of cooperation. The parties depend on each other's expertise. In this case, horizontal coordination would lead to better policy, a higher degree of innovation and a more efficient implementation of the developed policy (Klijn & van Twist, 2007).

At the end of the 1990s, the emphasis in the Netherlands was mainly on PPP on the basis of contracts. The knowledge in the field of PPP was dominated mainly by the PPP Knowledge Center, which worked under the Ministry of Finance. The Knowledge Center found that the PPP often did not work optimally in the following years, or did not get off the ground at all. The reason for this was a lack of commitment from both public and private actors, a difference in goals and too small or too ambitious plans, with regard to PPP. The focus of the Knowledge Center was mainly on the financial benefits of PPP (Klijn & van Twist, 2007). The fact that good management of PPP is also important was not recognized. It was assumed that a PPPartnership will succeed if this partnership provides financial advantages and the right form of contract is chosen between the parties. Empirical research shows that this assumption often does not correspond with reality. According to Klijn & van Twist "... it appears that the way in which interaction processes are organized, the difficult choice of scope extension or narrowing, and ensuring an attractive content play a very big role." (Klijn & van Twist, 2007: 8).

(13)

2.3 Public-private partnerships in the security sector

The general attention paid to PPP in the Netherlands was mainly visible in projects relating to infrastructure and urban renewal, so that the focus often came to lie quickly on cooperation on the basis of a contract (Klijn & van Twist, 2007). In the security sector, co-operation between public and private parties also increasingly arose in the course of the 1990s. Over the years, the private security sector has grown strongly. PPP were mainly used in security situations that were characterized by the complexity of social problems (Montfort et al., 2012). In the area of safety, PPP are not so much used to achieve cost savings, although that is of course seen as a positive side effect. The focus is mainly on the most effective collaboration possible, which benefits innovation, knowledge sharing, service provision, the quality of policy and its implementation (Montfort et al., 2012). The growing demand for PPP in security care would have been caused by rising prosperity and crime. The convictions of Hobbes and Weber that the state is the only one responsible in the fight against crime are no longer tenable. The government realizes that it can not combat crime on its own (Terpstra, J. in: Montfort et al., 2012). The emergence of PPP in safety care provided new theories in the field of management in safety care. This also led to new concepts in the Netherlands, such as integrated safety care. The responsibility for safety was not only placed with the state, but with the entire society and a completely horizontal cooperation should be created (Montfort et al., 2012). In practice, it turned out that this concept was not fully implemented in the intended way, because the police and the municipalities were still seen as the 'leaders' in joint ventures. Theories and perspectives in which the government plays a central role in the partnerships are not sufficient. The government would benefit more from a fully horizontal cooperation, in order to give private actors more responsibility (Montfort et al., 2012: 8).

Complex cyber security problems increase the demand for PPP even more. Companies do not always have the means or the (legal) possibility to combat cyber threats. That is why they need cooperation with public parties, who have these possibilities and resources. The private parties in turn have information about threats they are confronted with and the way they deal with them. By sharing this information, both the public and the private parties are better off working together. Carr (2016) is a well-known scholar in the field of PPP in the cyber security sector. She distinguishes PPP in two different forms: first, horizontal, non-hierarchical arrangements characterized by consensual decision making and second, hierarchically organized relationships with one party in a controlling role (Carr, 2016). According to Carr, the horizontal, non-hierarchical form of cooperation is seen as the most desirable form of cooperation. This form of cooperation can be compared with the network

(14)

cooperation does not always seem to be chosen in cyber security practice. The interests of public and private parties do not always correspond and it is therefore important to map these out. Public parties seem to like horizontal cooperation, because responsibility for cyber security can then be outsourced to private organizations. The private organizations seem to use the cooperation mainly to save costs in the field of cyber security (Akersboom, 2012).

2.4 Public-private partership models

From the foregoing it appears that different convictions exist about the way in which a PPPartnership has to be arranged. It is argued that choosing its right form is important for the effectiveness of the partnership (Klijn & van Twist, 2007).

It appears that from the literature multiple forms of PPP can be distinguished, especially PPP according to the alliance model and the concession model are frequently used models (Montfort et al, 2012). These models are largely in line with the two forms that Carr (2016) identifies. Sanders (2014) uses four characteristics to identify the form of PPP: (1) purpose of the cooperation, (2) internal relationship between the actors, (3) outcome of the cooperation and (4) the intended social effect. Below is a discussion of the two models, based on the four characteristics of Sanders.

