
National cyber crisis management: Different European approaches

Abstract

Cyber crises, as new forms of transboundary crises, pose serious risks to societies. This article investigates how different models of public–private partnerships shape cyber crisis management in four European countries: the Netherlands, Denmark, Estonia, and the Czech Republic. Using Provan and Kenis's modes of network governance, an initial taxonomy of cyber governance structures is provided. The Netherlands have created a participant-governed network, characterized by trust and equality. The Czech and Estonian models resemble a network administrative organization, with an enforcement role for their national cyber security centers. Denmark has adopted a lead-agency model. The article concludes that countries face two binary choices when organizing cyber defense and crisis management. First, national computer emergency response teams/computer security incident response teams can be embedded inside or outside the intelligence community. Second, cyber capacity can be centralized in one unit or spread across different sectors. These decisions fundamentally shape information-sharing arrangements and potential roles during cyber crises.
Sergei Boeke
Universiteit Leiden, Faculteit Campus Den Haag, Institute of Security and Global Affairs (ISGA)
Funding information: Municipality of The Hague; Netherlands Ministry of Defence; Ministry of Security and Justice
1 | INTRODUCTION
Increasing dependence on information technology and the growing interconnectedness of critical infrastructures (CIs) have led to new vulnerabilities and risks for societies. Whether instigated by malicious actors or by accident, cyber incidents have the potential to cascade and seriously disrupt the provision of essential public services. In December 2015, a Ukrainian power station was hacked and nearly a quarter of a million residents were left, albeit briefly, in the dark (Zetter, 2016). In May 2017, a ransomware attack struck more than 40 British hospitals and many other organizations across the world (Woollaston, 2017). To improve the security and resilience of their CI, states have drafted national cyber security strategies since the mid-2000s. As frameworks for setting objectives and determining how to achieve them, they have enjoyed much scholarly and policy attention (Klimburg, 2012). The institutional arrangements, however, that concern the roles and responsibilities of organizations in cyber security and crisis management have been subject to much less academic scrutiny. This applies as much to which government organization should coordinate and implement cyber policy as it does to responsibilities in times of crises.

Governance. 2017;1–16. wileyonlinelibrary.com/journal/gove © 2017 Wiley Periodicals, Inc. | Received: 27 February 2017 | Revised: 6 July 2017 | Accepted: 8 July 2017 | DOI: 10.1111/gove.12309
On a practical level, policy makers have struggled to adapt existing bureaucratic structures to information and communications technologies, with cyber a phenomenon that cuts across many traditional domains and competences. Invariably, in most countries a government ministry or central organization has come, by accident or design, to coordinate and/or lead national cyber security policy. This article investigates how, in four European countries – the Netherlands, Denmark, Estonia, and the Czech Republic – different government institutions have been tasked with responsibilities in cyber defense and crisis management and how they cooperate with the private sector. The cyber governance structures of these countries, except for Estonia, have enjoyed little scholarly attention, with most articles covering the Anglosphere. The countries have been selected purposefully: Each is small to medium sized and has an economy that is highly reliant on a dependable IT infrastructure. All four have an ambitious cyber policy, striving to play a leading role in their region or in the broader field of international security. Important for the comparative analysis, the political economies of these four countries do not diverge significantly, each possessing a variation of a coordinated market economy (Hall & Soskice, 2001). All four are EU and NATO members, although Denmark has an opt-out for EU Defence cooperation. As a result of global interconnectivity and the transboundary nature of cyber threats, cyber crisis management by definition includes a strong element of international cooperation.
By combining theoretical insights from the field of public administration with empirical findings on how four smaller North/Central European countries have organized cyber crisis management, this article strives to provide an initial taxonomy of governance models. The approach is incontrovertibly holistic, comprising governmental institutions, public–private partnerships, and international cooperation. There is no single blueprint for effective crisis management, but this article will offer a first conceptualization of the encountered approaches and identify some of the important institutional choices that governments face in this field.
2 | CYBER CRISIS MANAGEMENT
The field of generic crisis management encompasses the broad spectrum of prevention, mitigation and incident response, and institutional learning. While a common assumption, the further centralization of decision making is not necessarily the most effective way of addressing a crisis, with network models or decentralized authorities often more capable of judging which response would work best ('t Hart, Rosenthal, & Kouzmin, 1993). Possibilities include informal decentralization or nondecision making, and have been confirmed by much of the research since (Boin & Bynander, 2015; Boin & McConnell, 2007; Dynes & Aguirre, 2008). Crisis management is also more than just incident response, with crises increasingly regarded as processes rather than events (Pearson & Clair, 2008; Roux-Dufort, 2007). There are many different conceptual models that identify phases in the chain, with, for instance, one distinguishing five phases for effective (cyber) crisis management: prevention, preparation, containment, recovery, and learning (Kovoor-Misra & Misra, 2007).
In the four investigated countries, there is no consensus on the definition of a cyber crisis. The Netherlands, for instance, has defined an ICT crisis as a crisis that has its origin in the IT domain, that impacts on one or more CI sectors and where generic crisis management structures do not suffice (Nationaal Coördinator Terrorismebestrijding en Veiligheid, 2012, p. 5). Building on the premise that cyber crises can also strike sectors and organizations that have not (yet) been designated national CI, this article chooses a more reductive definition, limiting the criteria of a cyber crisis to its cyber origin and the conviction that generic crisis management structures require adaptation to sufficiently address the problem. A different approach is offered by the Czech Act on Cyber Security, which describes when a "state of cyber emergency" can be declared (Cyber Security Act, 2014, Article 21). Here the emergency situation is triggered when information security in information systems or security and integrity of services or electronic communication networks is seriously endangered, leading to the potential violation of national interests. This definition is rooted in the discipline of information security, involving confidentiality, integrity, and availability (the CIA-triad) of data. Since the "state of cyber emergency" grants the Czech government expanded powers, this definition is important from a legal perspective. Others can remain broad, as in practice politics often determines whether a cyber incident becomes a cyber crisis.
