Public–Private Collaboration: Cybercrime, Cybersecurity and National Security
Introduction

The ecosystem of fighting cybercrime and maintaining cybersecurity nowadays consists of interdependent international and national actors linked to national information infrastructure networks and services, including financial and banking systems, energy supply and communication networks. The overall development and innovation of ICT networks has been, and largely still is, dominated and controlled by private industry with little or no regulation or statutory intervention involved. As a result, private rather than public actors often fund, manage and run Internet and communication networks, including critical information infrastructure. This situation calls for new cooperative models of regulation and enforcement between governments and private industry on different levels—national, regional and international. It raises the challenge of developing effective approaches to co- and self-regulation to address offences in cyberspace and make information infrastructure resilient and safe.

With the technical, legal and business complexity of the environment, cybersecurity regulation looks like an intricate riddle. International organisations, national governments, academics, businesses and technical communities are trying to bring the pieces of this puzzle together and reach an agreement on how, and by whom, the cyberworld should be regulated and protected. Though there is a common understanding that governments cannot supply an adequate level of cybersecurity and fight cybercrime on their own without the involvement of the private sector, there are still fierce discussions on how the industry should be involved, what the role of direct government intervention is in this regard, whether the industry should be encouraged or coerced to cooperate and whether multi-stakeholder bottom-up approaches can guarantee an adequate level of security of the information networks. The policy dilemma continues brewing without clarity: with all the efforts taken in recent years to find a solution to cybersecurity regulation, there is neither a general agreement nor clear answers. The current state of cybersecurity regulation looks like a patchwork of solutions found as responses to urgent problems rather than as the result of any structured approach.

Since the 1990s, with the involvement of Internet service providers (ISPs) in voluntary cooperation on fighting illegal content online, many forms of public–private collaboration, such as hotlines, industry codes of conduct, awareness-raising programmes, cooperation agreements between industry and governments and—later—some successful attempts to establish nation-wide cross-sector cooperation in some countries, gave promise of a possible supply of cybersecurity in the form of public–private partnerships. In this regard, the common notion, which has dominated policy making and business thinking in the past several years, is that cybersecurity and critical information infrastructure protection require public–private collaboration, multifaceted strategies, hands-off regulation and recognition of the significant role that industry plays in securing information networks. However, the rising dependency on critical information infrastructures and concerns about the consequences of possible disruptions, up to catastrophic scenarios, caused a turn in policy making and led to calls for hierarchical top-down command-and-control solutions. The recent discussions and legislative developments, especially at the level of the EU and its member states, raise many concerns among industry and academics about shifting the balance in cybersecurity from bottom-up voluntary approaches and collaboration to heavier regulation. The rationale behind the attempts of some governments and supranational organisations like the EU to find a regulatory solution to protect critical information infrastructure and the safety of citizens online is quite reasonable. Cyber-threats have become a reality, and they can possibly have drastic consequences. However, there is still a debate whether the move away from voluntary collaboration to statutory intervention could have an even more negative effect on the supply of cybersecurity than no regulation at all.

The current policy and academic discussions in the context of the new regulatory developments mostly debate the efficiency of public–private partnerships. What is missing and overlooked in this debate is that there are other forms of co- and self-regulation that have proven to be successful models of industry involvement in cybersecurity. Existing channels of cooperation, information sharing and enforcement might still be in their infancy, suffer from imperfections and be in need of improvement. However, any debate on whether self- and co-regulation is efficient should, first of all, take into account the existence of different forms of collaboration in addition to public–private partnerships, and, secondly, recognise that cybersecurity includes different domains and areas, which require complex solutions. There is no single “one-size-fits-all” approach.

This chapter analyses the current and potential approaches to self- and co-regulation in fighting cybercrime and providing cybersecurity. It analyses different forms of cooperation—from ad hoc and accidental collaboration to structured approaches. Furthermore, it examines the balance between hands-off regulation and statutory intervention and analyses the problems and drawbacks of different forms of regulation.

Section 1.2 of this chapter discusses misconceptions related to the terms “cybercrime”, “national security” and “cyberwar” and the consequences of the lack of a clear distinction between them. It frames the further discussion of self- and co-regulatory measures in the field of cybersecurity by referring to various domains of regulation and highlighting the problems which arise from the blurring borders between law enforcement and civil and military defence.

Section 1.3, firstly, provides insights into the historical development of co-regulation and self-regulation as forms of public–private collaboration against cybercrime in the multi-stakeholder environment. It refers to the evolving nature of cyber-threats and explains the complexity of the cybersecurity ecosystem. Secondly, it analyses the differences between theoretical approaches to self- and co-regulation and practical implications of public–private collaboration. Thirdly, it analyses the emerging trend of legislating cybersecurity.

Section 1.4 examines existing types of collaboration between governments and industries at the national and international levels, such as national public–private cybercrime platforms, public–private partnerships on tackling particular problems, industry codes of conduct and emerging models of wide-national and international public–private cooperation initiatives in cybersecurity.

Section 1.5 discusses the problems that existing forms of public–private collaboration may encounter. One of the main issues covered in this section is the degree of governmental intervention and the disadvantages of the recent turn from a collaborative bottom-up approach to statutory intervention. It expresses concerns that the shift from encouraging voluntary collaboration to coercion is a dangerous setback in fighting cybercrime and maintaining cybersecurity. Furthermore, the section analyses such problems of public–private cooperation as limitations related to the mandate of governments, human rights and safeguards, transparency, accountability, costs and incentives. Finally, the section concludes by answering the question of where governmental intervention is an option for making the cyberworld safe and secure.
1.2 Cybersecurity, Cybercrime, Cyberwar? Terminology and Misconceptions

Public–private collaboration in the field of cybersecurity includes many private stakeholders involved in a broad range of activities—from hotlines for the takedown of illegal content to nation-wide programmes on critical information infrastructure protection, from ad hoc collaboration on tracing online child abuse rings to jointly funded projects on botnet mitigation. However, despite the success of many public–private cooperation projects, there are currently debates about the inefficiency of public–private collaboration and the need for tougher regulatory schemes in cybersecurity. Sceptical voices are mostly raised because of national security concerns. While in the field of fighting cybercrime there is general agreement that public–private collaboration is the only way to tackle the various forms of online criminal activity, the discussions on public–private partnerships in cybersecurity bring and support the opposite point of view: according to some studies, industry is rather reluctant to participate in joint activities, the goals of the public and private sectors do not match, and public–private partnerships have more limitations than benefits. This discussion will be further addressed in the chapter on the forms of government intervention. However, before starting any debate, it is necessary to understand which domain the “cybersecurity” cooperation actually belongs to. The mixed opinions about the benefits of public–private partnerships in cybersecurity come from a misunderstanding of the fact that such partnerships operate in distinct areas that represent different, though overlapping due to the nature of cyberspace, domains of various governmental bodies.

As Nye [1] points out, despite the attempts to picture cyberspace as an “ungoverned lawless Wild West” [1: p. 14], the cyber domain involves various forms of regulation—from strict forms such as government-led control by means of criminal law and criminal procedure law related to cybercrime to multidimensional multi-stakeholder forms of governance such as ICANN and the Internet Engineering Task Force. Cybersecurity is one of the domains where frameworks for governance do exist, though they are managed by different public and private stakeholders. The problems of collaboration in providing cybersecurity arise because the security of information networks is a very complex and multifaceted matter, which has, depending on the field governed, different dimensions and various implications for governance.

One of the biggest issues in any cybersecurity governance debate is the use of the generic term “cybersecurity”. This “umbrella” term can conflate security problems that might be similar in their technical nature but have very different consequences in terms of law and regulation and, thus, a different set of solutions [2]. The cybersecurity-related terms, such as “cybercrime”, “cyberwar”, “cyberattack” and “cyberterrorism”, in the absence of a clear consensus on their meaning and given their relative novelty, are used interchangeably [3] and “with little regard for what they are meant to include” [4]. This practice creates confusion and misunderstanding as to what the issue actually is and which form of legal and regulatory response should address it. The “sensationalisation” [3] and exaggeration [5: 2] of certain cybercrimes, which come from the overuse of terms such as “cyberwar” and “cyber-weapons”, and the tendency to “view the situation in catastrophic terms” [6], further contribute to the confusion in distinguishing the law enforcement and national security domains.

This perplexity has negative consequences for public–private collaboration, because the forms of cooperation which are successful in one area of law and regulation can fail, or can hardly be leveraged, in another domain. The areas of regulation, such as law enforcement, civil defence and military defence, do overlap because of the nature of cyberspace; however, confusing them can cause misinterpretation with regard to the goals of collaboration, the set of stakeholders involved and the incentives for both public and private parties. Thus, in the debate on the success of cooperation between governments and the private sector in the field of cybersecurity, it is very important to understand in which field the cooperation is being carried out.

The misinterpretation of different terms and domains, such as fighting cybercrime, protecting critical information infrastructure and national security, worsens due to the absence of a fine line between these fields. The same technical tools can be used in cyberspace to commit profit-driven crimes and to carry out acts that can legitimately be treated as national security concerns by many governments. For example, botnets are widely used for committing profit-driven crimes and are one of the tools the cybercrime industry uses to flourish; however, they have also been used for politically motivated attacks and cyber-espionage [7]. The problem of blurring boundaries further contributes to the uncertainty as to how and by whom cybersecurity should be governed, what the applicable legal and regulatory regimes are and which roles private stakeholders will play in safeguarding cyberspace.