2.4.1 The alliance model

According to Van Montfort (et al., 2012), this form of PPP is the most common form in the security sector. With the alliance model, as the name suggests, there is an alliance between public and private actors. There is a wide variety of forms of alliances, often adapted to the situation in which the collaboration is located. The alliance model is therefore not one-sided, but can exist in different forms.

The aim of the cooperation (1) is to achieve the safety policy together with PPP, in the alliance model. Characteristic of an alliance form of PPP is that the goal is characterized by mutual dependence on each other. The parties in the cooperation need each other to come to the 'best' solutions to problems. Goals are therefore not chosen by one of the parties, but chosen jointly.

The internal relationship between the actors (2) in the alliance model is based on a horizontal way of working together. There is no client and contractor, but a collaboration where each party is equal. In an alliance formation, it is the intention that the responsibilities and powers are shared between the parties when realizing government policy. There is then no question of closed circuits, in which each actor keeps his own powers in hand (Sanders, 2014). Especially

(15)

with PPP in the security sector it seems difficult to fully realize this. An alliance in the PPP in the security sector often works differently on this point. The government is in fact the party with the monopoly of force, which means that the relationship between the actors tends to be less pronounced. Nevertheless, van Montfort (et al., 2012) mentions the added value of abandoning this important role of the government. A completely horizontal cooperation would yield more results.

The outcome of the cooperation (3) in the alliance model depends on the interaction that exists between the actors. The question is what outcome the PPP has in relation to the realized policy and how that outcome influences the actors. What influence the form of PPP has on the outcome of the cooperation differs per PPPartnership. In an alliance form of PPP it is likely that the outcome is as favourable as possible for all parties, because the interaction is based on horizontal cooperation (Sanders, 2014).

The intended social effect in the alliance model, when used in the security sector, is often an important motive for entering into cooperation. The cooperation is entered into after a security problem has been identified in a certain sector and can not be solved or can only be solved by the government alone. The realization that the government cannot only guarantee safety (van Montfort et al, 2012) contributes to the fact that PPP are used to guarantee safety. The intended social effect is specific to the alliance model based on the government's awareness that safety can only improve through cooperation. The cooperation will then be structured horizontally, with the specific objective of all parties to be able to contribute to social security, which is therefore considered to be in everyone's interest (van Montfort et al, 2012).

2.4.2 The concession model

The concession model of PPP is designed as a transaction model between the public actor and the private actor. It is therefore also called an economic cooperation. The public actor sets out output criteria and leaves the implementation to the private actor. The responsibilities for the developed project are then separated, so that the private party retains a certain degree of autonomy in its actions (van Montfort et al, 2012).

The aim of the cooperation (1) in the concession model is seen in the literature as reducing the transaction costs. In the situation for PPP, cooperation through, for example, administrative procedures could cost a lot of time and money, because all kinds of rules have to be met. When PPP are set up, the parties come closer together and make mutual agreements. The partnership can then be set up in such a way that it can lead to a reduction in transaction costs for both parties (Sanders, 2014). In addition, it is assumed that cooperation with the private

(16)

sector can lead to more innovation. The aim of PPP in a concession form is therefore to save costs and to achieve more innovation (Klijn & van Twist, 2007).

The internal relationship between the actors (2) in the concession model is related to the principal-agent relationship, which is often discussed in performance management literature (Heinrich, CJ & Marschke, G., 2010), in which the government is the 'principal' and the public and private organizations are the 'agent'. The government then sets certain goals, which the public and private organizations must meet. This gives the public and private organizations of the government a certain autonomy to carry out their tasks, while the government can keep abreast of the developments (de Bruijn, 2002; Sanders, 2014).

The outcome of the cooperation (3) is a favourable transaction model for all affiliated parties in the concession model as mentioned above. The cooperation is organized in such a way that the parties do not encounter any hindrances in the interaction with each other.

The intended social effect (4) is often described as the development of new policy or products in the concession form of PPP, which helps society in the best possible way. This is primarily the intended social effect of the public player in the partnership. For private players, the social impact plays a role to some extent if it influences the profit of the private parties (Sanders, 2014). For example, an unsafe entertainment area is not attractive to consumers, which means that they avoid that area. The prevention of that social impact is worth the private parties, because otherwise the profit will fall.