Cyber crisis management involves both the public and private sectors, and a government's lead role is by no means self-evident. In the market economies, the overwhelming part of national CI is operated by the private sector. As a result, public–private partnerships feature as the cornerstone of many national cyber security strategies. Nonetheless, beyond the attractive sound bite of the importance of public–private cooperation, there is often an unaddressed divergence of interests, disparity of basic definitions, and disagreement on who will foot the bill (Carr, 2016). In general, states expect private companies to ensure their own cyber security, but cannot offload their own responsibility as the principal security provider against top-level threats, especially if these emanate from nation states. Besides their important role in cyber defense, the private sector can also play a crucial role in incident response. In times of crisis, IT companies like FireEye or Fox-IT can frequently leverage more cyber expertise, and more rapidly, than what the public sector of a small country can muster (Stone & Riley, 2013). The logical exponent of these public–private partnerships is a governance approach that consists of networks of various public and private organizations.
In their article examining modes of network governance, Provan and Kenis (2008) identify three basic models: participant-governed networks, lead-organization-governed networks, and a network administrative organization. The first model concerns what the authors call "shared governance" by the network members themselves, and is characterized by the equality of members and high levels of trust within the network. A lead-organization model uses a more centralized and hierarchical approach, with the lead agency responsible for the coordination of activities and decisions within the network. The third model, a network administrative organization, involves a separate and external entity to specifically govern the network's activities. These models are theoretical ideal types: in practice, institutional constructs and procedures often display a combination of characteristics, and elude a clear categorization. What constitutes a determining trait of a specific model can also be debated. A network administrative organization, for example, is defined by the external position of its coordinating organ while the lead organization is regarded as a full member of the network. This distinction cannot easily be applied in public–private partnerships. Nonetheless, the basic framework drawn up by Provan and Kenis allows a clear conceptualization of the networks governing cyber crisis management.
To structure the classification of transboundary crisis response mechanisms, Boin, Busuioc, and Groenleer (2014) propose three performative dimensions to assess capacity.¹ First, they judge the capacity to make sense of a crisis by collecting, analyzing, and disseminating critical information to the different actors in a network. The second dimension concerns the capacity to coordinate all the resources for a response, and the third involves gauging the legitimacy of the response constellation. The aspect of legitimacy and accountability is particularly relevant considering Boin et al.'s article's focus on the role of the EU in crisis management, but less so when analyzing the role of national agencies. For this reason, this article will focus on the two performative dimensions of coordination and sense making. The coordinative element will explore the roles of government ministries, first in setting cyber security policy, subsequently in generic crisis management, and finally in cyber crisis management. This staged approach is required due to the interconnectivity of roles and the fact that cyber crisis management is a subset and product of generic crisis management approaches. At all stages, the relationship with the private sector and the broader international community needs consideration. Of particular consequence is the embedding of cyber responsibilities in the intelligence community or defense sector, both of which have mandates, modus operandi, and legal frameworks that significantly set them apart from other government ministries (Boeke, Heinl, & Veenendaal, 2015).
Computer emergency response teams (CERTs) or computer security incident response teams (CSIRTs) provide an important sense-making capacity in cyber crises. First developed by the Carnegie Mellon University after the Morris worm struck the Internet in 1988, CERTs or CSIRTs handle computer security incidents, identify vulnerabilities and threats, and promote cooperation between private organizations, security vendors, and users (Choucri, Madnick, & Ferwerda, 2014).² Initially organized by sector, the CERT structure was also transitioned to the national country level to permit coordination of incident response transcending sectoral boundaries. Harmonizing EU practice, the Directive on Security of Network and Information Systems (the NIS Directive) requires every member state to designate a single point of contact responsible for coordinating issues related to network and information security and international cooperation (Articles 31 and 34). Despite the spread of this common organizational format, the mandates and responsibilities of CSIRTs differ significantly per country, each operating in a unique political and legal environment. Some of the differences and their implications will be highlighted in the case studies.
For this research, information from open source studies and reports has been complemented by
confidential, semistructured interviews with officials in the national cyber security centers of each
country. The author is grateful for the open and frank conversations with these officials, several of
whom work in the intelligence community and have requested to remain anonymous. There is still a
large divide between policy and academia in cyber security research, as governmental secrecy and
business reticence to share information narrows the availability of primary sources and empirical data
for research.
3 | THE NETHERLANDS
In the Netherlands, the Ministry of Security and Justice is responsible for coordinating national cyber security policy. There was little debate on where to embed cyber security, and despite a Parliamentary motion suggesting a Defence lead, the importance of cybercrime as a primary threat seems to have made Security and Justice a logical department for coordination (Gewijzigde Motie Hernandez en Knops, 2010). A National Centre for Cyber Security (Nationaal Cyber Security Centrum [NCSC]) was established in early 2012, one of the products of the first national cyber security strategy that was issued in 2011. A second cyber security strategy was published in 2013, emphasizing the next step in cyber security maturity. The focus shifted from awareness to capability, public–private partnership to public–private participation, and from structures to networks and coalitions (Ministerie van Veiligheid en Justitie, 2013). Although the NCSC incorporated the former GovCERT, it does not monitor public IT networks. As a central node in the government's cyber security institutions, it plays an active role in launching and coordinating cyber security policies. As such, the NCSC was instrumental in drafting the cyber security bill that makes notification of incidents mandatory for providers of national CI services. While these providers must inform the NCSC of possible security breaches, the NCSC does not enforce these regulations; this is up to the sectoral inspectorates (Officials National Cyber Security Centre, the Hague, interviews, March and June 2016). This emphasizes the importance attached to the principles of trust and equality with other participants in the network.