The analysis provided in this chapter does not serve the purpose of defining cybercrime, cybersecurity and cyberwar—this task would require much more space since, first of all, there is no agreed definition of any of those terms [8, 9], and, secondly, there are still debates on the applicability of the term cyberwar in the framework of international law [8]. The further discussion serves to show the blurring borders between different cybersecurity-related domains and the confusions associated with this uncertainty.
1.2.1 Cybersecurity: Different Dimensions and Blurring Borders

The set of threats emerging in cyberspace blurs the boundaries between several areas which traditionally were considered to be distinct fields of policy and regulation. First of all, the division between internal and external order [10], and as a result the dichotomy of internal and external policies [11], is being undermined due to the transnational nature of cyberspace. Traditionally, maintaining public order required law enforcement and criminal justice for internal order, and military force and international agreements for the mitigation of external threats [10]. Cyber-threats, which can originate from abroad or from the same city and target both external and internal order, are sometimes very hard to attribute clearly to one of the policy domains.

Secondly, this complexity further increases with the blurring borders between fields that traditionally used to be clearly distinct: civil defence, military defence and criminal justice (law enforcement) [11, 12]. The fading of boundaries in this field has been caused by the change that cyberspace brings to the concepts of aggression and crime. The traditional notion mostly referred to aggression and acts committed in the physical world, for both crimes and war. In the case of a breach of criminal law, there was a clear domain for criminal justice and policing to prevent crime and to prosecute the offender, with the ultimate dominance of a reactive approach [8]. This sphere of responsibility was clearly defined by statutory regulation. It mostly required application of the national law of the sovereign state and, if there was an international component, collaboration between law enforcement agencies across borders. Mutual legal assistance treaties were mostly enough as a mechanism for assistance in the case of cross-border crime.

The same concept of physical aggression played an important role in the field of war conflict between states. Brenner [10: 403] highlights that “war is unambiguous in the real-world because it is unique; only nation-states can summon the resources needed to launch a physical land, sea, or air attack on another nation-state”. Aggression for the purpose of military defence meant a physical attack or the threat of it, and referred to territorial issues. This concept allowed for defining the regulatory and policy domain responsible for defence and the applicable legal regime in the case of war.

However, nowadays, because of the anonymity of the Internet and the blurring borders between state and non-state actors, it is much more difficult to make a clear distinction, both for the purpose of prevention of and reaction to cybersecurity threats. States can initiate cybercrimes and cyber-espionage, politically motivated individuals can launch cyberattacks that cannot be attributed to any foreign government and organised crime groups can attack businesses to a degree that makes it a threat to the economic well-being of the nation. The questions that arise in this regard still remain unanswered. How to attribute cyber-espionage to a particular state? How to distinguish the prevention of hacker attacks which are not backed by state parties (hacktivism) from the prevention of state-organised cyber-aggression? Does cross-border surveillance or breaking into networks carried out by a foreign government constitute a crime or an act of aggression, or is there no legal regime applicable to this kind of behaviour?

Theoretically, the domains can be distinguished based on the nature of the threats and the approaches to addressing them. One way to draw a line is the “two-stream” model suggested by Maurer [13]. His research differentiates two international (UN-level) approaches to cybersecurity issues: the politico-military stream and the economic stream. The former refers to the use of information technologies for undermining international stability, and the latter includes the criminal misuse of information technologies [13]. This distinction is further supported by Jang and Lim [14], who discuss two main common approaches to cyber-threats: the security-oriented approach, which considers cyberattacks as a threat to national security, and the law enforcement approach, which brings the issue of attacks into the domain of criminal justice. The former relates to efforts to deter and prevent, and the latter focuses on investigation, attribution and prosecution.

While this distinction certainly exists and, moreover, allows drawing a line for the purpose of this analysis, for some types of “crimes” it is debatable whether they fall into the economic crime or the national security category. For example, while economic espionage can be attributed to cybercrime [14] when it is profit-driven, there are growing concerns that this type of spying on companies can threaten national security, especially when committed by state-sponsored actors [15]. In May 2014, the US Department of Justice charged five Chinese citizens with hacking into the networks of US companies. The indictment linked the espionage to the Chinese government, named members of Unit 61398 and identified them as members of the Shanghai-based cyberunit of the People’s Liberation Army. This was the first attempt to attribute economic espionage to the people “behind the screen” and, moreover, to link the acts not only to particular people but also to a foreign government. It is outside the scope of this chapter to make political or legal judgements on this case. However, it does show how the borders between the “national security” stream and the “crime” stream are blurring.

Another example of the efforts to bring a national security case into the domain of criminal justice is the investigation into the electronic mass surveillance of EU citizens carried out by the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament. At one of the hearings on the allegations of the NSA tapping into the SWIFT database, issues were raised with regard to the involvement of Europol in the investigation of NSA activities and the mandate of Europol in cybercrime investigations. Answering the questions, the Director of Europol, Rob Wainwright, stated that, firstly, no EU member state had made a request to investigate NSA activities, and, secondly, Europol has no mandate to investigate any state espionage allegations. As a result of the inquiry, the European Parliament adopted a resolution of 12 March 2014 “On the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs [2013/2188(INI)]” calling for the “full use” of the mandate of Europol for requesting the competent authorities of the member states to investigate cyberattacks with cross-border impact and, if necessary, enhancing this mandate to allow the initiation of Europol’s own investigations. In addition to illustrating the tension between the mandates of criminal law and national security, this case constitutes yet another attempt to bring the two domains together and investigate national security threats under the mandate of criminal justice.

Some experts even say that the distinction is not relevant anymore because the focus should be put on the methodology of the attacks, the targets and the consequences [12]. This assertion can, to some extent, be true concerning the tools and consequences of the attacks, especially for the private sector in relation to damage control and risk mitigation [3]. However, it is still relevant to draw a cleaner, if not a clear, line between law enforcement and national security in order to clarify the “ownership of cybersecurity” [4] and to understand which entities should deal with an incident: national security agencies, the military or law enforcement [8].

One possible option for making a relevant distinction is criminal attribution. However, attribution also represents a certain challenge due to the anonymity of the Internet. Evidently, it is only attribution that can provide the information on whether the source of an attack is a criminal or a state actor and define the domain of criminal justice or national security according to the nature of the threat [3]. Yet there is one factor that is difficult to find out, namely the motivation of the offender. Motivation plays an important role: the person behind a cyberattack might be a stand-alone criminal, a criminal backed by a government, a politically motivated hacktivist or someone with terrorist motives.

Does attribution help to separate domains for the purpose of providing cybersecurity? On the one hand, it might be (theoretically) useful to use attribution for distinguishing different types of security threats, such as national security and crime—this will at least allow defining the domain of cooperation, be it criminal justice or national security. On the other hand, attribution itself is in many cases difficult, if not impossible, because of the anonymity of the Internet and its transborder nature. Furthermore, attribution requires some effort in investigating the attack. It means that in order to be attributed and to fall within one of the domains, be it national security or law enforcement, the attack has to be investigated first, but it is unclear whether law enforcement or national security entities have to carry out the investigation. Thus, the question of attribution, though very important for practical purposes—from the investigation and prosecution of cybercrime to identifying risk trends and developing adequate responses in the national security area—can be only of theoretical importance when it comes to drawing a clear distinction between the different domains.

It is evident that, despite all the attempts to draw a distinction between security mandates using the concepts of criminal law, the law of armed conflict and public international law, the whole concept of cybersecurity does not fit the traditional concepts used for this distinction [6]. There is a complex set of factors which assigns a particular problem to law enforcement or to the agencies responsible for national security: the seriousness of the threat, the possible consequences and the scale of the particular problem, just to name a few. Moreover, both national security and crime control bodies may consider the same cybersecurity issue from different angles as a part of their domain. Again, one of the good examples is the risk associated with the use of botnets: they are considered a concern for law enforcement agencies because they are used for the commission of profit-driven crimes, and for national security agencies due to the role they can play in politically motivated attacks and economic espionage [7].
1.2.2 Areas of Public–Private Collaboration on Cybersecurity

The uncertainty which arises from the blurring borders between cybercrime and national security has negative effects on the progress of public–private collaboration in the field of cybersecurity at both the policy and the operational level. With blurring borders, ambiguous domains, an absence of clear definitions of what crime and cyberwar are, and attribution issues, it is hard to develop successful frameworks for collaboration. To understand clearly which private entities should be involved in addressing a particular problem, and in what way, it is necessary to have an idea of which government entities are responsible for that issue.

There have been attempts to distinguish domains by, for example, identifying priority areas, as has been done by the EU Cybersecurity Strategy, which sets several priorities: achieving cyber-resilience, reducing cybercrime, developing cyber defence policy and capabilities, developing industrial and technological resources for cybersecurity and establishing a coherent international cyberspace policy. This division is largely in line with the distinction made in the academic literature. For example, Klimburg [16] distinguishes several mandates in national cybersecurity: military cyber, countering cybercrime, intelligence and counter-intelligence, critical information infrastructure protection, cyber diplomacy and Internet governance, with each of them being addressed by different departments within the nation state. Klimburg [16] argues that, despite the fact that the areas of cybersecurity represent different facets of the same problem, each of the fields has its own distinct focus and lexicon.

Further difficulties arise from the lack of agreement on what constitutes cybersecurity and what this term actually encompasses. There is no internationally accepted definition of cybersecurity (for example, the EU Cybersecurity Strategy does not define it), so the understanding of this term differs from one nation state to another. Cybersecurity can be referred to as a broad concept, which includes security in both the online and the offline world, or narrowed down to online safety only [17]. Confusion might grow when the meaning of cybersecurity is limited to safeguards and actions to protect networks and information infrastructure with regard to their confidentiality, integrity and availability (CIA crimes). For example, some studies [18] in this regard contend that cybersecurity should be focused on technology-based and code-based threats and should be limited to crimes committed against computers (CIA crimes), excluding crimes which are merely facilitated by the use of computers. If we apply this theory to public–private collaboration in cybersecurity, the concept of CIA threats covers a wide range of activities related to both the civilian and the military field. However, it excludes some very important forms of cooperation related to illegal content crimes such as online child abuse images and terrorist content. Illegal content does not represent a technical cybersecurity threat since it does not interfere with networks and systems. However, hardly anyone would debate the importance of the fight against child abuse. When cooperation in the field of cybersecurity is limited to technical threats only, a wide range of activities can be excluded and overlooked, despite the fact that the initial involvement of private industry in fighting cybercrime started with the creation of hotlines for the removal of child abuse content.