2.4.3 The improvisation model

The improvisation model is not very common, or at least less often studied than the other two models (Montfort et al, 2012). The (1) goal of the collaboration is to tackle problems that play a role in society. In the improvisation model, a situation has arisen in which the public actors have withdrawn, or no longer show initiative. This ensures that private parties take over the initiative and come up with solutions through collaboration. The (2) internal relationship between the actors is therefore characterized by an active private party and a withdrawn public party. The initiative comes from the private parties (Montfort et al, 2012). The (3) outcome of the collaboration is different. Depending on the problems that are being tackled, the collaboration is effective or not. In practice, private parties are often well able to come up with effective solutions, without active help or guidance from a public party. (4) The intended social effect is often described in the improvisation model as developing new solutions to existing problems in society (Sanders, 2014).

(17)

2.5 Complications of PPP for Critical Infrastructure Protection (CIP)

In the Netherlands the organizations in the energy sector are cooperating in an Information Sharing and Analysis Centre (ISAC). In this centre, facilitated by the NCSC, organizations come together to share information about cyber security policies, threats and strategies (NCSC, 2018). These forms of cooperation, facilitated or instructed, point to the existence of PPP.

PPP are often used to arrange the security of critical infrastructure. The state depends on the cooperation with private actors and the private actors in their turn need the state to coordinate the CIP (Dunn-Cavelty & Suter, 2009). Dunn-Cavelty & Sutter argue that, in line with what Carr argues, the network form of cooperation works best for PPP. The research they did on the PPP in CIP showed that PPP were originally not intended to help public and private organizations secure the state, but was more focused on improving efficiency (following the NPM movement of ‘running the government like a business’). The problems that arise when using PPP to secure critical infrastructure are therefore a logical consequence of misuse of the PPP, according to Dunn-Cavelty & Sutter. There are discussed five problems in their research:

Problem 1. The state has no way of monitoring whether private companies are fulfilling their functions in the area of CIP .

Problem 2. Public–private cooperation is often difficult due to diverging interests.

Problem 3. PPP can only be carried out with selected companies and must be small, since they are based on mutual trust. The number of PPP must remain limited, since an overly large number would exceed the government’s capacities.

Problem 4. There is a dissonance between the logic of security and the logic of PPP. The core function of the state cannot be outsourced. (Dunn-Cavelty & Suter, 2009)

The first four problems can be tackled by using a network form of cooperation, according to Dunn-Cavelty & Suter. The network form of cooperation is based on self-regulating networks and therefore the role of the state is no longer one of controlling, but of coordinating and stimulating the actors that cooperate with them. The relation between government and private organizations is not based on contracts anymore, but on coordination of self-regulating networks. The state acknowledges that CIP cannot be handled by state alone and that there is a need for private influence in core-state functions. The way to involve PPP in CIP is for the government to coordinate and stimulate self-organization (Dunn-Cavelty & Suter, 2009).

(18)

The fifth problem Dunn-Cavelty and Suter mention is much harder to solve, since the state is expected to carry out their tasks in CIP. The debate about what can be outsourced and what cannot be outsourced is always ongoing (Dunn-Cavelty & Suter, 2009).

2.6 Improvements of PPP for Critical Infrastructure Protection

Because this research looks at the effects of a public-private partnership, it is important to now discuss the potential effects from the literature. The literature on public-private partnerships shows that there are several effects that, depending on the intensity of the PPP, increase or decrease. In this study the following three positive effects of PPP are discussed: (1) PPP improve the interaction between the actors in the partnership, (2) working with PPP ensures cost savings for public and private actors and (3) PPP provide better plans (in this case better policy) (Eversdijk, Korsten, 2008, van Keulen, Hoek, 2003, Klijn & van Twist, 2007)

The first assumption (PPP improve the interaction between the actors in the partnership) seems to be a logical consequence of PPP. PPP are set up in order to achieve better cooperation and thus achieve goals that actors cannot achieve alone. The fact that better cooperation can only come about if the interaction between the actors intensifies, is then a logical reasoning.