Exponents of the Dutch network model are two cooperative structures designed to improve information sharing before and during crises. First, the National Detection Network (NDN), serving many ministries and elements of the CI sector, provides advance warning of threats. Sensors and probes in government networks detect anomalies, fed by a database of indicators of compromise (IoC). The General and Military Intelligence and Security Services (AIVD and MIVD, respectively) provide input and are able to operate on intrusions. While the level of protection exceeds commercial antivirus software products, the intelligence sector still considers it ineffective against advanced persistent threats (APTs) that often use bespoke malware (Senior officials at the MIVD & JSCU, the Hague, interviews, March 2016). Second, the National Response Network (NRN) connects different public and private organizations on a voluntary basis, allowing them to contribute unique cyber expertise in times of crises. For example, the water authorities have much know-how on industrial control systems, while the tax authorities are adroit in mitigating distributed denial of service (DDoS) attacks. Designed to operate analogous to a "bucket brigade" that channels aid to where it is needed, practitioners acknowledge that public sector response times can be considerably slower than those of companies (Head of DefCERT, Soesterberg, interview, February 19, 2016).
The Ministry of Security and Justice coordinates national crisis management, although each ministry remains responsible for its own sector and leads when a crisis originates there. It also houses the permanently manned National Crisis Centre. There are several advisory fora that can be activated in times of crises, their composition tailored to the specific circumstances. As a subset of the National Crisis Plan, the National ICT Crisis Plan regulates crisis management for cyber crises. There are special provisions for emergency measures and cooperation with Internet service providers (ISPs) and an ICT response board can be activated (Kaska, 2015). This public–private board includes representatives from ISPs and telecom providers, CI sectors, academics, and CERT professionals. They provide advice to decision makers at the strategic level. The proposals for this new advisory forum had just been drafted as the DigiNotar crisis unfolded in September 2011, and it was used to inform policy makers on the complex matter of certificate security (Inspectie Veiligheid en Justitie, 2012).
There are several different organizations within the Ministry of Defence that possess cyber capacity and can fulfill a sense-making role in crises. The Military Police are, together with the national police, responsible for combating cybercrime. DefCERT, the military CERT, is responsible for monitoring all military networks, ensuring the security of weapons systems and providing incident response. A covenant between the NCSC and DefCERT allows mutual assistance (Head of DefCERT, Soesterberg, interview, February 19, 2016). DefCERT is also a partner in the National Response Network and is, from the Defence perspective, the first in line to provide cyber capacity to civilian organizations in times of crisis. DefCERT is situated outside the intelligence community, and its primary partners for information sharing are other military CERTs that are also placed outside the intelligence sector. The two Dutch intelligence services have bundled their cyber capacity in the Joint Sigint and Cyber Unit (JSCU). As the employer of the government's primary cryptologists and hackers, they provide the main defense against high-end APTs. DefCERT has cyber defense as its main mission, but only the JSCU has the necessary expertise to combat APTs that target ministries and multinationals (Senior officials at the MIVD & JSCU, the Hague, interviews, March 2016). The separate Defence Cyber Command is tasked with offensive cyber operations, but as it falls outside the intelligence sector, its mandate is governed by the regular procedure for deploying military force.
The Dutch network model and consensus culture have facilitated information sharing between the public and private sectors. There are at least 14 Information Sharing and Analysis Centres (ISACs), each centered around a sector such as energy or finance (ISACs, 2017). Companies participate on a voluntary basis and each ISAC sets its own agenda, with the NCSC providing the secretarial facilities. Representatives of the intelligence sector and the high-tech crime unit of the police frequently attend, though companies sometimes choose to meet without government officials present. Information on IoCs, new threats, and best practices is shared and trust between the participating parties has gradually grown. For sharing between public and private entities, many of the concerns such as liability protection and exemption from the Freedom of Information Act have been addressed. Sharing within the public sector, however, is still hampered by the fragmented institutional landscape. Organizations such as DefCERT, the NCSC, and the intelligence community each have different databases and many top secret intelligence reports cannot be directly shared with other government agencies.
The Dutch institutional cyber landscape closely resembles a participant-governed network connecting public and private partners on a basis of trust and equality. The NCSC acts as a central node, facilitating cooperation but careful not to impose it. The ability to make sense of a crisis, in the form of IT expertise, is spread across different organizations rather than centralized. This distributed nature is especially marked within the Ministry of Defence, with offense, intelligence, and defense covered by different organizations, each sharing limited data with the other. From a national perspective, crisis management has a strong civilian lead, with the Ministry of Security and Justice responsible for coordinating both national cyber security and generic crisis management. According to Broeders (2014), uncertainty concerning formal responsibilities during crises has led to the idea that all potentially relevant public and private actors should have a seat at the table, and as the situation unfolds responsibilities will become clear (p. 46).
4 | DENMARK
Denmark has chosen to adopt a very centralized approach to national cyber security. In 2011, the military CERT and government CERT were combined into one to later form the Centre for Cyber Security (Center for Cybersikkerhed [CFCS]). That year, the government also decided to shift responsibility from the Ministry of Science, Technology, and Innovation to the Ministry of Defence, embedding the new CFCS in the foreign intelligence service, the Danish Defence and Intelligence Service (DDIS) (Järvinen, 2014). The reasoning behind the transfer was a practical one. The country was considered too small to have a separate government and military CERT, most cyberattacks transcended the civilian–military distinction, and the DDIS (especially its SIGINT branch) possessed Denmark's main cyber expertise. The CFCS is responsible for formulating cyber security policy, producing threat assessments, and implementing the EU's NIS directive, and has several regulatory tasks (Centre for Cyber Security, 2015). Besides combining capacity in one central node, a strong legal mandate allows the CFCS to monitor and provide incident response to the main government and private CI networks. The CFCS thus has the technical equipment and legal authority to conduct deep packet inspection (DPI) in the networks of 18 of the 19 government ministries (Officials Centre for Cybersecurity, Copenhagen, interview, May 3, 2016).