Collaboration in the field of cybercrime does not always include technical aspects of cybersecurity and the protection of networks and systems. For example, fighting online child abuse, despite requiring technical knowledge and the use of technical tools for investigating crimes and detecting offenders, has a different object of legal protection than the technical security of networks. Vice versa, not every cybersecurity effort is related to cybercrime. The investigation and prosecution of crimes as a domain of law enforcement represents just a narrow field within the complex issue of cybersecurity. In addition to bringing the criminal acts of committing cyberattacks into the criminal justice domain, the efforts of the different stakeholders in the cybersecurity ecosystem include deterrence, network resilience, the collection of information on the types of attacks and attribution to the source without prosecution, just to name a few.

This book chapter approaches the issue of public–private collaboration from a broad perspective and focuses on different forms and areas of cooperation, including tackling the problem of cybercrime, the protection of critical information infrastructure and national security. For the purpose of this analysis, the first area—cybercrime—covers not only crimes committed against the confidentiality, integrity and availability of computer systems, but also content crimes (such as child abuse images and terrorist content) and any other types of crimes committed online. Public–private cooperation in this field can be attributed to the “criminal justice domain” and includes the prosecution, investigation, detection and early disruption of crimes committed online, be it crimes against the confidentiality, integrity and availability of data, computer-facilitated crimes or crimes related to illegal content. Collaboration in this area is based on criminal law and criminal procedural law, the legal frameworks on the liability of intermediaries and partially on preventive police law.

The second area of cooperation is the involvement of the private sector in national security. As a field distinct from criminal justice, it refers to collaboration between industry and governments on such security concerns as politically motivated attacks, economic espionage and serious threats. The third field is alliances between private stakeholders and regulators on cyber-resilience and critical information infrastructure protection. The distinct feature of this area, though it can be considered part of the national security concerns, is that the threats to critical information infrastructure do not necessarily involve malicious intent. Critical information infrastructure protection includes resilience to weather disasters, technical failures and human errors.

It is hard to separate these three fields clearly, because they overlap. However, with this separation (even if the borders are blurring), a certain field of regulation can at least be distinguished and attributed to particular agencies, depending on the country: cybercrime to law enforcement, national security to governmental bodies such as foreign ministries and intelligence services and critical information infrastructure protection to certain types of regulators.

Another important factor is that the same private stakeholders can play multiple roles: one global service provider or financial institution can be part of public–private partnership programmes in all three areas. For example, global service providers such as Microsoft and Google are the owners of their internal technological infrastructure, providers of services to their customers, and personal data controllers and processors; they can participate in ad hoc cooperation with law enforcement agencies on investigating a particular case, collaborate on capacity-building programmes, or get involved in the analysis of threats related to national security.

The participation of private industry in all three fields is necessary but has different dimensions and consequences. While there is a widely accepted notion that government cannot and shall not be expected to fight cybercrime and provide cybersecurity alone, there is a common misunderstanding about the role of the industry in the aforementioned fields, and, as a consequence, unmet expectations and a failure to leverage good practices and core competences from one area to another. The fundamental problem is that distinct laws regulate those fields and the role of the industry is different for each of these areas. While many public–private collaboration initiatives have reached some degree of success in the criminal justice domain, they cannot yet enjoy the same level of success in the national security field, which tends to be less inclusive. Misconceptions arise when the areas of regulation are mixed, because national security tends to have higher political priority, fewer stakeholders involved in the decision-making process and less transparency. According to a study carried out by the OECD [19], businesses and civil society are concerned with the trend of increasingly blurring borders between national security and economic/social security and warfare semantics, because this absence of separation can bring “challenging consequences”, such as additional burdens, lack of transparency and less openness.
1.3 Regulating Cybersecurity: What Are the Options?

Before the emergence of information and communication technologies, fighting crime and providing public security was mostly considered a domain of national governments. Both criminal law and national security imply sovereignty issues, the duty of the state to protect its citizens and mechanisms of enforcement of the legal and policy frameworks, which require hierarchical structures and command-and-control approaches.

The problem of fighting cybercrime and protecting national interests in cyberspace, in the first place, reflects the tension between non-flexible legal frameworks—which, like criminal law, were not meant to be flexible by their nature—and the non-hierarchical structure and the borderless nature of information and communication networks that do not fit the traditional top-down command-and-control models. The decentralised architecture of the Internet is eroding old paradigms of the division of responsibilities between government, private sector and civil society, also because in general, the concept of Internet governance has been largely dominated by the idea of a multi-stakeholder model. This transformation of the role of regulators and nation states in governing one of the biggest “enablers” of the modern economy and the idea of hands-off regulation for the sake of technological development allowed the Internet to flourish and penetrate all areas of business and social life.
1.3.1 Cybersecurity as a Multi-stakeholder Environment: Transformation

Until the beginning of the 2000s, governments and law enforcement agencies mostly had to intervene only when information security failed and crime happened—the main agenda for the public sector was to criminalise the new types of threats, such as crimes against confidentiality, integrity and availability of computer data and systems, to equip law enforcement agencies with tools—both technical and legal—to investigate and prosecute the new types of infringements and to harmonise substantive criminal law and procedural frameworks on the international level to avoid the creation of safe havens for cybercriminals. At this stage, industry was considered mostly as a collaborator for investigations or for taking down illegal content online, and it was mainly the ISPs who got involved as a focal point for cooperation. With the growing number of Internet users and, as a result, increasing cybercrime rates, it was obvious that centralised state intervention can often fail to address the problem, because criminals can easily bypass traditional regulatory frameworks in transborder cyberspace [20: 1]. Due to the low reporting rates of cybercrime and cyberattacks [21: 69], it became extremely difficult for governments and law enforcement agencies to detect cybercrime on their own: due to the lack of resources, they could do little more than investigate and prosecute only a “tiny fraction” [22: 5] of cybercrime, let alone follow the complex and constantly changing landscape of cyber-threats. As a consequence, states are increasingly engaging in partnerships with the private sector to tackle cybercrime [23, 24], and co-regulatory and self-regulatory measures were sometimes appraised as being even more effective than criminal law and its enforcement [25]. This trend started in the 1990s with the creation of the first private hotlines for reporting illegal content, mainly related to child abuse, as will be discussed in Chap. 2 of this edition. Nowadays, self- and co-regulatory approaches exist in many areas of fighting cybercrime on both national and international levels.

However, until the end of the 1990s, when the threat of the millennium software bug attracted a lot of attention, the concept of “cybersecurity”, as well as the term itself, was not common [16: 12]. National governments, busy struggling to apply old legal frameworks to fighting cybercrime, striving to find new models to involve private stakeholders in cooperation and trying to define the borders of the responsibilities of intermediaries for illegal content, mostly left the issue of cybersecurity with regard to securing networks and infrastructure to the private sector. One of the important aspects that set the paradigm for this approach was the fact that with the commercialisation of the NSFNet in the 1990s, the US government moved the development and management of the infrastructure to business and non-profit organisations and applied a hands-off model to Internet governance, leaving the governance of the domain name system to a private entity—ICANN [26, 27].

The whole development of the Internet was dominated by commercial interests and market forces and followed the principle of imposing no regulation for the sake of faster development. In this context, the private sector was considered to have enough knowledge and experience to provide security for its networks. Moreover, private entities were in general opposed to any attempts to regulate the Internet because of the general perception that regulation is too slow and government intervention can hamper the development of new technologies [27]. This approach has proven to be a great success for the evolution of information and communication technologies: in just a few years, industry developed fast and cost-effective solutions for providing connectivity and services. The Internet boosted economic growth, penetrated all areas of social life and the economy, and, ultimately, became an essential part of everyday life and—as a turning point—brought a growing dependency on information infrastructures. This interdependency of different critical infrastructures, both public and private (banking, energy supply, information technologies, etc.), and their increasing dependence on information networks, which made them vulnerable to crimes and attacks [28, 29], dramatically changed the cybersecurity landscape. New types of attacks such as botnets, where automation plays an important role, brought complex challenges for the prevention, detection and investigation of new types of crimes and new concerns about the possible drastic effects that even a short disruption of the functioning of critical information infrastructures can have. This can be considered a turning point with regard to reconsidering the role of governments in the cybersecurity field and recognising cybersecurity issues as one of the high priorities on the political agenda.

The consequences of these developments are twofold. On one hand, this increasing complexity drove the development of new cooperative models for addressing the new challenges and shifted the focus from cybercrime and a reactive approach (investigation and prosecution) to a far-reaching concept of cybersecurity, which also includes proactive measures such as prevention, detection, awareness raising and information sharing. On the other hand, the pictures of catastrophic scenarios “have produced a rush to regulate cybersecurity” [6]. The possibility of a failure with drastic consequences made policy makers question the reliability of hands-off regulation and consider stronger involvement of governments in the provision of cybersecurity [26].

This transformation has changed the scene of addressing the problem of cybersecurity into a “complex policy issue, which requires solutions at various levels, both national and international, and by means both non-governmental and governmental” [18]. The ecosystem of cybersecurity itself poses a big challenge: the fast and mostly unregulated development of information and communication technologies resulted in the “existence of myriad actors in the information security field” [30: 143]. The complexity of this ecosystem raises new issues of determining the roles and domains of the different stakeholders involved in tackling cybercrime and securing a safe cyber-environment. The growing number of Internet economy intermediaries—not only ISPs but also e-commerce and m-commerce companies, e-payment providers, application developers and software vendors, critical information infrastructure operators and others—became “critical nodes” for preventing and investigating cybercrime and safeguarding the security of their systems and networks in their respective sectors [31: 196]. Whether governments want it or not, the fact that cyber infrastructure was built and is owned by the private sector, together with the whole structure of decentralised networks and their history of non-hierarchical regulation, makes the cybersecurity ecosystem a flexible multi-stakeholder environment with no single entity at the top that can control and manage the processes. The idea that no single government can provide cybersecurity using only its own capabilities without involving the private sector has thus become “conventional wisdom” [32: 85].