The question is whether this assumption actually follows from practice; do PPP actually improve the interaction between the actors? The answer to that question is reflected in the management literature with regard to network management. Network management is a form that public administrators use to explain policy processes. A frame of reference for this is network control, which is also frequently used in the Netherlands. In order to be able to realize a specific product, intensive consultation between public and private parties is necessary through the formation of a coalition. The basic principle of network management is, among other things, to monitor the interaction between the actors and to promote them as much as possible. This is done through evaluations of the collaboration and sometimes even the appointment of a process manager. Such a network-driven approach of a project would in this way ensure better interaction between the actors (Eversdijk, A., & Korsten, A., 2008) The second assumption concerns the cost savings that PPP would mean for all actors. This assumption is often used by the government in promoting PPP (NCSC, 2018). The idea of a cost reduction through cooperation between public and private actors can be traced back to

(19)

the idea of a business government inspired by New Public Management. Acceptance of private methods and means to produce goods and services would make the government work more efficiently. This higher efficiency ensures cost savings. Heldeweg and Sanders (2011) build on the idea of a commercial government. The government would in fact (among other things) prevent market failure by setting up PPP to absorb a failing market. A part of market failure that is relevant to PPP in safety care is the incomplete information. As long as actors do not share their information with each other by working together, the optimal result in society cannot be achieved. PPP provide a solution for this incomplete information, which also saves costs (Sanders, 2014:). In addition, cost savings in the security sector can also be achieved by spreading the responsibilities as a result of a PPPartnership. The government can take a step back in the field of its deployment of police and other means to guarantee safety, because private parties contribute to the prevention of safety problems (van Montfort et al, 2012).

The third assumption that PPP would provide better plans or policies is also seen as a common consequence of PPP. The government could use the expertise of the private sector in order to arrive at an optimal and innovative policy with regard to the development of a good or service. Achieving better policy is also referred to as part of the process management (Eversdijk & Korsten, 2008). By means of PPP the process is cast in a network-driven form, whereby the public and private actors interact in a different way in the development of policy in the development phase. Because the parties use each other's expertise and all interests in the process are taken into account, 'tailor-made policy' can be developed (Heldeweg & Sanders, 2011).

2.7 Subquestions

Based on previously discussed theories, a number of sub-questions can be drawn up. These are used to give direction to the further course of this research and to discuss the concepts in a structured way. This helps to answer the research question. The following sub-questions will be used:

Energysector

- What form of cooperation is used in the PPP of the energy sector; alliance, concession or improvisation?

(20)

- Do the PPP have a cost-saving effect in the area of cyber security for participating parties in the energy sector?

- Do the PPP have an influence on the implementation of cyber security policy in the energy sector?

- Are there negative effects as a result of PPP in the energy sector?

- Do the PPP improve the overall approach to cyber security in the energy sector?

Telecomsector

- What form of cooperation is used in the PPP of the telecom sector; alliance, concession or improvisation?

- Do the PPP have a positive effect on the interaction in the telecom sector?

- Do the PPP have a cost-saving effect in the area of cyber security for participating parties in the telecom sector?

- Do the PPP have an influence on the interpretation of cyber security policy in the telecom sector?

- Are there negative effects as a result of PPP in the telecom sector?

- Do the PPP improve the overall approach to cyber security in the telecom sector?

Comparison of energy- and telecomsector

- How do the PPP of the telecom sector relate to the energy sector? what are similarities and differences?

(21)

3. Research design and methodology

In the previous chapters the subject of this research was introduced and the theoretical concpets used in this research were further eleborated on. To answer the research question choices in the research design were made. In this chapter these choices will be further explained. This lead to the following design:

o Comparative case study design;

o Based on convenience and purposive sampling combined;

o Unit of analysis: Dutch critical infrastructure of the energy and telecomsector

o Unit of observation: experts affiliated with the PPP of the energy and telecomsector for cyber security;

o The method of gathering the data is done by interviews and desk research

3.1 Design

In this research a comparative case study is chosen. This type of design improves external validity, compared to a single case study, and is also needed to give an answer to the research question; to give answer to the question of the working of the PPP for cyber security in the CI sector it is valuable to use as much cases as is possible. The comparative case study design allows for a deeper investigation into two cases, making it effective for descriptive research (Yin, 2003). This is why two cases are selected from CI sectors in the Netherlands. In this research that will be the energy sector and the telecom sector. For the energy sector case the focus will be on electricity supplier organizations. For the telecom sector the focus will be on Internet Service Providers. The choice of these two cases is based on convenience sampling. I currently work at Eneco, which is an electricity supplier. This gives me the possibility to easily approach cyber security officers of the company.