The embedding of the CFCS in the intelligence community rhymes with its focus on APTs, almost by definition conducted by adversarial intelligence services. Judging that cybercrime poses a very high threat to Danish businesses and government, the 2016 threat assessment nonetheless considers cyber espionage as the most serious threat. The Ministry of Foreign Affairs is subject to almost daily attempts at intrusions, and the CFCS estimates that cyber criminals generally lack the resources and technical expertise that state-sponsored or state-driven actors have at their disposal (Threat Assessment CFCS 2016, 2016). The CFCS's focus on foreign intelligence cyber operations is facilitated by its own institutional embedding. Being in the intelligence community, the CFCS understands the modus operandi of foreign espionage operations and can obtain signals or human intelligence to complement forensic evidence in attributing cyberattacks. Cyber defense is considered a team sport, and while the network exploitation department of the DDIS falls under a different legal regime, there are few internal hurdles to sharing. Importantly, a CFCS official who also worked in the GovCERT when it fell under the remit of the Ministry of Science emphasizes that since embedding in the intelligence community, he receives significantly more information, and often in a more timely fashion, than before (Officials Centre for Cybersecurity, Copenhagen, interview, May 3, 2016). Whereas the primary sharing circles for the Dutch NCSC or the Dutch DefCERT are formed by, respectively, international platforms like FIRST and like-minded military CERTs outside intelligence, the Danish CFCS receives much from its specific partners in the intelligence community. Sharing with national consumers is done through tear-lines, shielding top-secret sources but conveying the essence of the analysis.
The CFCS is not just the lead agency, but also the first responder in situations where sophisticated hacks have been discovered. There is close cooperation with the civilian security service (Politiets Efterretningstjeneste [PET]) and law enforcement, to ensure a coordinated approach to address the diverging interests of the parties involved in a crisis. The networks of a number of companies that provide CI services are monitored by the CFCS on a voluntary basis. The sharing of information between the public and private sector is channeled predominantly through the CFCS, holding the main threat signature database and malware repositories. A legal framework enables extensive sharing of information with the private sector (IP addresses, metadata, IoCs). While many companies are members of CERT/CSIRT communities, the concept of ISACs is not well developed in Denmark. The strong central role of the CFCS in monitoring government and CI networks and responding to attacks has possibly disincentivized the development of a bottom-up network model of public–private cooperation.
The Ministry of Defence also plays an important role in national crisis management. The Danish Emergency Management Agency (DEMA) is tasked with the whole spectrum of crisis management, from ensuring preparedness to the operational response during incidents (DEMA, 2015). The DEMA integrates the fire service and civil defense force (the Home Guard), and was transferred from the Ministry of Interior to the Ministry of Defence in 2004 (Britz, 2007). In times of emergency, the DEMA can rapidly call up conscripts for assistance (Danish Defence Commission, 2009). The regular crisis management structure displays the same characteristics as those of the Netherlands, Estonia, and the Czech Republic. The principles are based around sectoral responsibility (those with a daily responsibility for a certain service keep this during crises), similarity (following normal operating procedures as much as possible), and subsidiarity (decision making at the lowest level possible). The generic crisis management structure has been extensively tested by events, including a large power outage in 2003 and the Cartoon crises in 2005 and 2006 (Wyman, 2011). The Ministry of Defence chairs the Crisis Management Group, a forum for planning and training. Exercises are organized on a biannual basis, with the most recent edition simulating a coordinated cyberattack on the electricity and health sectors. As of yet, a cyber incident has not led to the activation of the national crisis management organization.
Denmark has thus adopted a clear lead agency model, with all capacity invested in the CFCS. Its
central role has made it the hub of government cyber capacity, monitoring networks and regulating
standards, enforcing them when necessary. It functions as a first responder in times of crisis, addressing
incidents where APTs have been detected but also in instances when high-level IT knowledge is
required. The Ministry of Defence has a prominent role in crisis management structures, and the CFCS
embedding fits well with this. At the same time, the embedding of the CFCS within the intelligence
sector defines its partners and determines its information-sharing circles.
5 | ESTONIA
Just as Denmark transferred the coordinating authority for cyber security to the Ministry of Defence in 2011, Estonia moved in the opposite direction. Arguing that civilian leadership was necessary for tasks such as regulating security standards in the private sector, Estonia transferred the competence for cyber security coordination from Defence to the Ministry of Economic Affairs and Communication. Within this ministry, the Estonian Information Systems Authority (Riigi Infosüsteemi Amet [RIA]) was created as the central department for coordinating cyber policy. The RIA sets standards, drafts the national cyber security strategy, and is also the lead agency in responding to security incidents on Estonian networks (Osula, 2015). The CERT-EE combines the national and GovCERT functions and covers the spectrum from preparation to incident response (Kouremetis, 2015). One year after its establishment, it had its baptism of fire with the April/May 2007 DDoS attacks. NATO provided technical assistance – the only time the alliance has deployed cyber expertise to a member state during a crisis – but there was no appetite for political support. Estonia was cautioned that invoking Article 4 or 5 was not an option (Ilves, 2016). There was no forensic evidence that definitively proved that the Russian government was behind the cyberattacks, but certain indications and Russia's refusal to provide assistance in the investigation afterward certainly suggested a role (Carey, 2013; Mansfield-Devine, 2012).