However, despite the general agreement that governments on their own can make only “poor enablers” of cybersecurity [33] and the call for cooperation and multi-stakeholder approaches, there is no clear idea with regard to the models of cooperation. The technical complexity of the digital ecosystem, the heterogeneity of stakeholders involved in different layers across jurisdictions, blurring borders between external and internal policy and between public and private matters, and the absence of a clear distinction between law enforcement, civil defence and military defence create a situation of regulatory uncertainty which delays the development of effective regulatory solutions [11, 34, 35]. Due to the convergence of services and the uncertainty of the legal regimes applicable to different cyber-threats (crime, national security, intelligence), regulatory spheres can superimpose and the mandates of different agencies dealing with cybercrime and cybersecurity can overlap. Until now, there is no widely accepted model of the distribution of regulatory responsibilities in the ecosystem of cybersecurity answering the question of who shall regulate and what [36]. For example, despite the current attempts of the European Union to create a homogeneous approach to cybersecurity, the system of mandates of different stakeholders and regulatory bodies in this field in the EU looks like an extremely complex puzzle, where “no-one…has a clear understanding of how all the different pieces fit together” [37: 17]. The international dimension of the problem and the fact that nation states can have conflicting security interests further contribute to the increasing complexity of the regulatory challenge [38, 39: 430].

Bearing in mind this uncertainty of regulatory domains, some studies suggest that new models of regulation should be developed to address cybersecurity problems. The World Bank Group [40: 3–4, 41] suggests that the ecosystem of cybersecurity is moving to a network model: instead of focusing on institutions and functions (who shall do what), the focus has to be shifted to processes (e.g. fighting SPAM or the creation of computer emergency response centres), procedures and information flows between different institutions. The network model refers, instead of to specific agencies, to bodies (nodes) performing different functions in the ecosystem of cybersecurity and sharing—formally or informally—information and practices. The network model of the cybercrime and cybersecurity ecosystem, where hierarchical structures of governance are no longer applicable or have to be complemented, raises the challenge of creating better regulatory approaches in which the central question is how cooperative governance can achieve the desired outcomes of reduction, detection and investigation of crimes. Dupont [34] refers to “nodal” regulation and the concept of regulatory pluralism, which is based on the belief that “by relying on diverse, complementary and self-reinforcing regulatory instruments, policies can be implemented in a manner that is more responsive to the specific context, resources and constraints of a particular sector”, as one of the possible ways to address cybersecurity problems. Gercke et al. [36] and Tropina [42] suggest the concept of “smart regulation”, which will be able to analyse the threats, to detect whether intervention is needed and to develop new tools for dealing with the problems instead of applying old means that were not meant to regulate a decentralised environment. All these models assume that the gap between traditional models of governmental intervention and the complex technological environment can be bridged only by approaching it with new flexible cooperative models that include both public and private stakeholders and can combine the nodes of both legal and extra-legal regulation and facilitate the “reflexive and cohesive approach” [43: 19] to cybersecurity—necessary in a transnational decentralised network world.

While national governments have the power to establish and enforce legal and regulatory frameworks, the private sector understands the changing and converging nature of the ICT environment and has greater adaptability towards new technologies and services. Private actors have more expertise and resources and possess the necessary knowledge to investigate cybercrime and single out relevant cybersecurity threats, analyse them and produce an adequate response to them [11]. The private sector’s knowledge and adaptability complement the resources and expertise of the government in the enforcement of criminal law and crime investigation and the government’s mandate in foreign policy and diplomacy.

However, despite the clear need for mutual support between governments and the private sector in the cybersecurity and cybercrime field, the “ways and means of this assistance are fiercely debated” [16]. The concepts of how to achieve the involvement of private industry vary significantly in terms of the degree of governmental intervention, the combination of regulatory tools and economic and policy incentives. In general, three ways can be identified, although their nature is often confused: regulation, co-regulation and self-regulation. Interestingly, despite the general acknowledgement of the need for the state and the private sector to partner with each other, in many cases the suggested approaches to such “partnerships” tend to be governmental intervention rather than cooperation, where duties and responsibilities are imposed on private actors with some degree of control from the government. One of the prominent examples in this regard is the EU Cybersecurity Strategy, which calls for a collaborative approach between industry and governments to secure cyberspace. However, despite this declaration, one of the measures the strategy proposes is obligatory reporting of security breaches, which, of course, implies the participation of the private sector in information sharing but excludes the voluntary element and uses coercion instead. Such measures cannot be attributed to collaboration or partnerships, since they are simply an example of pure statutory regulation. This is why it is necessary to understand what self- and co-regulation are and what they are not.
1.3.2 Self- and Co-regulation: Theoretical Approaches and Practical Implementation

The shift from the concept of information security driven mostly by market demand to cybersecurity as part of the policy agenda happened in the beginning of the 2000s [44]. This turn was caused by the growing critique of the hands-off concept, driven by governments’ concerns about protecting critical information infrastructures. The change of attitude raised the question of what kind of model of regulation is applicable to the increasingly unruly cyberworld. The choice between a top-down hierarchical approach and a completely bottom-up approach, or a combination of the two, can generally be considered as a choice between different options to implement and enforce regulation. These approaches vary depending on the balance between the degree of governmental intervention and voluntary participation of the industry and include market-based solutions, self-regulation, co-regulation and statutory regulation [45: 5]. The most desirable solutions referred to for the complex multi-stakeholder system of cybersecurity are self-regulation and co-regulation as a compromise, which, on one hand, avoids a laissez-faire approach to issues of critical importance and, on the other hand, ensures that the development of information technologies is not hampered by direct governmental intervention.

Though self-regulation and co-regulation by definition presume different levels of state intervention, there are various perceptions and practices within these two forms of regulation. Depending on the level of state involvement, two approaches to the privatisation of regulation can be identified: top-down and bottom-up. Since co-regulation presumes the direct involvement of public actors in the regulatory process, especially with regard to enforcement, such a regulatory mechanism is primarily considered or understood to take a “top-down” approach [46: 12] and to complement legislation rather than be an alternative to legal ordinances. On the contrary, self-regulation (at least in theory) is initiated by private stakeholders and established independently from the adoption of legal orders and, thus, follows a “bottom-up” approach [46: 12]. It should be noted, however, that even if self-regulation implies implementation and enforcement by private stakeholders themselves without the involvement of statutory obligations, in practice this often does not mean that the state stays away from the effort to impose self-regulation.

Both models exist in different jurisdictions. The co-regulatory approach as a strict form of collaboration happens when self-regulation involves a public authority, a reference in legislation, or is introduced, overseen and/or enforced by the power of a legal ordinance [47]. The degree of interference may vary from agreements between government and industry to an obligation of self-regulation imposed by law. In some cases, the lack of coordinated legal provisions can be the reason for co-regulation: in the Netherlands, co-regulatory procedures for taking down illegal content were implemented because the provisions of the Criminal Code on ISP liability stipulate obligatory content removal, but no relevant procedure had been provided in legislation [48: 24].

The degree of softer government intervention in co-regulatory efforts may vary. It can take the form of support provided by government with regard to the creation of different organisations, associations and forums. The state can take part in the elaboration of agreements between the ISP associations and law enforcement agencies or provide support to the hotlines or reporting platforms carrying out awareness campaigns.

As distinct from co-regulation, which includes state participation and enforcement as a necessary component, self-regulation is represented by non-hierarchically organised private actors, such as industry associations and organisations that implement different mechanisms for self-regulation within the industry. The involvement of these actors in fighting cybercrime and providing cybersecurity varies from ad hoc collaboration upon police request to sustainable self-regulation, for example private hotlines for reporting illegal content. Many forms of self-regulation include the state either as initiator or as participant, even when the enforcement of self-regulatory measures is assured by the private sector. It has often been asserted that the most successful cases of self-regulation involve some participation of the state in one form or another [49]. In contradiction to the perception of self-regulation as voluntary coordination, some studies argue that self-regulation can have a mandatory element, for example through high-level statutory backing or through self-regulatory bodies being specified in statute [47].

Despite the existence of different forms of self- and co-regulation, the current debate around the private sector’s involvement in cybersecurity mostly revolves around public–private partnerships, which represent a distinct form of co-regulation. Two critical points should be made for a clear understanding of public–private collaboration in cybersecurity and cybercrime. First of all, the existing channels of collaboration, information sharing and other activities are much broader than the concept of public–private partnership, and they have already more or less achieved the short- and medium-term goals of advancing the involvement of the private sector in cybersecurity. Secondly, the debate about public–private partnerships frequently misuses this term. Not every existing channel of collaboration and form of cooperation, even if it is structured and sustainable, can be considered a public–private “partnership”. In theory, the ideal form of true partnership represents entities with “equivalent power over the relationship and at least somewhat differing goals and objectives agree to compromise their interests and jointly develop an action plan to achieve mutual gain for each other’s objectives as well as mutual objectives” [50]. Any form of regulated self-regulation, mandatory reporting or even governmental coercion of regulated private entities to self-regulate certain areas would not be a partnership, but rather a form of direct governmental intervention. The scope of this book chapter goes beyond the debate on public–private partnerships and tries to analyse other valuable forms of collaboration, including ad hoc cases, to show the complexity of the issue and the degree of involvement of the private sector.

Another misconception with regard to the forms of self- and co-regulation in cybersecurity is related to the choice of “bottom-up” versus “top-down” approaches. One of the examples is so-called regulated self-regulation. For instance, in Germany the framework for self-regulation with regard to protecting minors online is established by a law that stipulates the duty of the self-control associations to make sure that their members act within the rules of the treaty for the protection of youth. Furthermore, several self-regulatory associations operating in Germany represent the case of “regulated self-regulation”, a form of self-control that is initiated by the government: the state creates a framework for self-regulation and then gives the industry the leading role in developing the rules [23, 51]. Though labelled with the term “self-regulation”, this form represents a top-down approach with the direct intervention of the state to initiate self-regulation and to create a framework for it. The industry has no choice, even if there are no “incentives” other than state coercion.

