Content uploaded by Sergei Boeke
Author content
All content in this area was uploaded by Sergei Boeke on Nov 20, 2018
Content may be subject to copyright.
ORIGINAL ARTICLE
National cyber crisis management: Different
European approaches
Sergei Boeke
Universiteit Leiden Faculteit Campus
Den Haag, Institute of Security and
Global Affairs (ISGA)
Funding information
Municipality of The Hague; Netherlands
Ministry of Defence; Ministry of Secu-
rity and Justice
Cyber crises, as new forms of transboundary crises, pose
serious risks to societies. This article investigates how differ-
ent models of public–private partnerships shape cyber crisis
management in four European countries: the Netherlands,
Denmark, Estonia, and the Czech Republic. Using Provan
and Kenis’s modes of network governance, an initial taxon-
omy of cyber governance structures is provided. The
Netherlands have created a participant-governed network,
characterized by trust and equality. The Czech and Estonian
models resemble a network administrative organization,
with an enforcement role for their national cyber security
centers. Denmark has adopted a lead-agency model. The
article concludes that countries face two binary choices
when organizing cyber defense and crisis management. First,
national computer emergency response teams/computer
security incident response teams can be embedded inside or
outside the intelligence community. Second, cyber capacity
can be centralized in one unit or spread across different sec-
tors. These decisions fundamentally shape information-
sharing arrangements and potential roles during cyber crises.
1
|
INTRODUCTION
Increasing dependence on information technology and the growing interconnectedness of critical infra-
structures (CIs) have led to new vulnerabilities and risks for societies. Whether instigated by malicious
actors or by accident, cyber incidents have the potential to cascade and seriously disrupt the provision
of essential public services. In December 2015, a Ukrainian power station was hacked and nearly a
quarter of a million residents were left, albeit briefly, in the dark (Zetter, 2016). In May 2017, a ran-
somware attack struck more than 40 British hospitals and many other organizations across the world
(Woollaston, 2017). To improve the security and resilience of their CI, states have drafted national
cyber security strategies since the mid 2000s. As frameworks for setting objectives and determining
how to achieve them, they have enjoyed much scholarly and policy attention (Klimburg, 2012). The
institutional arrangements, however, that concern the roles and responsibilities of organizations in
Governance. 2017;1–16. wileyonlinelibrary.com/journal/gove V
C2017 Wiley Periodicals, Inc.
|
1
Received: 27 February 2017
|
Revised: 6 July 2017
|
Accepted: 8 July 2017
DOI: 10.1111/gove.12309
cyber security and crisis management have been subject to much less academic scrutiny. This applies
as much to which government organization should coordinate and implement cyber policy as it does to
responsibilities in times of crises.
On a practical level, policy makers have struggled to adapt existing bureaucratic structures to infor-
mation and communications technologies, with “cyber”a phenomenon that cuts across many tradi-
tional domains and competences. Invariably, in most countries a government ministry or central
organization has come, by accident or design, to coordinate and/or lead national cyber security policy.
This article investigates how, in four European countries—the Netherlands, Denmark, Estonia, and the
Czech Republic—different government institutions have been tasked with responsibilities in cyber
defense and crisis management and how they cooperate with the private sector. The cyber governance
structures of these countries, except for Estonia, have enjoyed little scholarly attention, with most
articles covering the Anglosphere. The countries have been selected purposefully: Each is small to
medium sized and has an economy that is highly reliant on a dependable IT infrastructure. All four
have an ambitious cyber policy, striving to play a leading role in their region or in the broader field of
international security. Important for the comparative analysis, the political economies of these four
countries do not diverge significantly, each possessing a variation of a coordinated market economy
(Hall & Soskice, 2001). All four are EU and NATO members, although Denmark has an opt-out for
EU Defence cooperation. As a result of global interconnectivity and the transboundary nature of cyber
threats, cyber crisis management by definition includes a strong element of international cooperation.
By combining theoretical insights from the field of public administration with empirical findings
on how four smaller North/Central European countries have organized cyber crisis management, this
article strives to provide an initial taxonomy of governance models. The approach is incontrovertibly
holistic, comprising governmental institutions, public–private partnerships, and international coopera-
tion. There is no single blueprint for effective crisis management, but this article will offer a first con-
ceptualization of the encountered approaches and identify some of the important institutional choices
that governments face in this field.
2
|
CYBER CRISIS MANAGEMENT
The field of generic crisis management encompasses the broad spectrum of prevention, mitigation and
incident response, and institutional learning. While a common assumption, the further centralization of
decision making is not necessarily the most effective way of addressing a crisis, with network models
or decentralized authorities often more capable of judging which response would work best (’tHart,
Rosenthal, & Kouzmin, 1993). Possibilities include informal decentralization or nondecision making,
and have been confirmed by much of the research since (Boin & Bynander, 2015; Boin & McConnell,
2007; Dynes & Aguirre, 2008). Crisis management is also more than just incident response, with crises
increasingly regarded as processes rather than events (Pearson & Clair, 2008; Roux-Dufort, 2007).
There are many different conceptual models that identify phases in the chain, with, for instance, one
distinguishing five phases for effective (cyber) crisis management: prevention, preparation, contain-
ment, recovery, and learning (Kovoor-Misra & Misra, 2007).
In the four investigated countries, there is no consensus on the definition of a cyber crisis. The
Netherlands, for instance, has defined an ICT crisis as a crisis that has its origin in the IT domain, that
impacts on one or more CI sectors and where generic crisis management structures do not suffice
(Nationaal Co€
ordinator Terrorismebestrijding en Veiligheid, 2012, p. 5). Building on the premise that
cyber crises can also strike sectors and organizations that have not (yet) been designated national CI,
this article chooses a more reductive definition, limiting the criteria of a cyber crisis to its “cyber”
origin and the conviction that generic crisis management structures require adaptation to sufficiently
2
|
BOEKE
address the problem. A different approach is offered by the Czech Act on Cyber Security, which
describes when a state of “cyber emergency”can be declared (Cyber Security Act, 2014 Article 21).
Here the emergency situation is triggered when “information security in information systems or secu-
rity and integrity of services or electronic communication networks is seriously endangered,”leading
to the potential violation of national interests. This definition is rooted in the discipline of information
security, involving confidentiality, integrity, and availability (the CIA-triad) of data. Since the “state of
cyber emergency”grants the Czech government expanded powers, this definition is important from a
legal perspective. Others can remain broad, as in practice politics often determines whether a cyber
incident becomes a cyber crisis.
Cyber crisis management involves both the public and private sectors, and a government’slead
role is by no means self-evident. In the market economies, the overwhelming part of national CI is
operated by the private sector. As a result, public–private partnerships feature as the cornerstone of
many national cyber security strategies. Nonetheless, beyond the attractive sound bite of the impor-
tance of public–private cooperation, there is often an unaddressed divergence of interests, disparity of
basic definitions, and disagreement on who will foot the bill (Carr, 2016). In general, states expect pri-
vate companies to ensure their own cyber security, but cannot offload their own responsibility as the
principal security provider against top-level threats, especially if these emanate from nation states.