Besides its task as the coordinator of national cyber security policy, the RIA also has a regulatory role. It supervises the implementation of standards for the CI sector and has the mandate to impose fines when companies fail to respect the rules (Osula, 2015). Whereas the CERT-EE focuses on the operational level, the Cyber Security Service, a department within the RIA, ensures a strategic outlook, mapping vulnerabilities in the critical information infrastructure, conducting risk analyses, and supervising the implementation of necessary measures (Kouremetis, 2015). This enforcement function distinguishes it from, for example, the Dutch NCSC. Estonia is currently drafting a holistic cybersecurity law.
Concerning capacity, Estonia has a distributed rather than a centralized model. The RIA coordi-
nates and provides incident response, but the combined internal security and foreign intelligence
agency, the KAPO, is responsible for countering cyberattacks that originate abroad and threaten
national security. The cybercrime units within the police and border guards have also been recently
consolidated into one unit. The Ministry of Defence has its own department, the Strategic
Communications Centre, that ensures the security and incident response for the military networks (Osula,
2015). According to Estonian officials, these formal organizational boundaries do not impede effective
information sharing (Member Cyber Defence Unit, 2014). An informal culture, where operators and
analysts know each other and possess the necessary security clearances, allows for an efficient
exchange of information between both the public and private sector. The latter is in part due to the
Cyber Defense Unit of the Estonian Defense League, the country's paramilitary Defence organization.
The Cyber Defense Unit is a unique volunteer force of IT experts, consisting of a network of cyber
defense expertise across the public and private sector (Cardash, Cilluffo, & Ottis, 2013). The unit has
several objectives, aiming to improve the cyber defense skills of its members, stimulating them to raise
cyber security awareness in their own organizations and to provide cyber defense capacity in times of
national crises. It has attracted much international interest, with a NATO Cooperative Cyber Defence
Centre of Excellence (CCD COE) report highlighting the policy, organizational and legal aspects
behind the concept (Kaska, Osula, & Stinissen, 2013). As participation is on a voluntary basis, mem-
bers cannot be officially called up, unlike, for instance, cyber reservists. Potentially problematic for
large crisis situations is that many private sector members would probably already be engaged in their
own company's incident response and thus unable to deploy elsewhere. Nonetheless, the concept has
created a network of high-quality IT expertise, transcending organizational boundaries.
The central coordinating authority in emergencies is provided by the National Crisis Management
Committee, falling under the auspices of the Ministry of Interior. This ministry is responsible for civil
protection, internal security, and rescue operations; other ministries are responsible for their own
domains. As such, the Ministry of Economic Affairs and Communication ensures the continuity of the
country's communication and IT networks. Two legal frameworks govern generic crisis management:
the Emergency Act (2009) and the State of Emergency Act (1996) (Osula, 2015). The government can
declare an "emergency situation" if extraordinary security measures are warranted, or a "state of
emergency" in exceptional circumstances where the constitutional order is at risk. The latter, which allows
severe restrictions of individual rights, has never been declared while the former was instituted during,
for example, the 2007 cyberattacks (Hellenberg & Visuri, 2013).
Estonian military cyber capacity has strong international connections. The Defence Ministry's
Strategic Communications Centre ensures the security of military networks and possesses a cyber range
(Osula, 2015). This is operated and used for training by NATO and has significantly improved incident
response and crisis management expertise. Exemplary is the annual "Locked Shields," now the most
advanced technical live-fire cyber defense exercise in the world, organized by the CCD COE and
involving many NATO member states. Participating teams are tasked with defending specific networks
against attempts by the red team to attack, manipulate, or sabotage systems. Besides the technical chal-
lenge, the exercises also incorporate incident response procedures and policy, legal, and media aspects
(Dijk, Meulendijks, & Absil, 2016). As such, international cooperation is further fostered and partici-
pating NATO teams improve their cyber defense expertise.
In conclusion, the RIA fulfills a central node in the Estonian public–private partnership concept.
Tasked with coordination and sense making in crises, its role in enforcing compliance is more indica-
tive of a network administrative organization than a shared partnership network. Cyber capacity is dis-
tributed across several ministries rather than centralized in one department, with hubs of expertise at
the CERT.EE, the KAPO intelligence service, the police force, and the Ministry of Defence. Coopera-
tion is facilitated by the informal culture and the network of the Cyber Defence Unit, with its volun-
teers spread over the public and private sectors. In crisis management, the Ministry of Interior is
responsible for coordinating the response.
6 | THE CZECH REPUBLIC
In the Czech Republic, the National Security Authority (NSA) is responsible for coordinating national
cyber security policy. This government agency, which has ministerial status but no representation in
the Cabinet, received overall responsibility for the coordination of national cyber security in 2011.
Originally, this mission resided with the Ministry of Interior, tasked with combating cybercrime and
having developed many policy initiatives in cyber security. The NCSC was established, operating
under the auspices of the NSA (Minárik, 2016, p. 12). An extensive cyberattack on Czech infrastructure
in March 2013 propelled cyber security higher up the political agenda and highlighted the importance
of cyber crisis management. A series of DDoS attacks, in some ways comparable to the 2007
Estonia attacks, targeted the Prague Stock Exchange, several banks, and media outlets. The damage
was limited as online banking had not yet taken off in the country and the temporary unavailability
was considered a mere nuisance (Kostyuk, 2014). The botnets were traced back to Russia, but here too
assistance in the investigation was refused. The attacks convinced policy makers that the Czech Repub-
lic had served as a test bed for the attackers, and this notion still features in the national cyber security
strategy (National Cyber Security Centre, 2015, p. 11).
The NSA's coordinating role in cyber security complements its other responsibilities in the field of
security clearances, certifying cryptographic devices, establishing and controlling national classification
procedures, and approving the dissemination of classified information to international partners. The
personal role of the director of the NSA and his expertise in the cyber security domain probably also
contributed to the government's decision to transfer authority to this department (Officials at the
National Security Authority, interviews Skype and during CyCon, Tallinn, May 31–June 3, 2016).
