Written by Adriana Mara
Prior to the end of the Cold War era, security and defense strategies of European countries were formulated on the assumption that adversaries consisted solely in the form of a state or of an alliance of states. Yet since its formation, the European Union has faced a set of challenges that are quite more complex in form and structure including terrorism and cybercrime that surpass national boundaries. Due to rapid technological advancements and their pervasion in everyday life and critical infrastructure, cybersecurity has become a top priority for the European Union.
New threats involve cybercriminals, cyberterrorists, even foreign intelligence services that either aim for personal profit or for systemic damage. The advantage of these criminal networks over European security systems lies in their decentralized nature that lacks clear hierarchies and in their low entry barriers. More specifically, cyber threats usually are impossible to identify as an attack, as they can consist of anyone with an Internet connection in any place in the world or even multiple attackers distributed across the globe.
In contrast, European defense systems are still predominantly built upon earlier assumptions where an ‘enemy’ used to have the form of a state, yet the threats nowadays most commonly consist of a hybrid form that operates between the physical and digital realm. The physical realm does not only include technological means but also the cultural/sociopolitical perspective of the threat (Jagoda 2012: 25). For example, cyber terrorism takes place in the digital sphere but the ideological context still derives from the physical realm. Although the European Union has made significant progress in coordinating members’ efforts in adapting to new threats, there is a tendency to neglect this cultural and sociopolitical dimension of the cyberspace which causes problems primarily in conceptualizing the issue in the first place and subsequently in the strategic response to it.
Moreover, cyber attacks that aim for systemic damage are not necessarily directed to governments anymore. Recent attacks all over Europe have been directed towards vital infrastructures such as electricity, airport and transport systems, banks, governmental bodies, and corporate firms. It is also quite impossible to distinguish what constitutes a case of cyber conflict. Is an attack on infrastructure or an individual a danger to systemic change or a sign of cyber warfare? As the new cyber threats consist of multiple actors with multiple goals that attack various infrastructures which are interconnected through distributed networks, it would be impossible to assume that total cybersecurity is an actual attainable goal. The more defense systems progress the more cybercriminals adapt to those technologies (Jagoda 2012: 29; Christensen and Petersen 2017: 1444).
The European Union (EU) understands cybersecurity as critical to individuals’ privacy, business, and commerce. This falls under the broader European vision of the ‘Digital Single Market’ that aims to integrate daily functions into the digital realm. Since the development of these asymmetric threats the EU has introduced directives such as the “General Data Protection Regulation” that aims at protecting privacy, the “NIS Directive” that aims at securing operators of critical infrastructure and has established ‘ENISA’ (European Network and Information Security Agency), the agency which is majorly responsible for cybersecurity directives.
Adversely, the United States and the United Kingdom support a narrative which depicts cybersecurity as a danger to national security and stresses the need to employ military forces to deal with the issue. The EU does not reject this argument completely but prefers to conceptualize cybersecurity as a commercial problem that needs to be addressed by civilian authorities.
This European approach of understanding cyberspace as a place with civil dimensions also indicates respect towards the dangers of over-regulating the Internet and of privacy violations. It also recognizes the need for including non-state actors in securing cyberspace. The European Commission has already stated its encouragement of an integrated effort to address cyber threats by involving both the private sector and members of the civil society (European Commission and HREU, 2013).
This aspect is more vital for cybersecurity than other forms of security due to the aforementioned nature of the actors. If threats do not consist of typical enemies, bounded within the notion of the nation-state and do not necessarily attack governments, the EU will be unable to respond to these threats without adopting an inclusive approach.
This article examines the ways of including non-state actors in European cybersecurity policy formulation and concludes that there is a need for creating more distributed policy networks. One of the most prominent ways of doing so is the formation of Public Private Partnerships (PPPs). ENISA defines PPPs as ‘An organized relationship between public and private organizations, which establishes common scope and objectives, and uses defined roles and work methodology to achieve shared goals’ (ENISA 2011: 10). Structured in two parts, the former analyzes the role of the private corporate sector. As technological innovation largely takes part in the private sphere and as critical infrastructure tends to be largely privatized, the role of private actors is ever more important. The latter focuses on the inclusion of civil society organizations, as they are catalysts in maintaining democratic values and building resilience among individuals.