Besides their important role in cyber defense, the private sector can also play a crucial role in incident
response. In times of crisis, IT companies like FireEye or Fox-IT can frequently leverage more cyber
expertise, and more rapidly, than what the public sector of a small country can muster (Stone & Riley,
2013). The logical exponent of these public–private partnerships is a governance approach that consists
of networks of various public and private organizations.
In their article examining modes of network governance, Provan and Kenis (2008) identify three
basic models: participant-governed networks, lead-organization-governed networks, and a network
administrative organization. The first model concerns what the authors call “shared governance”by
the network members themselves, and is characterized by the equality of members and high levels of
trust within the network. A lead-organization model uses a more centralized and hierarchical approach,
with the lead agency responsible for the coordination of activities and decisions within the network.
The third model, a network administrative organization, involves a separate and external entity to spe-
cifically govern the network’s activities. These models are theoretical ideal types: in practice, institu-
tional constructs and procedures often display a combination of characteristics, and elude a clear
categorization. What constitutes a determining trait of a specific model can also be debated. A network
administrative organization, for example, is defined by the external position of its coordinating organ
while the lead organization is regarded as a full member of the network. This distinction cannot easily
be applied in public–private partnerships. Nonetheless, the basic framework drawn up by Provan and
Kenis allows a clear conceptualization of the networks governing cyber crisis management.
To structure the classification of transboundary crisis response mechanisms, Boin, Busuioc, and
Groenleer (2014) propose three performative dimensions to assess capacity.
1
First, they judge the
capacity to make sense of a crisis by collecting, analyzing, and disseminating critical information to the
different actors in a network. The second dimension concerns the capacity to coordinate all the resour-
ces for a response, and the third involves gauging the legitimacy of the response constellation. The
aspect of legitimacy and accountability is particularly relevant considering Boin et al.’s article’sfocus
on the role of the EU in crisis management, but less so when analyzing the role of national agencies.
For this reason, this article will focus on the two performative dimensions of coordination and sense
making. The coordinative element will explore the roles of government ministries, first in setting cyber
security policy, subsequently in generic crisis management, and finally in cyber crisis management.
This staged approach is required due to the interconnectivity of roles and the fact that cyber crisis
BOEKE
|
3
management is a subset and product of generic crisis management approaches. At all stages, the rela-
tionship with the private sector and the broader international community needs consideration. Of partic-
ular consequence is the embedding of cyber responsibilities in the intelligence community or defense
sector, both of which have mandates, modus operandi, and legal frameworks that significantly set them
apart from other government ministries (Boeke, Heinl, & Veenendaal, 2015).
Computer emergency response teams (CERTs) or computer security incident response teams
(CSIRTs) provide an important sense-making capacity in cyber crises. First developed by the Carnegie
Mellon University after the Morris worm struck the Internet in 1988, CERTs or CSIRTs handle com-
puter security incidents, identify vulnerabilities and threats, and promote cooperation between private
organizations, security vendors, and users (Choucri, Madnick, & Ferwerda, 2014).
2
Initially organized
by sector, the CERT structure was also transitioned to the national country level to permit coordination
of incident response transcending sectoral boundaries. Harmonizing EU practice, the Directive on
Security of Network and Information Systems (the “NIS Directive”) requires every member state to
designate at a single point of contact responsible for coordinating issues related to network and infor-
mation security and international cooperation (Articles 31 and 34). Despite the spread of this common
organizational format, the mandates and responsibilities of CSIRTs differ significantly per country,
each operating in a unique political and legal environment. Some of the differences and their implica-
tions will be highlighted in the case studies.
For this research, information from open source studies and reports has been complemented by
confidential, semistructured interviews with officials in the national cyber security centers of each
country. The author is grateful for the open and frank conversations with these officials, several of
whom work in the intelligence community and have requested to remain anonymous. There is still a
large divide between policy and academia in cyber security research, as governmental secrecy and
business reticence to share information narrows the availability of primary sources and empirical data
for research.
3
|
THE NETHERLANDS
In the Netherlands, the Ministry of Security and Justice is responsible for coordinating national cyber
security policy. There was little debate on where to embed cyber security, and despite a Parliamentary
motion suggesting a Defence lead, the importance of cybercrime as a primary threat seems to have
made Security and Justice a logical department for coordination (Gewijzigde Motie Hernandez en
Knops, 2010). A National Centre for Cyber Security (Nationaal Cyber Security Centrum [NCSC]) was
established early 2012, one of the products of the first national cyber security strategy that was issued
in 2011. A second cyber security strategy was published in 2013, emphasizing the next step in cyber
security maturity. The focus shifted from awareness to capability, public–private partnership to public–
private participation, and from structures to networks and coalitions (Ministerie van Veiligheid en Justi-
tie, 2013). Although the NCSC incorporated the former GovCERT, it does not monitor public IT
networks. As a central node in the government’s cyber security institutions, it plays an active role in
launching and coordinating cyber security policies. As such, the NCSC was instrumental in drafting
the cyber security bill that makes notification of incidents mandatory for providers of national CI serv-
ices. While these providers must inform the NCSC of possible security breaches, the NCSC does not
enforce these regulations; this is up to the sectoral inspectorates (Officials National Cyber Security
Centre, the Hague, interviews, March and June 2016). This emphasizes the importance attached to the
principles of trust and equality with other participants in the network.
Exponents of the Dutch network model are two cooperative structures designed to improve infor-
mation sharing before and during crises. First, the National Detection Network (NDN), serving many
4
|
BOEKE
ministries and elements of the CI sector, provides advance warning of threats. Sensors and probes in
government networks detect anomalies, fed by a database of indicators of compromise (IoC). The Gen-
eral and Military Intelligence and Security Services (AIVD and MIVD, respectively) provide input and
are able to operate on intrusions. While the level of protection exceeds commercial antivirus software
products, the intelligence sector still considers it ineffective against advanced persistent threats (APTs)
that often use bespoke malware (Senior officials at the MIVD & JSCU, the Hague, interviews, March
2016). Second, the National Response Network (NRN) connects different public and private organiza-
tions on a voluntary basis, allowing them to contribute unique cyber expertise in times of crises. For
example, the water authorities have much know-how on industrial control systems, while the tax
authorities are adroit in mitigating distributed denial of service (DDoS) attacks. Designed to operate
analogous to a “bucket brigade”that channels aid to where it is needed, practitioners acknowledge that
public sector response times can be considerably slower than those of companies (Head of DefCERT,
Soesterberg, interview, February 19, 2016).