Although self-regulation in theory shall be driven by market forces and the idea of resolving issues and advancing policy objectives without legislative intervention or pressure from the state, it is hard, but not impossible, to find a pure example of bottom-up, industry-driven self-regulatory initiatives which have not been at least to some extent informally encouraged by governments [31]. Despite the theoretical concept of a top-down approach, governments can get involved in self-regulation indirectly, by approving the activity at one of its stages, or—even more tacitly—by implementing legal provisions that lead to some forms of self-regulation and coordination within the industry. Publicly debated legal frameworks and policy issues in the multi-stakeholder environment can help to set frameworks for self-regulation and co-regulation and encourage industry involvement [31: 14]. Thus, the need for self-regulation, though “bottom-up” driven, in many cases still comes either as a result of statutory law supporting it or as a response to indirect state coercion. When the government has no agenda for promoting and supporting self-regulation or does not implement legislation which would increase the willingness of the private sector to cooperate on cybersecurity, the private sector itself can be very sceptical about self-regulation, or initiatives may be undermined by state apathy towards current legal statutes, a lack of driving forces and uncertainty about those statutes.
1.3.3 Legislating Cybersecurity?

The legal uncertainty of the different regulatory domains related to various aspects of cybersecurity raises the question as to which legal frameworks should be used for regulation, be it direct governmental intervention or softer approaches such as self- and co-regulation. In this regard, a distinction can be made between public–private collaboration in the field of tackling cybercrime and in the field of other cybersecurity concerns. Cybercrime always requires a strong involvement of public authorities [35: 2] because investigation and prosecution involve legal frameworks related to criminal and criminal procedural law. Any public–private collaboration represents an additional layer on top of the frameworks providing direct governmental intervention. Criminal law is the sole domain of national governments and law enforcement agencies. This domain cannot and shall not be privatised. Thus, any cooperation between public authorities and private actors operates within the strict legal frameworks of criminal procedural law, international cooperation and jurisdiction. This, however, does not exclude a certain degree of flexibility with regard to the prevention and detection of cybercrime—different self- and co-regulation initiatives, such as awareness-raising campaigns, detection of malicious activity and takedown of botnets, can be added as another dimension of the efforts to tackle cybercrime.

Criminal law, however, though it plays a very important role in securing a safe online environment, cannot tackle the whole complex of sophisticated threats related to critical information infrastructure protection and national security, because this field of law is meant to punish severe breaches of the public order and not to identify relevant threats and develop an adequate response to them. The obvious need for collaboration and information sharing raised the question as to what extent such cooperation should be regulated and whether there is a need for appropriate legislation. In this regard, the problem of bottom-up and top-down approaches becomes a very important issue for both industry and governments. This problem deepens due to the international dimension of cyber-threats: the different approaches which might be taken in various jurisdictions can contribute to a possible fragmentation of the attempts to address the global problem of cybersecurity.

The problem of fragmentation has become very visible in the last couple of years with several attempts to legislate the participation of the private sector in cybersecurity taken on both national and international levels, which showed significant differences in the choice between statutory regulation and encouraging voluntary participation of the industry. The former approach has been chosen at the level of the European Union in the proposed draft of the Network and Information Security (NIS) Directive, which introduced far-reaching reporting obligations and mandatory information sharing in the form of direct regulation. According to the European Commission’s proposal, the draft of the directive included critical information infrastructure operators and information society services in the scope of mandatory reporting and information sharing obligations. While the EU Parliament excluded the latter from the draft, the current amendments proposed by the European Council brought back to the draft of the document not only the list of information society service operators proposed by the European Commission, such as cloud service providers and social networking websites, but also suggested including national domain name registries and web-hosting platforms. At the same time, the European Council proposed a clause that the decision on which entities are to be included in the obligatory reporting of security breaches should be taken by the member states. There are also attempts to regulate cybersecurity at the national level taken by some of the EU countries. For example, Germany in its draft IT security law introduced several new obligations in addition to reporting obligations for critical infrastructure operators.

The above-mentioned attempts represent a clear top-down approach to the participation of the private sector in cybersecurity. A contrary way to legislate cybersecurity is the adoption of laws that frame public–private collaboration and try to provide incentives for the private sector to participate in joint efforts. One example of such legislation is the Cybersecurity Directive and Executive Order in the USA. Adopted in 2013–2014, this approach relies on encouragement instead of coercion and tries to provide incentives for reporting and information sharing.

The notion behind toughening regulation in cybersecurity is the idea that the interests of private and public partners do not match, and that the private sector is not interested in providing the level of cybersecurity that would be enough for the nation and society and, thus, shall be regulated. There are several possible regulatory approaches emerging as a response to the “unwillingness” of the private sector to collaborate. One of them is pure top-down regulation with strict duties and liabilities. Another one is softer, but still represents a top-down model: regulated self-regulation. The degree of the latter may vary from self-regulation codes developed by governments, where all industry players are forced to follow the obligations established by these documents, to mandatory frameworks for the industry. The problem of the shifting regulatory landscape and the drawbacks of the attempts to legislate cybersecurity will be further discussed in Sect. 1.5, after the overview of current initiatives which go far beyond the concept of public–private partnerships and include the constantly evolving forms of public–private collaboration.
1.4 Existing Initiatives: From Illegal Content Towards Cyber-Resilience

The development of cybersecurity policy went from the task of fighting cybercrime to a complex of solutions involving proactive and holistic approaches. However, the evolution of public–private collaboration started with cooperation related to tackling cybercrime. As will be further analysed in Chap. 2 of this book, the first initiatives, dating back to the 1990s, included mainly cooperation for taking down illegal content and reporting online child abuse. The successful establishment of private hotlines for reporting illegal content, together with the further development of information technologies, has been driving the new concept of public–private collaboration in fighting cybercrime in a multi-stakeholder environment. Growing dependency on information technologies and new threats, such as botnets, decentralised services (cloud computing), phishing and the growing sophistication of social engineering techniques for committing online fraud, called for further participation of different intermediaries in the process of securing a safe cyberspace. Industry and Internet intermediaries in this context became a growing focal point for Internet policy at national and, later, international levels [31: 9]. Nowadays, the scope and scale of public–private collaboration in fighting cybercrime and providing cybersecurity goes far beyond illegal content issues and involves different areas of ICT markets and various forms of cooperation: from ad hoc to long-term public–private partnerships and nationwide joint cybersecurity initiatives.
1.4.1 Fighting Cybercrime: Forms of Cooperation

1.4.1.1 Hotlines and Reporting Platforms—The First Forms of Collaboration

One of the first types of collaboration between the private sector and governments in fighting cybercrime was the private reporting platforms and hotlines established in the 1990s. In particular, the first hotlines for reporting illegal content were promoted by the European Union Action Plan and the UK’s Internet Watch Foundation (IWF). The IWF, a private industry-based self-regulatory body, runs a hotline for reporting online child abuse content. It was announced in September 1996 with the support of the UK government as a private body financed by the ISPs [52: p. 307]. Another example of public–private collaboration in this field is the pan-European hotline association INHOPE, formed in 1999 and expanding rapidly in Europe in the early 2000s. Funded by the Safer Internet Action Plan and Microsoft, this association aims to coordinate and build capacity in reporting illegal content [49]. The development of this form of collaboration is analysed in detail in Chap. 2.
1.4.1.2 Industry Codes of Conduct

Another form of self- and co-regulation is codes of conduct (or codes of practice) on cybersecurity and cybercrime, which have been adopted in many states. These codes set rules on the behaviour of private industry players in particular circumstances: respect for privacy, protection of minors and the application of filtering software. The most common form with regard to addressing cybercrime is the ISPs’ code of conduct, for example, the notice-and-takedown code of conduct in the Netherlands, the “Voluntary self-control of multimedia providers”, which forbids providing access to illegal content (e.g. pornography or content that is harmful to minors), and the Australian ISP code of practice on cybersecurity.
1.4.1.3 Public Awareness Campaigns

Furthermore, governments and private industry can cooperate on raising public awareness of cybersecurity and cybercrime. One example of such collaboration is the “Stay Safe Online” project of the National Security Alliance in the USA, launched in 2010 as a public awareness campaign in partnership between the US Department of Homeland Security, the Federal Trade Commission and private industry [53: 27]. Such awareness campaigns may be directed either at situational awareness (for example, the mitigation of a particular cybersecurity threat or the introduction of cybersecurity measures) or at long-term educational programmes aiming to build and sustain end-users’ knowledge of how to protect themselves online [54].
1.4.1.4 Education and Capacity Building

The knowledge and expertise of private industry can significantly benefit governments through educational and capacity-building programmes for law enforcement agencies. Some successful initiatives, such as the International Centre for Missing and Exploited Children, provide training programmes for police officers and prosecutors around the world to fight online child abuse. Under this initiative, Microsoft and the International Centre for Missing and Exploited Children are cooperating with more than 30 financial institutions worldwide, including credit-card companies, to establish a system that can detect online commercial transactions involving offences against children [55: 94]. Another successful capacity-building initiative is the 2Centre project, established in 2010 and supported by Microsoft and the European Commission. 2Centre is a cooperation between law enforcement agencies, industry and academia to deliver training to key cybercrime personnel.
1.4.1.5 Ad hoc Collaboration and Call for Structured Approaches