According to Czech officials, a deliberate choice was made not to embed the NCSC within the intelli-
gence community, as this would significantly complicate information sharing. Primary concerns specif-
ically related to classification issues impeding public to private sharing of information, as well as
reluctance by companies to share information with the intelligence sector for historical reasons
(Officials National Security Authority, interviews Skype and during CyCon, Tallinn, May 31–June 3,
2016). The NSA is responsible for identifying and determining which services constitute critical
(information) infrastructure (Minárik, 2016).
Within national cyber security, the NCSC functions as a central hub. It operates the GovCERT func-
tion, which not only manages all cooperation with CSIRTs, both national and international, but also pre-
pares security standards, supports cyber security awareness programs, and stimulates education, research,
and development (Minárik, 2016). The GovCERT's main constituents are the public sector (ministries
and agencies) and the nation's CI. Notwithstanding several exceptions, GovCERT does not perform DPI.
Instead, it operates on the so-called "subsidiarity principle," allocating the primary responsibility to
organizations themselves, as they are deemed to be best suited to monitoring their own networks. Besides
GovCERT, the National CERT (CSIRT.CZ) covers the private sector, including the main ISPs. The two
CERTs have different sharing circles, with GovCERT having strong ties to the international community
through the European Union Agency for Network and Information Security (ENISA) and NATO
(NCIRC). The CSIRT.CZ possesses stronger links with the private sector and has a larger capacity of
technical expertise, forming an important partner for the NSA in crisis management (Officials National
Security Authority, interviews Skype and during CyCon, Tallinn, May 31–June 3, 2016).
In the Czech Republic, the Central Crisis Staff provides the main government platform for dealing
with crisis situations. It is convened by the prime minister and is chaired by either the minister of the Inte-
rior or Defence, depending on the exact nature of the crisis. The Central Crisis Staff has the authority to
declare a "state of emergency" and holds both advisory and oversight roles, informing the National Security
Council or government ministers directly during crisis situations. The Cyber Security Act, introduced
in 2015, sets out the most important security standards for the information systems of public authorities
and specifies the procedures for reporting incidents to either GovCERT or CSIRT.CZ, depending on their
origin. The NSA fulfills a pivotal role in ensuring compliance with these security standards and proce-
dures, conducting regular audits to ensure compliance, and issuing fines when required (Andr
s, 2014).
Unique in international cyber crisis management, the NSA can declare a "state of cyber
emergency." This can be declared when a threat to information security or communications services poses a
danger to national security. When in force, it significantly expands the authority of the NSA to issue
direct orders to ISPs or entities operating national CI. It can also entail a transfer of authority regarding
critical information infrastructure from the CSIRT.CZ to GovCERT. The state of cyber emergency is
initially established for a period of 7 days, and can be extended to a total of 30 days. If the crisis situa-
tion has not been effectively resolved within this legal time frame, a general state of emergency can be
declared. While to date no such declaration has been issued, the concept has been extensively tested,
for example, in NATO's CMX 2016 exercise. In the military domain, primary responsibility for cyber
security is held by the Computer Incident Response Capability (CIRC). The Czech government plans
to significantly increase the investment in military cyber defense, including the establishment of a
national Cyber Forces Centre, that falls under military intelligence (Minárik, 2016, p. 12).
The Czech Republic appears to have a similar network governance model to Estonia, with the NSA
regulating as well as enforcing cyber security standards. This displays characteristics of a network
administrative organization. Although the NSA plays a pivotal role in coordinating crisis response,
public cyber capacity to make sense of crises is distributed over several government ministries rather
than centralized in one.
7 | COMPARATIVE ANALYSIS
The institutional cyber landscape of the four European countries can be grouped along the three network
models of Provan and Kenis (2008; see Table 1 in the current article). The Dutch public–private
partnership model is closest to the participant-governed network, with the NCSC's relationship with
companies and other network nodes based on voluntary participation, equality, and trust. This model
corresponds with the Dutch approach of operating through multistakeholder constructions and using
consensus decision making (Karsten, van Veen, & van Wulfften Palthe, 2008). Here the public adminis-
tration moves toward a situation where it no longer contracts specific tasks and monitors their fulfillment,
but rather shapes the conditions of the self-organization of networks. This would constitute a middle way
between the poles of interventionist and hands-off policies (Dunn Cavelty & Suter, 2009). Estonia and
the Czech Republic equally employ a strong public–private partnership model, but their coordinating
authorities (the RIA and NSA) set standards and enforce them with fines when necessary. Rather than a
shared governance model, state authority ensures private sector cooperation. This hierarchical element
suggests a model that is closer to the network administrative organization. Finally, the powerful central
monitoring task of the Danish CFCS, combined with its regulatory role, implies a strong lead agency
model. Although all four countries invest in public–private partnerships, the network model influences
and shapes the relationship between the public and private sector. The concept of ISACs is furthest
developed in the Netherlands, although several sectors in Europe are developing international sharing
platforms (ENISA, 2016). The extensive Dutch public–private partnership correlates clearly with its
participant network model. Since Carr's (2016) appraisal of the disjuncture in expectations between the
public and private sector is predominantly based on the United States and United Kingdom, the role of
specific modes of network governance in shaping partnerships in other countries merits further research.
When analyzing the dimension of coordination, it is important to note that in all four countries
generic crisis management structures have been adapted to include IT expertise when needed. The
ubiquitous dependence on information technology implies that even crises that originate in the cyber
domain will have transboundary effects. The cross-sectoral impact of incidents therefore renders a
"pure" cyber crisis unlikely. The principle of sectoral responsibility shifts the onus from a ministry
rigidly tasked with coordinating crisis response to the quality of the relationship with other implicated
agencies. Here, too, network theory can contribute to conceptualizing intra- and intergovernmental
exchanges in times of crises. Within the investigated countries, but also the EU and NATO, networks
of cyber defense expertise have been generated, with regular training exercises such as Locked Shields
improving technical skills as well as broader crisis management competence. Both international
organizations recognize the importance of civil–military cooperation in cyber defense, and training and
exercises incorporate a strong civilian component to ensure a "whole of government" response. The
ENISA and the European Defence Agency run various programs to stimulate collaborative security
measures and encourage the adoption of good practices and sharing of resources.