The Ministry of Security and Justice coordinates national crisis management, although each minis-
try remains responsible for its own sector and leads when a crisis originates there. It also houses the
permanently manned National Crisis Centre. There are several advisory fora that can be activated in
times of crises, their composition tailored to the specific circumstances. As a subset of the National Cri-
sis Plan, the National ICT Crisis Plan regulates crisis management for cyber crises. There are special
provisions for emergency measures and cooperation with Internet service providers (ISPs) and an ICT
response board can be activated (Kaska, 2015). This public–private board includes representatives
from ISPs and telecom providers, CI sectors, academics, and CERT professionals. They provide advice
to decision makers at the strategic level. The proposals for this new advisory forum had just been
drafted as the Diginotar crisis unfolded in September 2011, and was used to inform policy makers on
the complex matter of certificate security (Inspectie Veiligheid en Justitie, 2012).
There are several different organizations within the Ministry of Defence that possess cyber capacity
and can fulfill a sense-making role in crises. The Military Police are, together with the national police,
responsible for combating cybercrime. DefCERT, the military CERT, is responsible for monitoring all
military networks, ensuring the security of weapons systems and providing incident response. A cove-
nant between the NCSC and DefCERT allows mutual assistance (Head of DefCERT, Soesterberg,
interview, February 19, 2016). DefCERT is also a partner in the National Response Network and is,
from the Defence perspective, the first in line to provide cyber capacity to civilian organizations in
times of crisis. DefCERT is situated outside the intelligence community, and its primary partners for
information sharing are other military CERTs that are also placed outside the intelligence sector. The
two Dutch intelligence services have bundled their cyber capacity in the Joint Sigint and Cyber Unit
(JSCU). As the employer of the government’s primary cryptologists and hackers, they provide the
main defense against high-end APTs. DefCERT has cyber defense as its main mission, but only the
JSCU has the necessary expertise to combat APTs that target ministries and multinationals (Senior offi-
cials at the MIVD & JSCU, the Hague, interviews, March 2016). The separate Defence Cyber Com-
mand is tasked with offensive cyber operations, but as it falls outside the intelligence sector, its
mandate is governed by the regular procedure for deploying military force.
The Dutch network model and consensus culture have facilitated information sharing between the
public and private sectors. There are at least 14 Information Sharing and Analysis Centres (ISACs),
each centered around a sector such as energy or finance (ISACs, 2017). Companies participate on a
voluntary basis and each ISAC sets its own agenda, with the NCSC providing the secretarial facilities.
Representatives of the intelligence sector and the high-tech crime unit of the police frequently attend,
though companies sometimes chose to meet without government officials present. Information on
IoCs, new threats, and best practices are shared and trust between the participating parties has gradually
BOEKE
|
5
grown. For sharing between public and private entities, many of the concerns such as liability protec-
tion and exemption from the Freedom of Information Act have been addressed. Sharing within the
public sector, however, is still hampered by the fragmented institutional landscape. Organizations such
as DefCERT, the NCSC, and the intelligence community each have different databases and many top
secret intelligence reports cannot be directly shared with other government agencies.
The Dutch institutional cyber landscape closely resembles a participant-governed network connect-
ing public and private partners on a basis of trust and equality. The NCSC acts as a central node, facili-
tating cooperation but careful not to impose it. The ability to make sense of a crisis, in the form
IT expertise, is spread across different organizations rather than centralized. This distributed nature is
especially marked within the Ministry of Defence, with offense, intelligence, and defense covered by
different organizations, each sharing limited data with the other. From a national perspective, crisis
management has a strong civilian lead, with the Ministry of Security and Justice responsible for coordi-
nating both national cyber security and generic crisis management. According to Broeders (2014),
uncertainty concerning formal responsibilities during crises has led to the idea that “all potentially rele-
vant public and private actors should have a seat at the table, and as the situation unfolds responsibil-
ities will become clear”(p. 46).
4
|
DENMARK
Denmark has chosen to adopt a very centralized approach to national cyber security. In 2011, the mili-
tary CERT and government CERT were combined into one to later form the Centre for Cyber Security
(Center for Cybersikkerhed [CFCS]). That year, the government also decided to shift responsibility
from the Ministry of Science, Technology, and Innovation to the Ministry of Defence, embedding the
new CFCS in the foreign intelligence service, the Danish Defence and Intelligence Service (DDIS)
(Järvinen, 2014). The reasoning behind the transfer was a practical one. The country was considered
too small to have a separate government and military CERT, most cyberattacks transcended the civilian
military distinction, and the DDIS (especially its SIGINT branch) possessed Denmark’s main cyber
expertise. The CFCS is responsible for formulating cyber security policy, producing threat assessments,
andimplementingtheEU’s NIS directive, and has several regulatory tasks (Centre for Cyber Security,
2015). Besides combining capacity in one central node, a strong legal mandate allows the CFCS to
monitor and provide incident response to the main government and private CI networks. The CFCS
thus has the technical equipment and legal authority to conduct deep packet inspection (DPI) in the net-
works of 18 of the 19 government ministries (Officials Centre for Cybersecurity, Copenhagen, inter-
view, May 3, 2016).
The embedding of the CFCS in the intelligence community rhymes with its focus on APTs, almost
by definition conducted by adversarial intelligence services. Judging that cybercrime poses a very high
threat to Danish businesses and government, the 2016 threat assessment nonetheless considers cyber
espionage as the most serious threat. The Ministry of Foreign Affairs is subject to almost daily attempts
at intrusions, and the CFCS estimates that cyber criminals generally lack the resources and technical
expertise that state-sponsored or state-driven actors have at their disposal (“Threat Assessment CFCS
2016,”2016). The CFCS’s focus on foreign intelligence cyber operations is facilitated by its own insti-
tutional imbedding. Being in the intelligence community, the CFCS understands the modus operandi
of foreign espionage operations and can obtain signals or human intelligence to complement forensic
evidence in attributing cyberattacks. Cyber defense is considered a team sport, and while the network
exploitation department of the DDIS falls under a different legal regime, there are few internal hurdles
to sharing. Importantly, a CFCS official who also worked in the GovCERT when it fell under the remit
of the Ministry of Science emphasizes that since embedding in the intelligence community, he receives
6
|
BOEKE
significantly more information, and often in a more timely fashion, than before (Officials Centre for
Cybersecurity, Copenhagen, interview, May 3, 2016). Whereas the primary sharing circles for the
Dutch NCSC or the Dutch DefCERT are formed by, respectively, international platforms like FIRST
and like-minded military CERTs outside intelligence, the Danish CFCS receives much from its specific
partners in the intelligence community. Sharing with national consumers is done through tear-lines,
shielding top-secret sources but conveying the essence of the analysis.