Many contacts with private parties in fighting cybercrime are made on a case-by-case basis rather than through memoranda of understanding [29: 38]. Such cases of ad hoc private–public collaboration include, for example, the so-called Mikado operation carried out in Germany in 2006. In 2004, a German TV station had identified a website offering downloads of child pornography, with payment made via Internet credit-card transactions into a specific account. Twenty-two German credit-card firms were asked to scan all their clients’ credit-card transactions from 2004 and identify those clients who had transferred specific amounts of money into the criminals’ accounts. The cooperation with the banks took place on a voluntary basis, and transactions on millions of credit cards were checked without the consent of their owners. This led to the identification of more than 300 persons who had purchased child-abuse material [56: p. 16]. Ad hoc collaboration can also take place at the international level: for example, cooperation between the American, Moroccan and Turkish police and Microsoft led to the arrests of the developers and distributors of the Zotob virus [57, 58].
1.4.2 Cybersecurity: A Call for More Structured Approaches

The rise of cybersecurity issues to the top of the political agenda and the urgent need to address a complex set of threats put significant pressure on governments and, as a result, on private parties to build new forms of cooperation, which were, as Thomas [59] characterises them, mostly “built upon pre-existing relationships, historical connections and organisational structures originally intended for other purposes in fashioning the first generation of cybersecurity PPPs—yielding structures that often reflect expedience rather than thoughtful design”.
1.4.2.1 Urgent Response: Ad hoc Collaboration

The millennium software bug has already been mentioned as a turning point in widening the scope of security initiatives from reactively addressing cybercrime to developing the concept of cybersecurity. In this regard, Lewis [27] refers to the response to the “Year 2000 Problem” (Y2K) as the first new approach to addressing the public problem of information security. Though the potential threat turned out to be exaggerated, the way it was tackled promised new cooperative models in which governments and private industry combine their efforts to address potential vulnerabilities of information networks. The approach to Y2K was twofold, combining voluntary cooperation and coercion: on the one hand, it involved government efforts to collaborate voluntarily with, and educate, users and businesses about the problem; on the other hand, the government exercised its mandate through Securities and Exchange Commission (SEC) regulations and made private industry report on the efforts they had made to respond to the threat [27].

Another notable voluntary collaboration effort, the Conficker Working Group, was also born out of a sense of urgency to address the problem of vulnerabilities. The threat posed by the sophisticated botnet worm Conficker, which infected millions of computers around the world, led representatives from industry, academia and non-profit organisations to form a working group that managed to stop the spread of the worm. Interestingly, governments participated in this working group on an equal footing: they did not initiate the effort and did not take any leading role in it [18]. This group, again, represents ad hoc collaboration, which successfully addressed the problem and was dissolved after the solution was found.

Such ad hoc initiatives, together with the cooperation experience gained from tackling cybercrime, to a certain extent proved the ability of public and private parties to collaborate, at least on an ad hoc basis, to address urgent problems. Later, the need for a structured approach [29: 38] led to more sophisticated, cross-sector forms of alliance created to serve long-term goals, especially in mitigating cybersecurity threats, protecting critical information infrastructure and investigating cybercrime. One example of such collaboration is the creation of CERTs, which in many countries are joint teams involving academia, governments and the private sector.
1.4.2.2 Towards Long-term Collaboration and Structured Approaches

One of the first attempts to establish and frame long-term collaboration structures was an “unprecedented” [60: 226] public–private agreement between Google and the National Security Agency, in which Google sought to benefit from the NSA’s expertise in evaluating vulnerabilities in its hardware and software and to gain a better understanding of system penetration and, in turn, offered to share with the NSA any data about the nature of the harmful code used by intruders [61: 1–2].
The first successful long-term initiatives in cybersecurity were government–industry botnet mitigation agreements, which became one of the main tools for tackling the problem of malicious software. Since ISPs have been recognised as a critical point in botnet detection, several countries involved intermediaries or their associations in ongoing malware and botnet mitigation programmes. These programmes include projects such as:
  • Japanese Cyber Clean Centre project [31: 114];
  • Bot-Frei, a partnership of German ISPs (led by Eco) and the BSI, which detects and notifies infected customers and provides assistance in cleaning users’ computers;
  • The anti-botnet treaty in the Netherlands, a partnership of 14 Dutch ISPs and the Telecom Regulatory Authority (OPTA) covering 98 % of the Dutch market;
  • The Botnet MoU project in Denmark, a cooperation framework between ISPs and CERTs [62]; and many others.
The threat of malware and botnets and the perceived success of national botnet mitigation projects encouraged ENISA to add botnet mitigation to the agenda of the European Public Private Partnership for Resilience (EP3R) [63]. This partnership was one of the first attempts to establish cross-national partnerships in the area of cybersecurity and was initially considered a very promising initiative. However, its performance so far has received very mixed reviews. Robinson [37] highlights two major challenges. Firstly, there was no clarity about the mandate of the EU body that should facilitate the partnership. Secondly, EP3R failed to understand stakeholders’ incentives and to encourage them to participate. Irion [32] criticises the lack of engagement in information sharing and exchange, which could have motivated private actors to participate, the concept of “trusted participation”, which limits involvement to senior representatives, and the lack of transparency and accountability.

Analysis of the factors that caused the failure of EP3R can certainly help in learning lessons and avoiding repetition of the same mistakes in future initiatives. International strategic alliances between public and private parties will inevitably be the next necessary step in fighting cybercrime and maintaining cybersecurity, since many critical infrastructure sectors are privately owned and dependency on information technologies is growing not only at the national but also at the international level. The benefits of such alliances can include increased reporting of incidents to the police, effective and timely information sharing, efficient handling of digital evidence in cross-border investigations, reduced costs, avoidance of duplicated effort and better capacity building for law enforcement agencies [55: p. 95].
1.4.2.3 Cybersecurity: National Initiatives and Projects

A possible way forward for the creation of international anti-cybercrime public–private partnerships is to adopt best practices from the nationwide cybersecurity initiatives that have been developed in some states. For example, the Netherlands carried out a project, “National infrastructure against cybercrime”, which implied joint public–private assessment of cybersecurity measures and included the Cybercrime Reporting Unit, the High Tech Crime Team of the National Police Services Agency, the National Alerting Service, the government’s Computer Emergency Response Team and cross-industry stakeholders running critical infrastructure. The initiative consists of various components covering a broad spectrum of measures to fight cybercrime and sustain cybersecurity: a contact point, a reporting unit, trend watching, monitoring and detection, information distribution, education, warning, development, knowledge sharing, surveillance, prevention, termination and mitigation. In 2012, the Netherlands set up a new platform for public–private collaboration, the National Cyber Security Centre (NCSC), to improve coordination among the different agencies and stakeholders involved in fighting online crime [64]. The centre focuses on developing and offering expertise and advice, supporting and implementing responses to threats or incidents and strengthening crisis management [65].

Another project focusing on broader public–private collaboration was established in Australia, where the government launched the Cyber Security Operations Centre in collaboration with AusCERT and the Trusted Information Sharing Network for Critical Infrastructure Protection (TISN). Under the umbrella of the TISN, CERT Australia operates three sectoral exchanges to share technical information in the banking sector, the communications sector and among owners and operators of control systems in power and water utilities [66].
These national cross-sector collaboration programmes can be a starting point for future consideration. Best practices for establishing, enforcing and maintaining collaboration between public and private parties across different sectors can be leveraged at the international level. Other examples of national initiatives include various partnerships, both sector-specific and cross-sector:
  • The Swiss Reporting and Analysis Centre for Information Assurance (MELANI), a collaborative attempt to secure the computer systems of businesses and individual users and to protect critical national infrastructures.
  • The Centre for the Protection of National Infrastructure (CPNI) in the UK, which aims to protect national security by providing protective security advice and has relationships with private and public sector partners such as the National Technical Authority for Information Assurance, the National Counter Terrorism Security Office and the Counter Terrorism Security Advisor network.
  • A sectoral initiative in Austria, the project “Cybersecurity ICT—Risk Assessment of the Austrian Power Sector”, which involved the public and private sectors and a national regulatory authority and was based on voluntary participation. The project aimed to assess cybersecurity risks and develop possible solutions and, after successful completion, was extended to the gas sector and given a set of new aims, such as implementing recommendations and exchanging knowledge with international partners.
  • The Cyber Security Coalition in Belgium, launched recently (October 2014) by partners from three sectors. The initial aim of the coalition is to bring together more than 50 key players from the academic world, the business sector and the public authorities to share knowledge and experience and jointly obtain an overall picture of the cybersecurity landscape.
1.5 Problems and a Way Forward

Many of the existing collaborative initiatives in the field of cybersecurity and cybercrime emerged from ad hoc urgency and the necessity to solve current problems. These models did not have the time and capacity to analyse the most suitable structures and develop systematic approaches. Thomas [59] points out that some public–private partnerships achieved success “in spite of perceived flaws in partnership design and governance”. In the past few years, public–private collaboration based on voluntary approaches (or at least approaches referred to as “voluntary”) has been criticised in the literature for various reasons. Mostly, critiques of public–private partnerships in the field of cybersecurity mention the unwillingness of the private sector to collaborate, a lack of incentives and clear strategies, badly defined goals and objectives, non-matching interests of public and private partners, limitations of enforcement and an inability to produce an optimal outcome [27, 32, 67, 68].

Due to growing concerns about catastrophic scenarios of a possible cybersecurity apocalypse on the one hand, and the perceived failure of collaboration models, especially in the form of public–private partnerships, on the other, strong voices for tougher governmental intervention have been raised both in the academic literature and among legislators. As discussed in this chapter, the confusion of the terms “cybercrime” and “national security” leads to the adoption of cybersecurity strategies that propose tougher regulation for both sectors without recognising that the existing channels of collaboration differ, and so do the legal frameworks for the different domains.
1.5.1 Limitations: Mandate of the Governments in Criminal Law and Security

Public–private collaboration is not a flawless solution. It has its limitations, especially in the field of detecting, investigating and prosecuting cybercrime. Due to the unique mandate of the government and the nature of criminal law, public–private collaboration in investigation or prevention serves the purpose of attributing or averting criminal acts, but it can never substitute for proper legal frameworks. First of all, the power to enforce rules in the field of criminal law is limited to governments and has to follow very strict safeguards and procedures, because of the human rights component involved in criminal investigations. Thus, any approach to collaboration, whether ad hoc or structured, should operate within strict rules protecting the rights of suspects, victims and any other citizens and entities which might be affected by criminal investigations. Any self-regulatory initiative has to be built upon those legal frameworks. Secondly, the existence of public–private collaboration cannot alone guarantee the appropriate investigation of crime and prosecution of offenders. For example, the agreements or codes of conduct adopted by industry cannot completely prevent or eliminate certain forms of cybercrime, such as the distribution of child pornography. Moreover, in the absence of proper cybercrime legislation and procedural frameworks for investigation, offenders can easily circumvent industry codes of conduct due to the transnational nature of cybercrime [36].

