Much media and scholarly attention has been focused on cyber threats and the cyber security strategies that governments have rolled out in response. Institutional arrangements (how and where cyber security is embedded in government organizations) have enjoyed much less scholarly attention. This topic is either less glamorous to research, more difficult to categorize and compare, or hindered by a dearth of sources and empirical data. After all, the social sciences side of cyber security research is still characterized by much theorizing on a narrow empirical basis (not unlike terrorism research!). Too much information is stamped secret by governments or kept under wraps by private parties.
On a practical level, policy makers have struggled to adapt existing bureaucratic structures to the cross-cutting phenomenon of cyber security. In most countries a government ministry or central organization has come, by accident or design, to coordinate and/or lead national cyber security policy. From a legal, organizational and even sociological perspective it matters which ministry is responsible for coordinating cyber security or which takes the lead during cyber crises. The mandate, network, standard operating procedures and culture of a ministry will shape and funnel decisions in certain directions. While there is no agreed definition of a cyber crisis, the increasing interconnectedness of society and interdependency of critical infrastructure guarantee that many crises will invariably have a strong IT component, either in origin, effect or response.
Network theory and the concept of public-private partnerships offer good frameworks to analyze cyber crisis management structures. After all, most critical infrastructure in liberal democracies is in private hands, and many different public organizations will have to liaise and cooperate with each other. By using these concepts an initial taxonomy of cyber governance structures can be identified. By complementing this with empirical research on the situation in four different countries, new facts and insights can be injected into a debate that is often too theoretical and distant from policy. Rather than focusing on Anglo-Saxon countries, as much cyber security literature does, it is worthwhile to also research European approaches. In particular the Netherlands, Denmark, Estonia and the Czech Republic lend themselves to a comparative analysis. These are each small to medium-sized countries, have a high internet penetration rate and their societies and economies are highly reliant on a dependable IT infrastructure.
Comparing European models
While each country has its own unique political culture and institutions, three distinct models can be identified. The first is a model based on network trust (the Netherlands), where the central coordinating cyber security authority operates on the basis of equality with its partners in the private sector. Estonia and the Czech Republic have a model that resembles a network administrative organisation, with their national cyber security centre (NCSC) also enforcing government regulation through fines. Finally, Denmark has a clear lead agency model, with its NCSC in its foreign intelligence service. The government and military Computer Emergency Response Teams (CERTs) have been bundled into one unit that provides first response in times of crisis.
There is no standard template or ideal way of organizing cyber security governance and crisis management. Many countries, and certainly the four in this research, have adapted and changed institutional arrangements along the way. This process of maturation has, for instance, led Denmark and Estonia to shift responsibility for national cyber security from one ministry to another. They chose opposite policies, however, with the former shifting responsibility to the ministry of Defence, the latter away from it. Many other insights are distilled from the case studies. The primary axes concern the institutional choice of embedding their cyber security centre inside the intelligence community or outside, and whether to centralise capacity in one unit or to follow a distributed model. These choices lie at the foundation of information sharing and roles during cyber crises. There are valid arguments for both a distributed landscape and a more centralized one, but the advantage of the latter is that there is no doubt whom to call in times of crisis.
Read the full article on which this blog post is based: National cyber crisis management: different European approaches, Governance (2017)