The CFCS is not just the lead agency, but also the first responder in situations where sophisticated
hacks have been discovered. There is close cooperation with the civilian security service (Politiets
Efterretningstjeneste [PET]) and law enforcement, to ensure a coordinated approach to address the
diverging interests of the parties involved in a crisis. The networks of a number of companies that pro-
vide CI services are monitored by the CFCS on a voluntary basis. The sharing of information between
the public and private sector is channeled predominantly through the CFCS, holding the main threat
signature database and malware repositories. A legal framework enables extensive sharing of informa-
tion with the private sector (IP addresses, metadata, IoCs). While many companies are members of
CERT/CSIRT communities, the concept of ISACs is not well developed in Denmark. The strong cen-
tral role of the CFCS in monitoring government and CI networks and responding to attacks has possi-
bly deincentivized the development of a bottom-up network model of public–private cooperation.
The Ministry of Defence also plays an important role in national crisis management. The Danish
Emergency Management Agency (DEMA) is tasked with the whole spectrum of crisis management,
from ensuring preparedness to the operational response during incidents (DEMA, 2015). The DEMA
integrates the fire service and civil defense force (the Home Guard), and was transferred from the Min-
istry of Interior to the Ministry of Defence in 2004 (Britz, 2007). In times of emergency, the DEMA
can rapidly call up conscripts for assistance (Danish Defence Commission, 2009). The regular crisis
management structure displays the same characteristics as those of the Netherlands, Estonia, and the
Czech Republic. The principles are based around sectoral responsibility (those with a daily responsibil-
ity for a certain service keep this during crises), similarity (following normal operating procedures as
much as possible), and subsidiarity (decision making at the lowest level possible). The generic crisis
management structure has been extensively tested by events, including a large power outage in 2003
and the Cartoon crises in 2005 and 2006 (Wyman, 2011). The Ministry of Defence chairs the Crisis
Management Group, a forum for planning and training. Exercises are organized on a biannual basis,
with the most recent edition simulating a coordinated cyberattack on the electricity and health sectors.
As of yet, a cyber incident has not led to the activation of the national crisis management organization.
Denmark has thus adopted a clear lead agency model, with all capacity invested in the CFCS. Its
central role has made it the hub of government cyber capacity, monitoring networks and regulating
standards, enforcing them when necessary. It functions as a first responder in times of crisis, addressing
incidents where APTs have been detected but also in instances when high-level IT knowledge is
required. The Ministry of Defence has a prominent role in crisis management structures, and the CFCS
embedding fits well with this. At the same time, the embedding of the CFCS within the intelligence
sector defines its partners and determines its information-sharing circles.
5
|
ESTONIA
Just as Denmark transferred the coordinating authority for cyber security to the Ministry of Defence in
2011, Estonia moved in the opposite direction. Arguing that civilian leadership was necessary for tasks
such as regulating security standards in the private sector, Estonia transferred the competence for cyber
security coordination from Defence to the Ministry of Economic Affairs and Communication. Within
this ministry, the Estonian Information Systems Authority (Riigi Infos€
usteemi Amet [RIA]) was created
BOEKE
|
7
as the central department for coordinating cyber policy. The RIA sets standards, drafts the national cyber
securitystrategy,andisalsotheleadagencyinrespondingtosecurityincidentsonEstoniannetworks
(Osula, 2015). The CERT-EE combines the national and GovCERT functions and covers the spectrum
from preparation to incident response (Kouremetis, 2015). One year after its establishment, it had its
baptism of fire with the April/May 2007 DDoS attacks. NATO provided technical assistance—the only
time the alliance has deployed cyber expertise to a member state during a crisis—but there was no appe-
tite for political support. Estonia was cautioned that invoking Article 4 or 5 was not an option (“Ilves,”
2016). There was no forensic evidence that definitively proved that the Russian government was behind
the cyberattacks, but certain indications and Russia’s refusal to provide assistance in the investigation
afterward certainly suggested a role (Carey, 2013; Mansfield-Devine, 2012).
Besides its task as the coordinator of national cyber security policy, the RIA also has a regulatory
role. It supervises the implementation of standards for the CI sector and has the mandate to impose fines
when companies fail to respect the rules (Osula, 2015). Whereas the CERT-EE focuses on the opera-
tional level, the Cyber Security Service, a department within the RIA, ensures a strategic outlook, map-
ping vulnerabilities in the critical information infrastructure, conducting risk analyses, and supervising
the implementation of necessary measures (Kouremetis, 2015). This enforcement function distinguishes
it from, for example, the Dutch NCSC. Estonia is currently drafting a holistic cybersecurity law.
Concerning capacity, Estonia has a distributed rather than a centralized model. The RIA coordi-
nates and provides incident response, but the combined internal security and foreign intelligence
agency, the KAPO, is responsible for countering cyberattacks that originate abroad and threaten
national security. The cybercrime units within the police and border guards have also been recently
consolidated into one unit. The Ministry of Defence has its own department—the Strategic Communi-
cations Centre—that ensures the security and incident response for the military networks (Osula,
2015). According to Estonian officials, these formal organizational boundaries do not impede effective
information sharing (Member Cyber Defence Unit, 2014). An informal culture, where operators and
analysts know each other and possess the necessary security clearances, allows for an efficient
exchange of information between both the public and private sector. The latter is in part due to the
Cyber Defense Unit of the Estonian Defense league, the country’s paramilitary Defence organization.
The Cyber Defense Unit is a unique volunteer force of IT experts, consisting of a network of cyber
defense expertise across the public and private sector (Cardash, Cilluffo, & Ottis, 2013). The unit has
several objectives, aiming to improve the cyber defense skills of its members, stimulating them to raise
cyber security awareness in their own organizations and to provide cyber defense capacity in times of
national crises. It has attracted much international interest, with a NATO Cooperative Cyber Defence
Centre of Excellence (CCD COE) report highlighting the policy, organizational and legal aspects
behind the concept (Kaska, Osula, & Stinissen, 2013). As participation is on a voluntary basis, mem-
bers cannot be officially called up, unlike, for instance, cyber reservists. Potentially problematic for
large crisis situations is that many private sector members would probably already be engaged in their
own company’s incident response and thus unable to deploy elsewhere. Nonetheless, the concept has
created a network of high-quality IT expertise, transcending organizational boundaries.
The central coordinating authority in emergencies is provided by the National Crisis Management
Committee, falling under the auspices of the Ministry of Interior. This ministry is responsible for civil
protection, internal security, and rescue operations; other ministries are responsible for their own
domains. As such, the Ministry of Economic Affairs and Communication ensures the continuity of the
country’s communication and IT networks. Two legal frameworks govern generic crisis management:
the Emergency Act (2009) and the State of Emergency Act (1996) (Osula, 2015). The government can
declare an “emergency situation”if extraordinary security measures are warranted, or a “state of emer-
gency”in exceptional circumstances where the constitutional order is at risk. The latter, which allows
8
|
BOEKE
severe restrictions of individual rights, has never been declared while the former was instituted during,
for example, the 2007 cyberattacks (Hellenberg & Visuri, 2013).