Another constraint related to cybercrime is the conflict between the cross-border nature of the Internet and sovereignty issues. Criminal law is a domain of the nation state, and despite the need for harmonisation of criminal law and procedural frameworks and for collaboration both between law enforcement agencies in different countries and between law enforcement and private industry, the investigation and prosecution of cybercrime remain solely the duty and responsibility of the nation state [11]. This is why some sensitive matters, such as human rights, bulk collection of information and the transfer of communication data between ISPs and law enforcement agencies, are usually discussed at the level of the nation state. In this regard, frameworks for collaboration which go beyond the investigation and prosecution of cybercrime have fewer limitations because of the absence of the strict legal borders set by criminal law and can thus be more flexible.
1.5.2 Degree of Governmental Intervention

The challenge posed by the unique mandate of governments brings up the next issue, namely the degree of governmental intervention necessary to achieve security and policy objectives. Again, the situation differs for cybercrime and national security (including information infrastructure protection). In the case of cybercrime, many countries have already adopted legal frameworks in the areas of criminal law and criminal procedure law, so the problem here is not to legislate but, first of all, to make the existing frameworks operable and, secondly, to build sustainable channels of collaboration between governments and industry. In the case of cybercrime, it is very hard to avoid regulation and intervention, especially where a human rights component is concerned, such as freedom of speech protection, illegal content takedown, enforced data retention, production orders, disclosure of traffic data and interception capabilities, to name just a few. Strict frameworks do not leave much room for flexibility in investigations, so public–private collaboration with a “voluntary” element is usually directed at training, awareness, quick channels for handling information, better procedures for safeguards and human rights, and customer care.

A very different picture can be seen in the field of national security and CIIP, where mostly hands-off approaches were common until recently. In the last few years, there have been attempts to legislate cybersecurity and to adopt frameworks aiming to build “better” or more structured approaches to public–private collaboration in this field. Most of those initiatives deal with information sharing and incident reporting obligations. There is, however, a growing concern that some of the new policy and legislative initiatives, such as the EU NIS directive, may aim to replace collaborative models with ones reliant on tough regulation exercised by governments and on coercing industry.
The best analogy for describing the proposals for tough regulation and coercion is made by Clinton [69: p. 103] and is worth quoting in full:
… this type of relationship would be like one spouse saying to the other, “Honey, your job is going to be to do all the things necessary to secure our family. You will have to generate the money, buy the house, clean the house, pay the bills, buy the food, cook the dinner, have the kids, raise the kids, etc. My job will be to evaluate how well you do your job. And, of course, if you don’t meet my specifications, there will be severe penalties.” The partnership described in this construction is similar to a parent–child relationship, wherein the parent (government) feels the need to exhibit some tough love on an uncooperative and immature child (the private sector).

The analogy breaks down, however, when one realizes that in this case the “child” (industry) is actually far bigger, stronger, and has more resources than the supposed parent. Indeed, it is the parent (government) in this case that is ultimately reliant on the child for cyber security.
It is understandable that governments are under pressure to “do something”, and since regulation and coercion are the tools that many governments are used to relying on, implementing mandatory requirements seems an obvious way (and a much easier one compared to the long path of building mutual trust and confidence) to force industry to provide an adequate level of cybersecurity. This change, however, is more than a shift in choice towards a tougher regulatory approach. Many efforts have been made to build public–private collaboration so far, and implementing tough regulation and pure coercion might undermine all of them [70].

Another problem is the misunderstanding of regulatory mandates. The call for tougher regulation of public–private collaboration in cybersecurity usually refers to cybercrime. However, because the rules, channels and activities for collaboration differ, what works for cybercrime will not work for cybersecurity, and vice versa. Governments, instead of taking existing mechanisms into account, opt for regulated self-regulation and prefer to establish their own private sector entities that are supposed to run collaboration programmes, leaving the private sector with no choice but to work with these organisations [50]. Clinton [50] refers to these kinds of organisation as “setting up the parallel universe” and suggests leveraging the core competences of existing organisations which have long-established links with the industry, such as industry associations, instead of competing with them.

It is clear that some initiatives, such as the EU Cybersecurity Strategy, go rather in the direction of regulation and try to force the industry to “collaborate”. Further efforts are now being made to toughen regulation through the adoption of the EU NIS directive, though it is not yet clear which version of it will be passed. The draft NIS directive and all the debates around it are a good case to illustrate how the concepts of regulation, self-regulation and co-regulation can get confused when it comes to the mandate of governments and collaboration between the public and private sectors.
1.5.3 EU NIS Directive: From Voluntary Collaboration to Statutory Regulation?

The EU NIS directive introduced mandatory reporting obligations for security incidents instead of voluntary collaboration. These reporting obligations cover a wide range of information society services and critical information infrastructure operators. The scope of this requirement has been criticised as unprecedented and unnecessarily broad [37, 71]. The list of market operators included information society services that had never been regulated before. Annex II of the proposed directive included the following list of market operators:
  • e-commerce platforms
  • Internet payment gateways
  • Social networks
  • Search engines
  • Cloud computing services
  • Application stores.
The inclusion of information society services was fiercely debated at the national and international level with regard to the vagueness of the definition of the market players, the ambiguity of the reporting obligation and the unprecedented shift in approach from encouraging voluntary cooperation to statutory regulation. As a result of these discussions, in March 2014 the European Parliament excluded information society services from the scope of the proposed directive. However, later, in October 2014, the debate around the scope of the obligation moved to the level of the Council of the European Union, which not only added back all the information society services excluded by the European Parliament but also extended the list of information society services by including Internet exchange points, national domain name registries and web-hosting services [72]. In addition, due to the lack of consensus on which entities should be subject to the reporting obligation, the Council of the European Union proposed to leave it to national governments to define the scope of the reporting obligation by identifying the entities that meet the definition of operators.

Some EU member states are discussing similar regulations even ahead of the adoption of the EU NIS directive. The most notable example in this regard is the German draft IT security law, which is partially based on the same proposal as the draft EU NIS directive: it imposes security obligations and requires incident notification. In some parts, however, it goes even further than the EU proposal and introduces a set of new obligations, increasing the regulatory burden for telecommunication providers and information society services (Telemedien).
Telecommunication providers, in addition to the reporting obligations, have to:
  • notify the Federal Network Agency in case of impairments of telecommunication networks and services which can lead to significant security violations or unauthorised access to the telecommunication and data processing systems of end-users;
  • inform affected subscribers/users if the provider becomes aware of impairments which originate from the users’ data processing systems (such as malware) and, in addition, provide information about appropriate, effective and accessible technical means allowing those subscribers/users to discover and remove such impairments.
Furthermore, commercial information society services are obliged to:
  • implement technical and organisational measures to generally protect the telecommunication and data processing systems against unauthorised access;
  • offer a reasonably secure authentication procedure in case of personalised services.
The outcome of the bill is still unknown, because the draft is currently being debated. It is very likely, however, that the bill will be passed, despite the concerns affected private entities have raised about the new regulatory burden [74].

The overview of recent discussions in the EU is just a snapshot of the current state of an ongoing debate on legislating cybersecurity and choosing between bottom-up and top-down approaches. At the time this chapter was being written, the outcome of the debate was still uncertain. Both the EU NIS directive and the draft German IT security law might undergo a set of changes and be passed in different versions. However, what is currently happening highlights several critical problems of self- and co-regulatory approaches in cybersecurity that might have a significant impact on future collaboration in this field.

The first problem concerns the whole concept of “collaboration” and “public–private partnership”. Though the current channels of cooperation were created in response to urgency, and though structured approaches are lacking, existing forms of collaboration have been constantly evolving and gaining a certain reliability. Imposing a new regulatory scheme, which by means of statutory regulation forces private industry to “collaborate”, means disregarding all existing efforts and already trusted channels.
Furthermore, attempts to turn to coercion raise questions of trust and the enforceability of obligations. Cybersecurity is a concept or a process rather than a result, and trust in the relationship between governments and private industry is an intangible that cannot be enforced or imposed simply by implementing mandatory obligations to share information about threats. Thus, one of the drawbacks of top-down approaches is the possible lack of trust and the lack of opportunities to build it. The Council of the European Union refers to the debates among EU members highlighting this issue [72: 3]:
…some delegations point to the fruitful experience gained on the basis of voluntary notification and argue that trust cannot be imposed whereas others, on the other hand, believe that the Directive should result in firm commitments as well as allow for the building of confidence and trust over time
The current debate about trust and commitment at both the national and international level resembles a chicken-and-egg problem. The answer as to what comes first, trust or commitments, is to a large degree influenced by the current state of voluntary collaboration in the particular country. Governments are pressured to do something, and some of them believe that structured approaches and regulation might create trust over time. However, this is a dangerous approach with regard to the whole “partnership” concept, because it excludes the voluntary element and puts pressure, probably, on those private entities which already do something [37: 19].

Furthermore, the regulation of information society services is unprecedented. Many information society services have already become part of voluntary collaboration. The new regulation can disregard existing channels (or even destroy them) and create an unnecessary regulatory burden.