This also applies to the telecom sector case. I already have contact with the CEO of Intermax, an Internet Service Provider, and some of his employees, because of personal relationships. This contact will be used to achieve snowball sampling. Next to the snowball sampling, the choice of cases is also based on purposive sampling. Current reports from the NCTV suggest the telecomsector is more advanced then the other CI sectors in organizing cyber security (CSBN, 2017). This research can be used to find out whether or not the form and functioning of PPP in the telecomsector helped improve the cyber security of the sector, compared to other sectors.

(22)

3.2 Data gathering

To further eleborate on the cooperation in the energy sector and the telecom sector, information available about the ISAC’s of both sectors will be used. The goal of the ISAC’s is to help facilitate the sharing of information about cyber security by CI organizations. This means that looking into the ISAC for the energy and telecom sector can provide valuable information for the cases. Next to the ISAC’s other existing PPP’s will also be explored, to give an complete as possible image of the two sectors.

To gain insight, available data is used, such as government reports, company reports and relevant stakeholder reports. The reports used consists of the Cyber Security Image of the Netherlands, which gives an overview of the status of the cyber security of the critical sectors in the Netherlands. Also, information from the NCSC is used to explain the functioning of the ISACs. There are also some reports from outside experts that are usefull (Verhagen, 2016 ; Munnichs et al, 2017).

Also, semi-structured interviews are held with experts from the energy and telecomsector. The questions in the interviews will be based on the concepts and indicators mentioned in the scheme at the beginning of this chapter. Transcripts of the interviews will be made, enabling citations of the interviews to be used in the research.

The experts that are used in this research are:

o L. Baauw, Managing Director of the Intermax Group. The Intermax group consists of multiple companies focused on internet services, cyber security and cloud-engeneering.

o M. Steltman, Managing Director of DINL (Digital Infrastructure Netherlands). The DINL is a foundation that focuses on the development of the digital infrastructure in the Netherlands. Cyber security is therefore an important subject for the DINL. The DINL represents digital suppliers, such as cloudsuppliers, datacentres, Internet Service Providers and many other organizations. The DINL is therefore in constant contact with the government and other relevant parties.

o O. de Weerdt, Managing Director of the NBIP. The NBIP is a non-profit organization that originated when the new Telecommunication law was introduced in the Netherlands in 2002. The NBIP facilitates joint investments in cyber security solutions, such as the NaWaS. The initiative for the NBIP came from private telecom organizations. The NBIP cooperates with the government on a small scale, but is eager to expand this cooperation into a full PPP.

o A. Spoelstra, Chief Information Security Officer at Eneco. Eneco supplies electricity to hundreds of thousands of individuals and companies. Next to that Eneco also

(23)

generates energy. This is why Eneco is considered a critical infrastructure organization and member of the Energy ISAC. Spoelstra is the one attending the ISAC meetings. o R. Marchal, working on an assignment from Tennet and the NCTV. His assignment is

to help construct and improve the strategic alliances and PPPs that exist for cyber security in the energy sector. Marchal describes it as: ‘I am the oil man between public and private organizations’ and ‘I am sort of a walking public- private partnership’.

3.3 Operationalization of concepts

The concepts that are used in this research were already discussed in chapter two. The operationalization helps to explain how the concept derived from the theory will be used and measured in the continuation of this research. The table below gives insight to the operationalization of the different concepts that are used.

Concepts Definitions Indicators Sources

PPP – alliance model Partnership between public and private actors, characterized by forming a strong to moderate alliance between the parties involved - Horizontal hierarchy - Mutual dependency; input from both sides - ISAC’s - Expert interviews and desk research PPP – concession model Partnership between public and private actors, characterized by a principal-agent relationship - Vertical hierarchy - Output criteria - Principal-agent form of partnership - Expert interviews and desk research

(24)

improvisation model between public and private actors, characterized by initiatives from private parties in response to a retiring public actor

- Private actor initiatives - Facilitating public actor

interviews and desk research Positive effect PPP: improved interaction Possible improved interaction between actors as a consequence of a PPP - Frequence of consultation - Number of PPP’s - Willingness to share information - Expert interviews and desk research Positive effect PPP: cost reduction Possible cost reduction for actors as a consequence of a PPP - Privatization of government tasks - Information efficiency - Private sector security

initiatives - Expert interviews and desk research Positive effect PPP: improved security policy Possible improved policy as a consequence of a PPP - Consultment of private actors for policy development

- Visual contribution of private actors to policy development - Expert interviews and desk research Negative effects PPP Possible negative effects of PPP’s, influencing overall cyber security - 4 problems of Dunn-Cavelty & Suter (2009)

- Expert interviews and desk research

(25)

In this scheme three indicators are added to be able to measure improved interaction. These indicators are added because the theory does not give clear indicators to measure the possible improved interaction.