Estonian military cyber capacity has strong international connections. The Defence Ministry’sStra-
tegic Communications Centre ensures the security of military networks and possesses a cyber range
(Osula, 2015). This is operated and used for training by NATO and has significantly improved incident
response and crisis management expertise. Exemplary is the annual “Locked Shields,”now the most
advanced technical live-fire cyber defense exercise in the world, organized by the CCD COE and
involving many NATO member states. Participating teams are tasked with defending specific networks
against attempts by the red team to attack, manipulate, or sabotage systems. Besides the technical chal-
lenge, the exercises also incorporate incident response procedures and policy, legal, and media aspects
(Dijk, Meulendijks, & Absil, 2016). As such, international cooperation is further fostered and partici-
pating NATO teams improve their cyber defense expertise.
In conclusion, the RIA fulfills a central node in the Estonian public–private partnership concept.
Tasked with coordination and sense making in crises, its role in enforcing compliance is more indica-
tive of a network administrative organization than a shared partnership network. Cyber capacity is dis-
tributed across several ministries rather than centralized in one department, with hubs of expertise at
the CERT.EE, the KAPO intelligence service, the police force, and the Ministry of Defence. Coopera-
tion is facilitated by the informal culture and the network of the Cyber Defence Unit, with its volun-
teers spread over the public and private sectors. In crisis management, the Ministry of Interior is
responsible for coordinating the response.
6
|
THE CZECH REPUBLIC
In the Czech Republic, the National Security Authority (NSA) is responsible for coordinating national
cyber security policy. This government agency, which has ministerial status but no representation in
the Cabinet, received overall responsibility for the coordination of national cyber security in 2011.
Originally, this mission resided with the Ministry of Interior, tasked with combating cybercrime and
having developed many policy initiatives in cyber security. The NCSC was established, operating
under the auspices of the NSA (Min
arik, 2016, p. 12). An extensive cyberattack on Czech infrastruc-
ture in March 2013 propelled cyber security higher up the political agenda and highlighted the impor-
tance of cyber crisis management. A series of DDoS attacks, in some ways comparable to the 2007
Estonia attacks, targeted the Prague Stock exchange, several banks, and media outlets. The damage
was limited as online banking had not yet taken off in the country and the temporary unavailability
was considered a mere nuisance (Kostyuk, 2014). The botnets were traced back to Russia, but here too
assistance in the investigation was refused. The attacks convinced policy makers that the Czech Repub-
lic had served as a test bed for the attackers, and this notion still features in the national cyber security
strategy (National Cyber Security Centre, 2015, p. 11).
The NSA’s coordinating role in cyber security complements its other responsibilities in the field of
security clearances, certifying cryptographic devices, establishing and controlling national classification
procedures, and approving the dissemination of classified information to international partners. The
personal role of the director of the NSA and his expertise in the cyber security domain probably also
contributed to the government’s decision to transfer authority to this department (Officials at the
National Security Authority, interviews Skype and during CyCon, Tallinn, May 31–June 3, 2016).
According to Czech officials, a deliberate choice was made not to embed the NCSC within the intelli-
gence community, as this would significantly complicate information sharing. Primary concerns specif-
ically related to classification issues impeding public to private sharing of information, as well as
reluctance by companies to share information with the intelligence sector for historical reasons
BOEKE
|
9
(Officials National Security Authority, interviews Skype and during CyCon, Tallinn, May 31–June 3,
2016). The NSA is responsible for identifying and determining which services constitute critical (infor-
mation) infrastructure (Min
arik, 2016)
Within national cyber security, the NCSC functions as a central hub. It operates the GovCERT func-
tion, which not only manages all cooperation with CSIRTs, both national and international, but also pre-
pares security standards, supports cyber security awareness programs, and stimulates education, research,
and development (Min
arik, 2016). The GovCERT’s main constituents are the public sector (ministries
and agencies) and the nation’s CI. Notwithstanding several exceptions, GovCERT does not perform DPI.
Instead, it operates on the so-called “subsidiarity principle,”allocating the primary responsibility to organ-
izations themselves, as they are deemed to be best suited to monitoring their own networks. Besides Gov-
CERT, the National CERT (CSIRT.CZ) covers the private sector, including the main ISPs. The two
CERTs have different sharing circles, with GovCERT having strong ties to the international community
through the European Union Agency for Network and Information Security (ENISA) and NATO
(NCIRC). The CSIRT.CZ possesses stronger links with the private sector and has a larger capacity of
technical expertise, forming an important partner for the NSA in crisis management (Officials National
Security Authority, interviews Skype and during CyCon, Tallinn, May 31–June 3, 2016).
In the Czech Republic, the Central Crisis Staff provides the main government platform for dealing
with crisis situations. It is convened by the prime minister and is chaired by either the minister of the Inte-
rior or Defence, depending on the exact nature of the crisis. The Central Crisis Staff has the authority to
declare a “state of emergency”and holds both advisory and oversight roles, informing the National Secu-
rity Council or government ministers directly during crisis situations. The Cyber Security Act, introduced
in 2015, sets out the most important security standards for the information systems of public authorities
and specifies the procedures for reporting incidents to either GovCERT or CSIRT.CZ, depending on their
origin. The NSA fulfills a pivotal role in ensuring compliance with these security standards and proce-
dures, conducting regular audits to ensure compliance, and issuing fines when required (Andr
s, 2014).
Unique in international cyber crisis management, the NSA can declare a “state of cyber emer-
gency.”This can be declared when a threat to information security or communications services poses a
danger to national security. When in force, it significantly expands the authority of the NSA to issue
direct orders to ISPs or entities operating national CI. It can also entail a transfer of authority regarding
critical information infrastructure from the CSIRT.CZ to GovCERT. The state of cyber emergency is
initially established for a period of 7 days, and can be extended to a total of 30 days. If the crisis situa-
tion has not been effectively resolved within this legal time frame, a general state of emergency can be
declared. While to date no such declaration has been issued, the concept has been extensively tested,
for example, in NATO’s CMX 2016 exercise. In the military domain, primary responsibility for cyber
security is held by the Computer Incident Response Capability (CIRC). The Czech government plans
to significantly increase the investment in military cyber defense, including the establishment of a
national Cyber Forces Centre, that falls under military intelligence (Min
arik, 2016, p. 12).
The Czech Republic appears have a similar network governance model to Estonia, with the NSA
regulating as well as enforcing cyber security standards. This displays characteristics of a network
administrative organization. Although the NSA plays a pivotal role in coordinating crisis response,
public cyber capacity to make sense of crises is distributed over several government ministries rather
than centralized in one.