TABLE 1 Institutional overview of cyber governance responsibilities and models

| | Netherlands | Denmark | Estonia | Czech Republic |
|---|---|---|---|---|
| Coordination cyber security policy | Ministry of Security and Justice | Ministry of Defence | Ministry of Economic Affairs & Communication | National Security Authority (NSA) |
| Coordination generic crisis management | Ministry of Security and Justice | Ministry of Defence | Ministry of Interior | Ministry of Interior/Ministry of Defence |
| Main public-sector CERTs | National Cyber Security Centre (NCSC); DefCERT | Centre for Cyber Security (CFCS) | CERT-EE | GovCERT; CSIRT.CZ; CIRC (defense) |
| Government cyber capacity | Distributed | Centralized | Distributed | Distributed |
| Monitoring government networks | Ministries have own responsibility (NDN) | CFCS conducts DPI | Ministries have own responsibility | Ministries have own responsibility |
| Embedding intelligence community | Outside | Inside | Outside | Outside |
| Network model | Participant governed | Lead organization | Network-administrative | Network-administrative |

Source. Adapted from Boeke (2016).
Information sharing plays a central role in coordination. Common security practice and the
NIS directive reinforce the role of CERTs/CSIRTs as foci for coordination and exchange, but much
information sharing still relies on ad hoc and informal relationships (Skopik, Settanni, & Fiedler,
2016). More standardized and automated exchange platforms would enable rapid and direct sharing,
but require federated reputation measures to ensure trust. Several international networks like FIRST do
operate malware information-sharing platforms, but according to one official this predominantly
concerns the "garden variety malware" (Officials Centre for Cybersecurity, Copenhagen, interview, May
3, 2016). IoCs and the modus operandi of complex APTs often involve sensitive information and
can be subject to investigation by the national intelligence service. Here the barriers of government
classification and secrecy issues become apparent. The four investigated country studies suggest that
information-sharing networks are delineated not by ministerial boundaries (even including the Ministry
of Defence), but their position inside or outside the intelligence community.
The binary choice of embedding a national CERT inside or outside the intelligence community can
have several important consequences (Boeke, 2016). First, as attested by the Danish official with expe-
rience of both, CERTs inside the intelligence community can receive more data and information than
those outside, benefiting from additional streams of classified sources. Second, the institutional
embedding will determine to a certain extent the scope of the center's own information-sharing circle,
funneling a focus on partners within its own community. Inside intelligence, the modalities of
international sharing remain complex, with elements such as reciprocity and institutional trust (in case of the
Five Eyes countries³) allowing significant exchanges of data and analyses (Clough, 2004). Outside
intelligence, information sharing generally follows similar principles, such as a reliance on personal
trust relationships and the willingness to share sensitive information being inversely proportional to the
size of the receiving network. Finally, there are significant legal, policy, and ethical implications of
embedding CERTs/CSIRTs in the intelligence community. This deserves more research.
The technical capacity to make sense of an IT crisis is concentrated in CERTs/CSIRTs, and here
the binary choice concerns centralization or sectoral specialization. This applies to both the public and
private sectors, and involves more than a choice between synergies or tailored expertise. An example
of a ground-breaking centralization initiative in the private sector concerns the Nordic Financial CERT
that will serve banks in Norway, Sweden, Finland, and Denmark ("Nordic banks collaborate on fighting
cybercrime," 2017). In the public sector, Denmark has opted to combine the government and military
CERT into one; the other three countries have chosen to keep them apart, with the Czech
Republic even fielding separate government and national CERTs. In the centralized Danish model, the
CFCS has a clear first-responder role in cyber crisis management. In the Netherlands, the NCSC can
draw extra capacity from DefCERT in times of crises. DefCERT is included in the National Response
Network, but the Joint Sigint Cyber Unit with high-end capacity against APTs is not formally prepared
for a role in crises. In Estonia, the unique concept of the volunteer Cyber Defence Unit has linked a
network of professionals across public and private domains, with an informal culture allowing for
quick information sharing. There are valid arguments for both centralization and sectoral specialization,
but it is clear that a distributed cyber landscape requires intensive interagency cooperation to mitigate
some of the disadvantages. These are overlaps and gaps in the different databases, complex sharing
arrangements, and questions of personnel management, with talent often gravitating to where the work
is most exciting (intelligence/offense rather than monitoring). From an incident response perspective,
at least centralization leaves no doubt whom to call in times of crises.
8 | CONCLUSION
While the institutional arrangements in each country are strongly influenced by the combination of
unique sociopolitical cultures and context, it is clear that governance models are still under
construction and subject to adjustments. With the exception of the Netherlands, all investigated countries have
transferred the coordinating role for national cyber security from one ministerial department to another,
with the GovCERT changing house each time. Using Provan and Kenis's (2008) modes of network
governance theory, a first taxonomy of cyber governance landscapes can be provided. The Dutch
NCSC has succeeded in involving many private actors through the principles of trust, equality, and
voluntary participation. On the opposite end of the spectrum, the Danish lead agency model provides,
according to several practitioners, a better defense against APTs. Estonia and the Czech Republic have
taken original measures to improve their cyber crisis management policy. As each country has its own
unique political and economic ecosystem, it is difficult to transpose best practices from one system to
the other without considering the broader context.