Another pitfall of the NIS directive regulatory model concerns the differences arising from the international component and the global nature of the cybersecurity problem. For example, in the USA, despite several attempts to adopt stricter regulation [75], recently adopted cybersecurity legislation takes a different approach and tries to create incentives for voluntary cooperation. Thus, with the adoption of the EU NIS directive, the USA and EU member states may come to differ significantly in their approaches to global problems, which instead require consistency, harmonisation and collaboration [76: 5, 77]. Further fragmentation of approaches to public–private collaboration might happen if the EU passes a directive with the clause, proposed by the Council of the European Union, that each country can decide which entities fall under mandatory reporting. The general disagreement on governmental intervention among EU member states is already clear at the stage of debating the scope of the directive. It is very likely that when it comes to implementation at the national level, not only will the main goal of the directive, namely harmonisation of policies and strategies and the creation of a pan-European approach to NIS, not be achieved, but the outcome might be a patchwork of incompatible policy and regulatory approaches which will create compliance challenges for multinational entities or global service providers operating in different jurisdictions.
1.5.4 Safeguards

Other likely risks associated with public–private partnerships, especially those in investigating cybercrime, include the negligent creation of opportunities for corruption, the mishandling of investigations, and loss or lack of confidence and transparency [55: 95]. Ahlert et al. [78] also raised the particular issue of the transparency and accountability of notice-and-takedown procedures, arguing that content removal can take the form of private censorship with no limits upon the judgement of the private party. Other frequently discussed problems are the deficit of control, the limits of enforcement in a cross-border environment [79: 52], privacy concerns and the lack of mechanisms to protect the rights of individuals when private parties are empowered to regulate and to enforce regulation.

Transparency and accountability problems are inevitable due to the complexity of the ecosystem and the large and diverse set of state and non-state actors involved in cybersecurity, which cuts across the mandates of different governmental bodies (e.g. criminal justice, armed forces, national security), and also due to the legal and technical complexity of the cybersecurity field [80: 18–19]. Furthermore, oversight of collaboration on the national level can fail when the collaboration extends across borders or beyond the mandate of the particular national regulator [80: 18–19].

Another issue, emerging from the sensationalisation of the concept of cybersecurity and the prioritisation of cybersecurity above all other issues, concerns human rights and safeguards. This problem arises from the focus of the debate on security, where security issues dominate over discussions of civil rights and liberties and administrative actors take an increasingly central role in establishing security policy, for example in the EU [11].

Some studies argue that collaborative models for cybersecurity have advantages for privacy and civil liberties because they leave “network monitoring responsibilities for private networks where they belong—with the private sector operators—rather than having governmental agencies monitor those networks” (Center for democracy and technology: 7), which promotes transparency in addressing civil liberty issues publicly. While this argument can certainly be relevant concerning transparency and accountability, the problem that still needs to be addressed is the implementation of proper safeguards when bulk data are collected and monitored, and the protection of personal data when information is shared. This problem has another dimension with regard to collaboration in cybercrime investigation and prevention, because the borders between different legal regimes are blurring. The shift from a reactive to a proactive approach in policing cybercrime is especially dangerous in terms of human rights and safeguards [8]. Data can be collected in the absence of suspicion, and private industry can actively participate in monitoring data and traffic. In criminal investigations this can be addressed by implementing strict safeguards within procedural law frameworks; in the area of cybersecurity information sharing, prevention and early disruption, however, the absence of clear safeguards is now combined with bulk collection and monitoring. This can impede the privacy rights of millions of Internet users. The possibility of such sharing is stressed in the study of the European Parliament on national programmes for mass surveillance of personal data in EU member states [81]. The study refers to the testimony of the Europol Director Rob Wainwright, who admitted during the European Parliament hearing that the data obtained by Europol agents might possibly come from different sources, including intelligence agencies of EU member states and agencies from outside the EU, such as the NSA [81: 37]. In this regard, the collection of data only from lawful sources and by lawful means, as well as the implementation of human rights safeguards and data protection measures, should be among the top priorities for public–private collaboration, especially when sensitive information is shared in the absence of suspicion or for the purpose of preventing cybersecurity incidents.
1.5.5 Incentives and Costs

Other problems arise from the necessity to implement self-regulatory measures on a cost-effective basis. For example, in Germany, the efforts of some ISPs to establish an age-verification system were undermined by the lack of international standards, the complexity of the procedure and the lack of coordination within the industry: customers may easily switch to an ISP that does not implement age-verification measures [51]. A lack of resources and of industry incentives to implement self-regulation was reported in New Zealand, where the attitude within the industry towards voluntary obligations is to consider them a burden rather than a cost-effective solution [82]. The cost issue has also been among the main problems in the USA, where the government relies on public–private partnerships in maintaining cybersecurity, while commercial organisations may see computer security as a cost and not value the corresponding benefits [83].

A cost-effective solution is in this sense one of the key points for getting industry involved: while a cybersecurity initiative presumes that industry should have the discretion to step up such efforts, this is not self-evident, because the market is first and foremost driven by price, and even if consumers or governments care about security, there might be a lack of adequate market signals for all interested parties: consumers, industry and government [84].

Though successful cases of self-regulation and co-regulation in tackling the problem of cybercrime can be witnessed in many states, there are still problems with regard to the promotion, implementation and enforcement of these measures, and also concerning structured approaches and clear frameworks. Moreover, the economic complexity of cyberspace infrastructure makes it hard to manage public–private initiatives in fighting cybercrime [55: 95].
1.5.6 Way Forward: Is Statutory Regulation Still an Option?

Summing up, self-regulation is most likely to be effective when there is a collective interest among the industry stakeholders in solving particular issues and trust between public and private partners; when private players are capable of defining clear objectives and frameworks for co- or self-regulatory schemes; when the likely solution meets legitimate consumer and citizen expectations; and when the rules are enforceable either privately or with the support of the government [31: 14]. The development of public–private partnerships can be seriously hampered by the lack of any of these criteria. A lack of interest among industry and the absence of coordinated initiatives or government support will hold developments back even where concern about Internet safety among private stakeholders is increasing. Passiveness on the part of either party, public or private, will have the same effect.

It is also very important to understand what public–private “collaboration” actually means and where the border lies between self- and co-regulation and direct governmental intervention. No government can expect “pure” bottom-up approaches in such a complex environment. Conversely, “voluntary” does not always mean coming from the industry without any governmental participation. True collaboration requires efforts and financial contributions from both parties. Thus, until the public sector has tried to provide incentives and financial assistance, and has attempted to build trust by encouraging the existing channels and developing new approaches, it cannot be said that self- and co-regulation have failed to meet expectations. There is a need to learn from both successful and unsuccessful models of cooperation, including those which failed to add real value to the goal of securing cyberspace, those which lacked transparency, those which did not have enough support from either governments or the private sector, and those which were not open and inclusive. Implementing strong statutory regulation with compliance requirements under a “one-size-fits-all” approach, demanding commitments from the industry, might seem the easier way compared to the long path of building trust and learning from mistakes. However, rapidly evolving cybersecurity threats require quick reaction and adaptation from the industry, which strict requirements for regulatory compliance might hamper; instead of achieving a greater level of cybersecurity, statutory regulation might in the longer term decrease it.
1.6 Conclusion

Government intervention and voluntary approaches in the field of cybersecurity are not mutually exclusive. The dichotomy “hands-off approach versus statutory regulation”, which is frequently discussed in the context of cybersecurity, is rather confusing and misleading: cybersecurity requires a combination of strict legal frameworks of criminal law and criminal procedure, safeguards and data protection measures with a careful hands-off approach and trust-building measures when it comes to identifying quickly evolving threats, sharing information and developing an adequate response. Apparently, finding the right balance in this complex ecosystem is hard due to the myriad stakeholders involved, the different regulatory domains and fast-evolving cyber-threats. Moreover, cybersecurity is both a concept and a process, both of which are hard to measure adequately. There will be no ideal “state” of cybersecurity: while information technologies keep evolving, the existence of these technologies and their vulnerable and transborder nature are the primary factors in the evolution of cybercrime and cyber-threats. Thus, the process of identifying new threats and predicting and mitigating risks will always be part of cybersecurity efforts, since there is no silver-bullet solution to stop infringements in cyberspace once and for all.

As part of the collaborative efforts, self- and co-regulation have in the last two decades become an essential part of national and international strategies to fight cybercrime and maintain cybersecurity. Both governments and private stakeholders have mutually benefited from joint efforts to secure community-wide threat prevention and to better understand each other's interests [85: 10]. Involvement of the industry, be it voluntary or under the shadow of the state in the form of self- or co-regulation, is being achieved at the national level in many countries. This involvement has gone far beyond the first forms of cooperation, such as ad hoc collaboration for investigating particular cases of cybercrime or blocking and removing illegal content. Co- and self-regulation have taken the forms of industry cybercrime codes of conduct, public–private reporting platforms, multi-industry public–private collaboration programmes against cybercrime, and national botnet detection and mitigation projects involving ISPs, to name just a few.

Given all the substantial efforts that have already been made in building solutions for co- and self-regulation in fighting cybercrime and addressing cybersecurity threats, the shift from supporting voluntary approaches to state coercion and mandatory security obligations disregards the trust and capacity built up over the last decade. Instead of taking a possibly counterproductive step, it would be better to enhance the effectiveness of the existing models and build upon them. Like any relationship between partners, public–private collaboration encounters problems; however, changing the whole partnership paradigm to a command-and-control model is not the right solution. Instead, efforts should be directed towards developing a coordinated approach, providing efficient government support, promoting inclusiveness and finding cost-effective solutions. The key issue for governments is to raise interest among private industry and to find incentives for co- and self-regulation. Though pure self-regulation should ideally follow a “bottom-up” approach, there is still a need to promote these measures and to encourage private actors to take on voluntary obligations in order to address the cybersecurity problem. At the same time, efforts to promote self- and co-regulation need to be harmonised and coordinated at the international level to avoid fragmentation of approaches to the truly transnational problem of cybersecurity.