7
|
COMPARATIVE ANALYSIS
The institutional cyber landscape of the four European countries can be grouped along the three network
models of Provan and Kenis (2008; see Table 1 in the current article). The Dutch public–private
10
|
BOEKE
partnership model is closest to the participant-governed network, with the NCSC’s relationship with com-
panies and other network nodes based on voluntary participation, equality, and trust. This model corre-
sponds with the Dutch approach of operating through multistakeholder constructions and using
consensus decision making (Karsten, van Veen, & van Wulfften Palthe, 2008). Here the public adminis-
tration moves toward a situation where it no longer contracts specific tasks and monitors their fulfillment,
but rather shapes the conditions of the self-organization of networks. This would constitute a middle way
between the poles of interventionist and hands-off policies (Dunn Cavelty & Suter, 2009). Estonia and
the Czech Republic equally employ a strong public–private partnership model, but their coordinating
authorities (the RIA and NSA) set standards and enforce them with fines when necessary. Rather than a
shared governance model, state authority ensures private sector cooperation. This hierarchical element
suggests a model that is closer to the network administrative organization. Finally, the powerful central
monitoring task of the Danish CFCS, combined with its regulatory role, implies a strong lead agency
model. Although all four countries invest in public–private partnerships, the network model influences
and shapes the relationship between the public and private sector. The concept of ISACs is furthest devel-
oped in the Netherlands, although several sectors in Europe are developing international sharing plat-
forms (ENISA, 2016). The extensive Dutch public–private partnership correlates clearly with its
participant network model. Since Carr’s (2016) appraisal of the disjuncture in expectations between the
public and private sector is predominantly based on the United States and United Kingdom, the role of
specific modes of network governance in shaping partnerships in other countries merits further research.
When analyzing the dimension of coordination, it is important to note that in all four countries
generic crisis management structures have been adapted to include IT expertise when needed. The
ubiquitous dependence on information technology implies that even crises that originate in the cyber
domain will have transboundary effects. The cross-sectoral impact of incidents therefore renders a
TABLE 1 Institutional overview of cyber governance responsibilies and models
Netherlands Denmark Estonia Czech Republic
Coordination cyber
security policy
Ministry of Security
and Justice
Ministry of Defence Ministry of Economic
Affairs & Communication
National Security
Authority(NSA)
Coordination generic
crisis management
Ministry of Security
and Justice
Ministry of Defence Ministry of Interior Ministry of Interior/
Ministry of Defence
Main public-sector
CERTs
National Cyber
Security Centre
(NCSC)
DefCERT
Centre for Cyber
Security (CFCS)
CERT-EE GovCERT, CSIRT.
CZCIRC (defense)
Government cyber
capacity
Distributed Centralized Distributed Distributed
Monitoring govern-
ment networks
Ministries have own
responsibility
(NDN)
CFCS conducts DPI Ministries have own
responsibility
Ministries have own
responsibility
Embedding intelli-
gence community
Outside Inside Outside Outside
Network model Participant governed Lead organization Network-
administrative
Network-
administrative
Source. Adapted from Boeke (2016).
BOEKE
|
11
“pure”cyber crisis unlikely. The principle of sectoral responsibility shifts the onus from a ministry rig-
idly tasked with coordinating crisis response to the quality of the relationship with other implicated
agencies. Here, too, network theory can contribute to conceptualizing intra- and intergovernmental
exchanges in times of crises. Within the investigated countries, but also the EU and NATO, networks
of cyber defense expertise have been generated, with regular training exercises such as Locked Shields
improving technical skills as well as broader crisis management competence. Both international organi-
zations recognize the importance of civil–military cooperation in cyber defense, and training and exer-
cises incorporate a strong civilian component to ensure a “whole of government”response. The
ENISA and the European Defence Agency run various programs to stimulate collaborative security
measures and encourage the adoption of good practices and sharing of resources.
Information sharing plays a central role in coordination. Common security practice and the
NIS directive reinforce the role of CERTs/CSIRTs as foci for coordination and exchange, but much
information sharing still relies on ad hoc and informal relationships (Skopik, Settanni, & Fiedler,
2016). More standardized and automated exchange platforms would enable rapid and direct sharing,
but require federated reputation measures to ensure trust. Several international networks like FIRST do
operate malware information-sharing platforms, but according to one official this predominantly con-
cerns the “garden variety malware”(Officials Centre for Cybersecurity, Copenhagen, interview, May
3, 2016). IoCs and the modus operandi of complex APTs often involve sensitive information and
can be subject to investigation by the national intelligence service. Here the barriers of government
classification and secrecy issues become apparent. The four investigated country studies suggest that
information-sharing networks are delineated not by ministerial boundaries (even including the Ministry
of Defence), but their position inside or outside the intelligence community.
The binary choice of embedding a national CERT inside or outside the intelligence community can
have several important consequences (Boeke, 2016). First, as attested by the Danish official with expe-
rience of both, CERT’s inside the intelligence community can receive more data and information than
those outside, benefiting from additional streams of classified sources. Second, the institutional em-
bedding will determine to a certain extent the scope of the center’s own information-sharing circle,
funneling a focus on partners within its own community. Inside intelligence, the modalities of interna-
tional sharing remain complex, with elements such as reciprocity and institutional trust (in case of the
Five Eyes countries
3
) allowing significant exchanges of data and analyses (Clough, 2004). Outside
intelligence, information sharing generally follows similar principles, such as a reliance on personal
trust relationships and the willingness to share sensitive information being inversely proportional to the
size of the receiving network. Finally, there are significant legal, policy, and ethical implications of
embedding CERTs/CSIRTs in the intelligence community. This deserves more research.
The technical capacity to make sense of an IT crisis is concentrated in CERTs/CSIRTs, and here
the binary choice concerns centralization or sectoral specialization. This applies to both the public and
private sectors, and involves more than a choice between synergies or tailored expertise. An example
of a ground-breaking centralization initiative in the private sector concerns the Nordic Financial CERT
that will serve banks in Norway, Sweden, Finland, and Denmark (“Nordic banks collaborate on fight-
ing cybercrime,”2017). In the public sector, Denmark has opted to combine the government and mili-
tary CERT into one; the other three countries have chosen to keep them apart, with the Czech
Republic even fielding separate government and national CERTs. In the centralized Danish model, the
CFCS has a clear first-responder role in cyber crisis management. In the Netherlands, the NCSC can
draw extra capacity from DefCERT in times of crises. DefCERT is included in the National Response
Network, but the Joint Sigint Cyber Unit with high-end capacity against APTs is not formally prepared
for a role in crises. In Estonia, the unique concept of the volunteer Cyber Defence Unit has linked a
network of professionals across public and private domains, with an informal culture allowing for
12
|
BOEKE
quick information sharing. There are valid arguments for both centralization and sectoral specialization,
but it is clear that a distributed cyber landscape requires intensive interagency cooperation to mitigate
some of the disadvantages. These are overlaps and gaps in the different databases, complex sharing
arrangements’and questions of personnel management, with talent often gravitating to where the work
is most exciting (intelligence/offense rather than monitoring). From an incident response perspective,
at least centralization leaves no doubt whom to call in times of crises.