Corporate Actors and Public-Private Partnerships
In order to assess the benefits and challenges of PPPs, one must first conceptualize cybersecurity as a public good. Public goods are characterized by their non-rival nature and their non- exclusivity (Rosenzweig 2012: 7). Security is a perfect example of this concept. A person in a country always benefits from the security it provides and enjoying security does not mean there is “less” left for others.
These features of public goods prompt entities who benefit from the good to neglect their contributions towards it. When these entities contribute to the good until it generates private benefit but not to the extent where it reaches the societal ideal, this gap is called “market failure”. To put this into a cybersecurity context, corporations tend to invest in cybersecurity as long as it fulfills their business needs but are often reluctant to develop cybersecurity in order to protect society overall. As Andersson and Malm explain: “All private firms are responsible to their shareholders for operational business risks and have to prepare for contingencies and emergencies. However, in general, market incentives are not compelling enough for private actors to provide the appropriate level of security for society as a whole” (Andersson and Malm 2007: 146).
Are PPPs a way of bridging this gap? Are these collaborations between public and private actors creating a nexus from which cybersecurity can further develop in order to create resilient societies? These questions are not simple to answer especially since the emergence of the pan- European PPPs. The “European Public-Private Partnership for Resilience” (commonly referred to as EP3R) is the most indicative example as it is a transnational effort that engages national governments, institutions and private actors and one of the very few that take place on the European level. EP3R is an umbrella partnership, i.e. “Umbrella PPPs focus on the full security life cycle, composed of deterrence, protection, detection, response, and recovery” (Porcedda 2014: 6). Cooperation on these complex issues and among the plethora of complex actors naturally requires a high level of coordination and organization. However, PPPs are not bound by a specific outcome or assessment framework, creating this way an uncertainty towards their effectiveness (Christensen and Petersen 2017: 1439; Porcedda 2014: 11).
More specifically, the challenges EP3R and other PPPs face include cultural/structural differences, asymmetric hierarchies, the divergence of motives and interests and most importantly lack of meaningful trust.
Resembling the well-known phrase lost in translation, private and public entities often experience language and communication differences that create misunderstandings and inefficiencies in collaboration. These actors usually have their own perception of common things and function differently depending on their structure. As ENISA explains, “what is operational and what is technical might mean a completely different thing in the different environment and work culture” (ENISA 2017: 35). Although understandably this issue can be improved by time, at the onset of such relationships there should be a clear communication strategy set by all stakeholders in order to facilitate such miscommunications. Here, it should be noted that barriers do not only directly apply to public-private actors but also to public-public and private-private ones. For instance, different corporations encompass different working cultures and most countries differ significantly from each other, resulting in various cooperation methods with each other and EU institutions.
Nevertheless, these miscommunications are not only mere language barriers. Frequently they indicate the underlying divergent interests and motives for participating in such partnerships. Corporations tend to be concerned with financial and reputational risks and how to mitigate their disruptive effects whereas public bodies are concerned with perpetrators and their motives for attacking (Carr 2016: 55; Christensen and Petersen 2017: 1445). Therefore, each actor’s strategy towards responding to threats tends to focus on the aspect that affects their organization the most rather than society as a whole.
Moreover, miscommunications also take place due to lack of trust. Most scholars and assessments from ENISA tend to mention this issue as one of the major factors to inefficacies of PPPs. According to ENISA: “Building trust between public-private, private-private and public- public entities has been considered as one of the biggest challenges of PPPs; eventually maintaining the same level of trust seems more challenging. Most PPPs define trust as an ongoing process, that involves personal relations and consumes a lot of time. In the evolution of a PPP, the trust may be eroded, especially in the case of new members joining, or of the old ones not being active enough, or simply taking advantage of the services that a PPP offers without contributing to any of the defined duties” (2017: 5). Other ENISA reports state that conflicting interests diminish trust and hinder the process of information sharing. As the provision of a public good relies heavily on an actor’s commitment and willingness to contribute towards it, trust between organizations is a very important pillar of this process.