3.3 Validity and reliability

There are three points that have to be adressed following the choices that are made in the research design: internal validity, external validity and reliability. These are discussed in the following paragraphs.

3.3.1 Internal validity

When ensuring internal validity the question is asked whether the concepts used in this research can logically explain the outcome of the research. This means that the used methods should ensure that the concepts can actually lead to a logical and correct answer to the main question by means of the theory.

The use of expert interviews can be a problem for internal validity. The experts can be biased, or feel forced to give socially desirable answers to questions asked about their opinion of the cooperation. In this research the problem of social desirability is prevented by using a mix of experts. There are interviews with experts that stand further away from the actual PPP and interviews with experts that have or had personal experience with the PPP. Bias can still pose a problem, that is why the interviews will be semi-structured, giving the chance to have some influence on possible biases during the interviews.

3.3.2 External validity

When assuring external validity, the question is whether the sample findings can be justifiably generalized to the complete population of the sample.

Because only two cases will be used from the critical infrastructure the Netherlands, external validity will be limited. This is however a general problem of comperative case study’s (Bryman, 2015). Also, feasibility of this research design does not allow for more than the two chosen cases to be used, given the time available for this research project. Next to that, the goal of the research is to give a descriptive insight into the PPP for cyber security in critical infrastructure in the Netherland and learn from this. In this way the field of PPP for cyber security in the Netherlands can be explored and reasons for further research can be found.

(26)

A possible pitfall (and problem for both internal and external validity) can be the willingness of certain actors to cooperate in this research. Information about the cooperation forms and activities of the organizations and their cyber security approaches can be sensitive, causing the organizations to act carefully with regard to providing information. Limited information and data would affect the validity of this research.

3.3.3 Reliability

When assessing the reliability of a research project, the question is whether or not the same outcome will arise when the research is conducted again after some time. Using experts interviews as source of data can be of influence on the reliability, because people change and may tell one thing right now but something else in a few months. For instance a member of one of the ISACs can be positive about the functioning of the ISAC, because he or she is a member. When they are removed from the ISAC because they are no longer relevant, their opinion about the ISAC can change easily. This also has to do with social desirability; respondents can give answers they think they are supposed to give. This problem can be handeld by asking the same questions to multiple experts. Of the answers are to some extent similar and not completely different, this means that the data is probably valuable and not influenced by ‘the mood of the day’. Also, semi structured interviews allow for further eleboration on questions, making it possible to some extent to influence this problem.

(27)

4. Cyber security of the Dutch Critical Infrastructure

In the area of (cyber) security of the critical infrastructure in the Netherlands, there is a wide variety of agencies and partnerships: the NCTV and NCSC, the NBIP and others. A lot has happened in the field of CIP over the past few decades, also in the area of cyber security. This chapter provides an introduction to the way in which the cyber security of the critical infrastructure is dealt with in the Netherlands. This will look at the emergence of the current partnerships, institutional arrangements in the area of cyber security and strategies that have been adopted for the future.

4.1 CPNI

CPNI, in full CPNI.nl, is the forerunner of the current NCSC in the Netherlands. The name stands for Center for the Protection of the National Infrastructure. Previously, CPNI was also known as NICC. CPNI was primarily intended as a platform, within and from which knowledge was shared with Dutch (critical) infrastructure organizations. The CPNI was housed at TNO. The aim of the CPNI was to share knowledge with organizations in order to guarantee the continuity of these organizations. One way to achieve this goal was the Cybercrime Information Node (IKC). In addition, CPNI also continued to conduct surveys to support the resilience of the critical infrastructure. The CPNI mainly focused on improving the PPP within the sectors. In addition, it also encouraged the establishment of cross-sectoral and international partnerships. An example is the cooperation between the energy and water supply sector. These sectors have started to cooperate among themselves through their ISACs, because they realized that there were similarities between the sectors and that the organizations are also dependent on each other. This also applies, for example, to the telecom sector, which depends on a continuous supply of electricity. Such dependencies have ensured that the ISACs, at the time of the existence of the CPNI, increasingly cooperated with each other (CPNI.nl, 2012).