8
|
CONCLUSION
While the institutional arrangements in each country are strongly influenced by the combination of
unique socio political cultures and context, it is clear that governance models are still under construc-
tion and subject to adjustments. With the exception of the Netherlands, all investigated countries have
transferred the coordinating role for national cyber security from one ministerial department to another,
with the GovCERT changing house each time. Using Provan and Kenis’s (2008) modes of network
governance theory, a first taxonomy of cyber governance landscapes can be provided. The Dutch
NCSC has succeeded in involving many private actors through the principles of trust, equality, and
voluntary participation. On the opposite end of the spectrum, the Danish lead agency model provides,
according to several practitioners, a better defense against APTs. Estonia and the Czech Republic have
taken original measures to improve their cyber crisis management policy. As each country has its own
unique political and economic ecosystem, it is difficult to transpose best practices from one system to
the other without considering the broader context.
From an institutional perspective, countries are faced with two important choices when organizing
their cyber defense and crisis management structures. The first concerns whether to embed their
national or government CERT inside or outside the intelligence community. In this research, only Den-
mark has chosen the former, but other European examples are provided by the United Kingdom and
Spain.
4
The consequences are of a practical as well as principled nature, and involve legal and ethical
questions linked to democracy and the rule of law. The second institutional choice concerns whether to
centralize cyber capacity in one unit or distribute it according to mission and mandate. Opposite poles
are offered by the Danish (centralized) and Dutch and Czech (distributed) models. The effectivity ques-
tion has been left unaddressed in this article; not only are specific analyses of past crises required, but
normative performance remains difficult to define. The Diginotar crisis (2011) and the cyberattacks on
the Estonian infrastructure (2007) and the Czech banking sector (2013) were all managed by their
nation’s generic crisis management structures, and specific arrangements for cyber crises were incorpo-
rated or significantly adjusted afterward. Governments, after all, invest much time in preparing for cri-
ses and, once they have occurred, seldom let them go to waste.
ACKNOWLEDGMENTS
The author would like to thank the anonymous reviewers for their constructive comments and the
officials in the different National Cyber Security Centres for their time and valuable insights. Den-
nis Broeders, Max Geelen, and Liisi Adamson also provided helpful comments.
ENDNOTES
1
For their research on EU crisis management capacity, Boin et al. (2014) have nonetheless narrowed the classification of
networks to a binary distinction: a network model versus a lead-agency model. To better encompass the broader field of
various national PPP structures, this article proposes to adhere to the Provan and Kenis (2008) models.
BOEKE
|
13
2
This article uses the two acronyms synonymously, although a CERT is a registered trademark that requires a user to
obtain permission from CERT/CC. A CSIRT can have a broader scope of duties.
3
The United States, the United Kingdom, Canada, Australia, and New Zealand.
4
The United Kingdom’s National Cyber Security Centre is a part of the Government Communications Headquarters
(GCHQ), and Spain’s CCN-CERT falls under the remit of the Centro Nacional de Inteligencia (CNI).
REFERENCES
Andr
s, J. (2014). Czech cyber security: Finally ahead of Europe? SVAT Cyber Security.
Boeke, S. (2016). First responder or last resort? The role of the Ministry of Defence in national cyber crisis man-
agement in four European countries. Universiteit Leiden, the Netherlands.
Boeke, S., Heinl, C. H., & Veenendaal, M. A. (2015). Civil-military relations and international military cooperation
in cyber security: Common challenges & state practices across Asia and Europe. Presented at the Cyber Con-
flict: Architectures in Cyberspace (CyCon), Seventh International Conference on, IEEE, Tallinn, pp. 69–80.
https://doi.org/10.1109/CYCON.2015.7158469
Boin, A., Busuioc, M., & Groenleer, M. (2014). Building European Union capacity to manage transboundary crises:
Network or lead-agency model? Regulation & Governance,8, 418–436.
Boin, A., & Bynander, F. (2015). Explaining success and failure in crisis coordination. Geografiska Annaler: Series
A, Physical Geography,97, 123–135.
Boin, A., & McConnell, A. (2007). Preparing for critical infrastructure breakdowns: The limits of crisis management
and the need for resilience. Journal of Contingencies and Crisis Management,15,50–59.
Britz, M. (2007, May). Translating EU civil protection in the Nordic states—Towards a theoretical understanding of the
creation of European crisis management capacities. Presented at the European Union Studies Association’sTenth
Biennial International Conference, Montreal, Canada. Retrieved from http://aei.pitt.edu/7714/1/britz-m-11d.pdf
Broeders, D. (2014). Investigating the place and role of the armed forces in Dutch cyber security governance.
https://doi.org/10.13140/RG.2.1.3974.3849
Cardash, S. L., Cilluffo, F. J., & Ottis, R. (2013). Estonia’s cyber defence league: A model for the United States?
Studies in Conflict & Terrorism,36, 777–787.
Carey, C., III. (2013, March 27). The international community must hold Russia accountable for its cyber militias.
Small Wars Journal. Retrieved from http://insct.syr.edu/the-international-community-must-hold-russia-accountable-
for-its-cyber-militias/
Carr, M. (2016). Public-private partnerships in national cyber-security strategies. International Affairs,92,
43–62.
Centre for Cyber Security. (2015). The Danish cyber and information security strategy. Retrieved from http://www.
fmn.dk/eng/news/Documents/Danish-Cyber-and-Information-Security-Strategy-EN-vers.PDF
Choucri, N., Madnick, S., & Ferwerda, J. (2014). Institutions for cyber security: International Responses and global
imperatives. Information Technology for Development,20,96–121.
Clough, C. (2004). Quid pro quo: The challenges of international strategic intelligence cooperation. International
Journal of Intelligence and Counter Intelligence,17, 601–613.
Cyber Security Act, 181. (2014). Retrieved from https://www.govcert.cz/download/legislation/container-nodeid-1122/
actoncybersecuritypopsp.pdf
Danish Defence Commission. (2009). Danish defence—Global engagement. Copenhagen, the Netherlands: Danish
Ministry of Defence.
Danish Emergency Management Agency. (2015). Crisis management in Denmark. Birkerød, Denmark: Danish
Emergency Management Agency.
Dijk, A. D., Meulendijks, J. M. G., & Absil, F. G. J. (2016). Lessons learned from NATO’s cyber defence exercise
locked shields 2015. Militaire Spectator,185(2), 65–74. Retrieved from http://www.militairespectator.nl/sites/
default/files/teksten/bestanden/Militaire%20Spectator%202-2016%20Dijk.pdf
14
|
BOEKE
Dunn Cavelty, M., & Suter, M. (2009). Public–private partnerships are no silver bullet: An expanded governance
model for critical infrastructure protection. International Journal of Critical Infrastructure Protection,2, 179–187.
Dynes, R. R., & Aguirre, B. E. (2008). Organizational adaptation to crises: Mechanisms of coordination and struc-
tural change. In A. Boin (Ed.), Crisis management (pp. 320–325). Los Angeles, CA: SAGE.