A primary reason for not being able to easily forge relationships of trust between public and private actors is the reluctance of sharing information. Despite access to information being a fundamental desire for all parties in PPPs, the willingness to reciprocate information is quite low. For public bodies, sharing information could imply the sharing of classified material or risk somehow exposing these materials to third parties. Additionally, as information deriving from public actors is expected to be accurate, there is a long bureaucratic process to verify information before releasing it which often results to lags in time-sensitive situations. For private actors, holding onto information provides companies with a market edge which may be lost once information is distributed as PPPs often encompass multiple competitors that might end up accessing the information (Carr 2016: 58-59). Information sharing is regularly viewed by all actors as a form of power-sharing that might make the actor vulnerable.
Also, since we have explained cybersecurity through a public good perspective, not sharing information could be seen as a form of free-riding. Making use of the available information without reciprocating the contribution. This practice not only results in the underprovision of the good but generates further societal damage (Irion 2013: 89).
Another cause for diminished trust is the reluctance to accept accountability and responsibility in the case where a failure occurs (Irion 2013: 89). As Carr puts it: “the private sector has consistently (and perhaps understandably) expressed an aversion to accepting responsibility or liability for national security and regards cybersecurity within a cost/benefit framework rather than a ‘public good’ framework.” (: 61-62). The power diffusion that knowledge sharing creates also requires the diffusion of responsibility and often actors are not willing to accept their share. Similarly to private actors, public actors may also attempt to avoid responsibility for national/European security. (: 44). This deadlock, calls for greater willingness to accept accountability and for the need to establish explicit guides from the beginning of the partnership.
The challenges that have been examined throughout this chapter present significant obstacles to PPPs. However, scholars are still quite optimistic about utilizing these differences in order to generate innovation and efficient cybersecurity policies. For instance, Christensen and Petersen propose their idea of “partnering through dissent” (:1449). This concept embraces these differences and reservations and argues that they entail the exchange of novel ideas and creativity towards finding ways to cooperate that may turn PPPs into a success. They also emphasize how reputational risk is increasingly becoming important for private corporations. Such risk, refer to the importance of corporate social responsibility, resilience and the role of companies as active members of the social sphere (:1437). This changing nature of companies may create loyalty and willingness to envisage cybersecurity as a public good.
Despite some inefficiencies in PPPs, the EU has made a major step in creating a transnational framework for tackling cybersecurity issues. As we have seen such challenges include aversion to sharing information, accepting responsibility and forging relationships of trust. Since ultimate cyber security does not exist, institutions, governments, and corporations should embrace productive failure and push for more trust and sharing between them as well as accept their share of responsibility. This way, PPPs will not be a form of privatized policy-making but rather a holistic effort to reach societal optimal levels of security. However, in order to ensure that this information sharing remains within democratic boundaries, civil society should also actively participate within cybersecurity policy-making. The second part of this article will focus on the importance of including members from the academic sector, not-for-profits, and even individuals in order to ensure fundamental rights and resilience.
References
Andersson, J. J., & Malm, A. (2007). “Public-private partnerships and the challenge of critical infrastructure protection”. In I. Abele-Wigert & M. Dunn (Eds.), International CIIP handbook 2006 (Vol. 2). Center for Security Studies, ETH Zurich.
Carr, M. (2016). “Public-private partnerships in national cyber-security strategies”. International Affairs, 92(1), 43-62.
Christensen, K., & Petersen, K. (2017). “Public-private partnerships on cybersecurity: a practice of loyalty”. International Affairs, 93(6), 1435-1452.
European Commission and HREU (2013) “Joint Communication to the European Parliament, The Council, The European Economic, and Social Committee and the Committee of the Regions. Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace”, JOIN 1 final.
European Network and Information Security Agency (2011). “Cooperative Models for Effective Public-Private Partnerships. Desktop Research Report”, Luxembourg: Publications Office of the European Union.
European Network and Information Security Agency (2017). “Public-Private Partnerships (PPP). Cooperative models”.
Jagoda, P. (2012). “Speculative Security” in Cyberspace and National Security: Threats, Opportunities, and Power in a Virtual World, Washington DC: Georgetown University Press, pp. 21-36.
Porcedda, M. (2014). “Public-Private Partnerships: A Soft Approach to Cybersecurity? Views from the European Union”. SSRN Electronic Journal. doi: 10.2139/ssrn.3169945
Rosenzweig, P. (2012). “Cybersecurity and Public Goods. The Public/Private “Partnership”. Emerging Threats Essays, Hoover Institution, Stanford University, pp. 1-36.