(28)

4.2 IKC/ISAC’s

The IKC was created as an initiative of the NICC / CNIP. The IKC is a platform in which organizations known as critical infrastructure can request information and share it with other organizations. An important part of this are the ISACs. An ISAC (Information Sharing and Analysis Center) is a consultative body, established for each sector of the critical infrastructure in the Netherlands. This means that there are ISACs for the following sectors: Port, Airport, Financial Institutions, Multinationals, Telecom, Nuclear, Healthcare, Water, Managed Service Provider (MSP), Insurance, Government, Government and Management and Pensions (NCSC, 2018).

Within the IKC in general and the ISACs specifically, (confidential) information is shared by critical infrastructure organizations and the government. The information shared within the ISACs is categorized into four types, according to the traffic lights protocol:

Red: secret information that is only intended for the participants in the consultation. This information is shared orally and may not be shared outside the ISAC.

Yellow: limited secret information that can only be shared with people within the organization that need this information to perform their function.

Green: this information may be shared with several people inside and outside the organization, but publishing or posting on the web is prohibited.

White: public information that can be freely distributed.

The person who brings in the information indicates the level of confidentiality. In this way it is clear for each member how they should deal with this information (NCSC, 2018). This ensures that the information discussed within the ISACs usually remains confidential.

In 2011, the CPNI gave a global insight into what is discussed within the ISACs:  modus operandi (national and international) incidents;

• trends in threats such as botnets and phishing;

• developments in national and international areas such as the National Cyber Security Strategy, the National Cyber Security Council, the National Cyber Security Center, the cyber component within the Counterterrorism Alert System (ATb), National Roadmap for safe process control systems and the European Network for Cyber Security;

(29)

• studies such as the National Threat Assessment, the Cyber Security Assessment and the Vulnerability Analysis Spionage, the cyber espionage scenario within the National Risk Assessment, the research into the qualification and certification of information security officers, various studies of ENISA and threat analyzes of the sectors themselves;

• (ICT) business continuity; • quantifying information security; • economic impact of cybercrime;

• mobile devices (including 'Bring Your Own Device'); • social media;

• monitoring and logging;

• Process Control Systems (including 'How to deal with legacy systems?' And the Benchmark Security PCS environments);

• the dangers of monoculture within a company; • electromagnetic pulse and the protection against it; • security of collaboration platform software;

• security by design;

• control frameworks, risk analysis and IT governance (with overarching standards frameworks);

• information security standards per sector and general (CPNI.nl, 2012).

4.3 NCSC

The NCSC was set up in 2012 as a supplement to organizations such as CPNI.nl and other partnerships that were already set up in the area of the cyber resilience of Dutch critical infrastructure companies. In the meantime, most of these organizations have been merged within the NCSC. The aim of the NCSC is to jointly increase the digital resilience of Dutch society. They do this by providing insight and action perspective.

As mentioned earlier, the ISACs are facilitated by the NCSC. In addition to the ISACs, the NCSC also directs international cooperation. The Computer Emergency Response Teams (CERTs) are a good example of this. CERTs are partnerships that work for cross-border cyber security solutions. In addition to the CERTs, the NCSC is also active in the International Watch and Warning Network (IWWN), which aims to allow government representatives from different countries to share insights and information with each other. This mainly concerns best practices in the area of policy implementation (NCSC, 2018).

(30)

In addition to international cooperation, the NCSC is also focused on offering coordination at the time of a cyber incident. This is done in the form of an ICT Response Board (IRB). This is a collaboration between ICT experts from the telecom, energy and water sector and ICT experts from the government. The IRB is put into operation at the time of a serious incident. Only the people who are relevant to the incident in question will be deployed; ICT experts of the energy sector react in a crisis in the energy sector and experts in the telecom sector react in a crisis in the telecom sector. This makes the NCSC an important part of the national cyber crisis response (NCSC, 2018).

Besides the IRB, there are also the National Detection Network (NDN) and the National Response Network (NRN). The NDN aims to detect cyber incidents as quickly as possible through collaboration, so that all sectors of Dutch organizations can respond to them. Organizations can share detected incidents or possible problems via the NDN with other parties. The NRN is set up to link the IRB and vital sectors at the time of a cyber crisis. This should help to increase the response capacity of both private and public organizations (NCSC, 2018).