European Union Agency for Network and Information Security. (2016). Report on cyber security information shar-
ing in the energy sector. Retrieved from https://www.enisa.europa.eu/publications/information-sharing-in-the-
energy-sector
Gewijzigde motie (nader) Hernandez en Knops over een visie over de aanpak van cybercrime/cyberwarfare (t.v.v.
32500 X, nr. 24) (2010). Retrieved from https://www.parlementairemonitor.nl/9353000/1/j9tvgajcor7dxyk_
j9vvij5epmj1ey
Hall, P. A., & Soskice, D. (Eds.). (2001). Varieties of capitalism: The institutional foundations of comparative
advantage. Oxford, NY: Oxford University Press.
Hellenberg, T., & Visuri, P. (2013). Analysis of Civil Security Systems in Europe Country Study Estonia, Anvil pro-
ject. Retrieved from http://anvil-project.net/wp-content/uploads/2013/12/Estonia_v1.0.pdf
Inspectie Veiligheid en Justitie. (2012). Rapport: Evaluatie van de rijkscrisisorganisatie tijdens de DigiNotar-crisis.
Den Haag.
ISACs. (2017). Retrieved from https://www.ncsc.nl/english/Cooperation/isacs.html
Järvinen, H. (2014). Danish government plans to create a Center for Cybersecurity with privacy-invasive powers. EDRi.
Retrieved from https://edri.org/danish-government-plans-create-center-cybersecurity-privacy-invasive-powers/
Karsten, L., van Veen, K., & van Wulfften Palthe, A. (2008). What happened to the popularity of the polder model?
Emergence and disappearance of a political fashion. International Sociology,23,35–65.
Kaska, K. (2015). National cyber security organisation: The Netherlands. Tallinn, Estonia: NATO CCD COE.
Kaska, K., Osula, A.-M., & Stinissen, J. (2013). The Cyber Defence Unit of the Estonian Defence League: Legal,
policy and organisational analysis. Tallinn, Estonia: NATO CCD COE.
Klimburg, A. (Ed.). (2012). National cyber security framework manual. Tallinn, Estonia: NATO CCD COE.
Kostyuk, N. (2014). International and domestic challenges to comprehensive national cybersecurity: A case study of
the Czech Republic. Journal of Strategic Security,7,68–82.
Kouremetis, M. (2015). An analysis of Estonia’s cyber security strategy, policy and capabilities. In Proceedings of
the 14th European Conference on Cyber Warfare and Security 2015 (pp. 404–412). Presented at the European
Conference on Cyber Warfare and Security. Reading, UK: Academic Conferences and Publishing International.
Kovoor-Misra, S., & Misra, M. (2007). Understanding and managing crises in an “online world.”In C. M. Pearson,
C. Roux-Dufort, & J. A. Clair (Eds.), International handbook of organizational crisis management (pp. 85–104).
London, UK: Sage.
Mansfield-Devine, S. (2012). Estonia: What doesn’t kill you makes you stronger. Network Security,2012,12–20.
Member Cyber Defence Unit. (2014, November 18–19). RSIS-Leiden University Centre for Terrorism and Counter-
terrorism (CTC) Roundtable on Civil-Military Relations in Cyberspace, Singapore.
Min
arik, T. (2016). National cyber security organisation: Czech Republic (2nd ed.). Tallinn, Estonia: NATO CCD
COE.
Ministerie van Veiligheid en Justitie. (2013). Nationale Cybersecurity Strategie 2: Van bewust naar bekwaam. The
Hague, the Netherlands: Nationaal Co€
ordinator Terrorismebestrijding en Veiligheid.
Nationaal Co€
ordinator Terrorismebestrijding en Veiligheid. (2012). Nationaal Crisisplan ICT. Den Haag, the Nether-
lands: Ministerie van Veiligheid en Justitie.
National Cyber Security Centre. (2015). National Cyber Security Strategy of the Czech Republic for the period from
2015–2020. National Security Authority. Retrieved from https://www.enisa.europa.eu/topics/national-cyber-
security-strategies/ncss-map/CzechRepublic_Cyber_Security_Strategy.pdf
Nordic banks collaborate on fighting cybercrime. (2017). Retrieved from https://www.nordea.com/en/press-and-
news/news-and-press-releases/press-releases/2017/04-10-08h00-nordic-banks-collaborate-on-fighting-cybercrime.
html
BOEKE
|
15
Osula, A.-M. (2015). National Cyber Security Organisation: Estonia. Tallinn, Estonia: NATO CCD COE.
Pearson, C. M., & Clair, J. A. (2008). Reframing crisis management. In A. Boin (Ed.), Crisis management
(pp. 1–24). Los Angeles, CA: SAGE.
President Toomas Hendrik Ilves’s opening speech at CyCon in Tallinn on June 1. (2016). Retrieved from https://
president.ee/en/official-duties/speeches/12281-president-toomas-hendrik-ilvess-opening-speech-at-cycon-in-tallinn-
on-june-1-2016/index.html
Provan, K. G., & Kenis, P. (2008). Modes of network governance: Structure, management, and effectiveness.
Journal of Public Administration Research and Theory,18, 229–252.
Roux-Dufort, C. (2007). A passion for imperfections: Revisiting crisis management. In C. M. Pearson, C.
Roux-Dufort, & J. A. Clair (Eds.), International handbook of organizational crisis management (pp. 221–252).
Thousand Oaks, CA: SAGE.
Skopik, F., Settanni, G., & Fiedler, R. (2016). A problem shared is a problem halved: A survey on the dimensions
of collective cyber defense through security information sharing. Computers & Security,60, 154–176.
Stone, B., & Riley, M. (2013). Mandiant, the go-to security firm for cyber-espionage attacks. Retrieved from http://
www.Bloomberg.com.
’t Hart, P., Rosenthal, U., & Kouzmin, A. (1993). Crisis decision making: The centralization thesis revisited.
Administration & Society,25,12–45.
Threat Assessment CFCS: The Cyber Threat against Denmark. (2016). Retrieved from https://fe-ddis.dk/cfcs/
CFCSDocuments/Threat%20Assessment%20-%20The%20cyber%20threat%20against%20Denmark.pdf
Woollaston, V. (2017, May 15). The NHS trusts and hospitals affected by the Wannacry cyberattack. WIRED.
Retrieved from http://www.wired.co.uk/article/nhs-trusts-affected-by-cyber-attack
Wyman, J. S. (2011). Emergency management in Denmark: Lessons learned at home and abroad. In D. McEntire
(Ed.), Comparative emergency management: Understanding disaster policies, organizations, and initiatives
from around the world. Retrieved from https://www.training.fema.gov/hiedu/aemrc/booksdownload/
compemmgmtbookproject/
Zetter, K. (2016, March 3). Inside the cunning, unprecedented hack of Ukraine’s power grid. WIRED. Retrieved
from https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
How to cite this article: Boeke S. National cyber crisis management: Different European
approaches. Governance. 2017;00:1–16. https://doi.org/10.1111/gove.12309
16
|
BOEKE