For all these parts of the NCSC that have been discussed previously, it is designed to promote the PPP. The NCSC therefore arose from the need to cooperate more, because cyber threats are too comprehensive to tackle alone. The core tasks of the NCSC are therefore aimed at facilitating this PPP. The tasks can be divided into three parts:

1. Organizing (public-private) cooperation within the domain cybersecurity. This involves switching between public and private stakeholders. The aim is to strengthen the cooperation by bundling and enriching existing expertise and experience within cybersecurity.

2. Building trust with all stakeholders. As a result, the NCSC is well informed about the content about cybersecurity and connected to relevant programs and developments.

3. Preparing and coordinating ICT crisis management throughout the entire chain. (NCSC, 2018).

(31)

4.4 Cyber security image and strategy Dutch government

The NCSC provides an annual overview of the current situation in the Netherlands in the field of Cyber security: the Cyber Security Assessment Netherlands (CSBN). This describes the threats in the field of cyber security and which interests these threats can affect. In this context, CSBN mainly looks at the threats that apply to critical infrastructure in the Netherlands and, to a lesser extent, to the threat that exists for individual citizens. Following the latest CSBN, the following actors can cause various types of threats:

o Professional criminals o States o Terrorists o Cyber vandals o Hacktivists o Internal actors o Private organizations

o System failure or ICT failure (no actor)

Government organizations and private organizations are particularly concerned by the actions of these actors in the area of disruption or even takeover of ICT, or stealing and subsequently publishing or selling confidential information. In addition, defacement is an emerging threat used by hacktivists. During defacement, hackers take over sites from organizations in order to manipulate the information that is shared with them. This can have harmful consequences for (the reputation of) these organizations (Cyber Security Assessment 2017).

There are various means that the aforementioned actors use to commit a cyber attack. In the latest cybersecurity image, there is a lot of attention for the 'Internet of Things' (IoT). The IoT mainly consists of (consumer) electronics. These electronics are often not properly secured, because the passwords are standard or in any case not strong. In addition, the producing companies do not often invest in sound security of the devices, because this generates more production costs. This weak security ensures that these devices can be hacked relatively easily by malicious parties to enable, for example, DDoS attacks.

These DDoS (Denial of Service) attacks are another means that is frequently used to attack public and private organizations in the Netherlands. There has also been an increase in the number of DDoS attacks in recent years, partly due to the vulnerable IoT devices. In 2016, the Dutch management organization Internet Providers (NBIP) processed 681 DDoS attacks, so about two per day. Fox-IT registered approximately 25,000 attacks targeted at Dutch IP

(32)

that lasted for hours or even days. This is partly dependent on the size of the botnet that attackers use; a large botnet keeps an attack longer than a small botnet (CSBN, 2017).

Another means that gained popularity among cyber criminals in 2016 and 2017 is ransomware. Ransomware, as the name implies, ensures that software from organizations or individuals is 'held hostage'. Users can no longer access their data or use their device. Only when a ransom is paid will the data or the device be released again. Devices are often corrupted via infected mail with ransomware. When this virus is then in the system of an organization, it can be used by the cyber criminals.

Ransomware is often distributed via email, but that is not the only virus that cyber criminals use. It appears that contamination via email is still one of the most used methods of cyber criminals. Phishing by means of sending e-mails is one of the most used means in addition to ransomware. Cyber criminals still earn a lot of money with this. In addition, phishing is also used to infiltrate the underlying Managed Service Providers via individual users. Most e-mail users are often insufficiently aware of the essential dangers of phishing e-mails and how to recognize them. This also causes dangers for public and private organizations, because confidential information can be obtained in this way. Industrial espionage can also come about in this way and have major consequences for private organizations (CSBN, 2017).

4.4.1 Telecommunications law

The telecommunications law dates back to 1998, but in the past decades the law has been amended several times. The areas where ISP and other telecom companies in the field of cyber security are most affected by are privacy and tapping. This tapping is regulated in what is also known as the 'tapping law'. This law stipulates that all telecom providers must make technical arrangements to allow their services to be tapped. This gives the intelligence services or the police the possibility to obtain data from ISP with a court order. Making this technically possible is costly and legally complicated (NBIP, 2018).

4.4.2 Cyber strategy and policy

In recent years two National Cyber Security Strategies (NCSS) have appeared, containing the vision and the policy to be pursued within Dutch society. The first strategy (NCSS 1) mainly focused on setting up cyber security measures and starting to improve resilience, through as

The working of Public-Private Partnerships for the cyber security of Dutch Critical Infrastructure