From an institutional perspective, countries are faced with two important choices when organizing
their cyber defense and crisis management structures. The first concerns whether to embed their
national or government CERT inside or outside the intelligence community. In this research, only
Denmark has chosen the former, but other European examples are provided by the United Kingdom and
Spain.⁴ The consequences are of a practical as well as principled nature, and involve legal and ethical
questions linked to democracy and the rule of law. The second institutional choice concerns whether to
centralize cyber capacity in one unit or distribute it according to mission and mandate. Opposite poles
are offered by the Danish (centralized) and Dutch and Czech (distributed) models. The effectivity ques-
tion has been left unaddressed in this article; not only are specific analyses of past crises required, but
normative performance remains difficult to define. The Diginotar crisis (2011) and the cyberattacks on
the Estonian infrastructure (2007) and the Czech banking sector (2013) were all managed by their
nations' generic crisis management structures, and specific arrangements for cyber crises were
incorporated or significantly adjusted afterward. Governments, after all, invest much time in preparing for
crises and, once they have occurred, seldom let them go to waste.
ACKNOWLEDGMENTS
The author would like to thank the anonymous reviewers for their constructive comments and the
officials in the different National Cyber Security Centres for their time and valuable insights.
Dennis Broeders, Max Geelen, and Liisi Adamson also provided helpful comments.
ENDNOTES
1 For their research on EU crisis management capacity, Boin et al. (2014) have nonetheless narrowed the classification of
networks to a binary distinction: a network model versus a lead-agency model. To better encompass the broader field of
various national PPP structures, this article proposes to adhere to the Provan and Kenis (2008) models.
2 This article uses the two acronyms synonymously, although a CERT is a registered trademark that requires a user to
obtain permission from CERT/CC. A CSIRT can have a broader scope of duties.
3 The United States, the United Kingdom, Canada, Australia, and New Zealand.
4 The United Kingdom's National Cyber Security Centre is a part of the Government Communications Headquarters
(GCHQ), and Spain's CCN-CERT falls under the remit of the Centro Nacional de Inteligencia (CNI).
REFERENCES
Andr
s, J. (2014). Czech cyber security: Finally ahead of Europe? SVAT Cyber Security.
Boeke, S. (2016). First responder or last resort? The role of the Ministry of Defence in national cyber crisis management in four European countries. Universiteit Leiden, the Netherlands.
Boeke, S., Heinl, C. H., & Veenendaal, M. A. (2015). Civil-military relations and international military cooperation in cyber security: Common challenges & state practices across Asia and Europe. Presented at the Cyber Conflict: Architectures in Cyberspace (CyCon), Seventh International Conference on, IEEE, Tallinn, pp. 69–80. https://doi.org/10.1109/CYCON.2015.7158469
Boin, A., Busuioc, M., & Groenleer, M. (2014). Building European Union capacity to manage transboundary crises: Network or lead-agency model? Regulation & Governance, 8, 418–436.
Boin, A., & Bynander, F. (2015). Explaining success and failure in crisis coordination. Geografiska Annaler: Series A, Physical Geography, 97, 123–135.
Boin, A., & McConnell, A. (2007). Preparing for critical infrastructure breakdowns: The limits of crisis management and the need for resilience. Journal of Contingencies and Crisis Management, 15, 50–59.
Britz, M. (2007, May). Translating EU civil protection in the Nordic states – Towards a theoretical understanding of the creation of European crisis management capacities. Presented at the European Union Studies Association's Tenth Biennial International Conference, Montreal, Canada. Retrieved from http://aei.pitt.edu/7714/1/britz-m-11d.pdf
Broeders, D. (2014). Investigating the place and role of the armed forces in Dutch cyber security governance. https://doi.org/10.13140/RG.2.1.3974.3849
Cardash, S. L., Cilluffo, F. J., & Ottis, R. (2013). Estonia's cyber defence league: A model for the United States? Studies in Conflict & Terrorism, 36, 777–787.
Carey, C., III. (2013, March 27). The international community must hold Russia accountable for its cyber militias. Small Wars Journal. Retrieved from http://insct.syr.edu/the-international-community-must-hold-russia-accountable-for-its-cyber-militias/
Carr, M. (2016). Public-private partnerships in national cyber-security strategies. International Affairs, 92, 43–62.
Centre for Cyber Security. (2015). The Danish cyber and information security strategy. Retrieved from http://www.fmn.dk/eng/news/Documents/Danish-Cyber-and-Information-Security-Strategy-EN-vers.PDF
Choucri, N., Madnick, S., & Ferwerda, J. (2014). Institutions for cyber security: International Responses and global imperatives. Information Technology for Development, 20, 96–121.
Clough, C. (2004). Quid pro quo: The challenges of international strategic intelligence cooperation. International Journal of Intelligence and Counter Intelligence, 17, 601–613.
Cyber Security Act, 181. (2014). Retrieved from https://www.govcert.cz/download/legislation/container-nodeid-1122/actoncybersecuritypopsp.pdf
Danish Defence Commission. (2009). Danish defence – Global engagement. Copenhagen, the Netherlands: Danish Ministry of Defence.
Danish Emergency Management Agency. (2015). Crisis management in Denmark. Birkerød, Denmark: Danish Emergency Management Agency.
Dijk, A. D., Meulendijks, J. M. G., & Absil, F. G. J. (2016). Lessons learned from NATO's cyber defence exercise locked shields 2015. Militaire Spectator, 185(2), 65–74. Retrieved from http://www.militairespectator.nl/sites/default/files/teksten/bestanden/Militaire%20Spectator%202-2016%20Dijk.pdf
Dunn Cavelty, M., & Suter, M. (2009). Public–private partnerships are no silver bullet: An expanded governance model for critical infrastructure protection. International Journal of Critical Infrastructure Protection, 2, 179–187.
Dynes, R. R., & Aguirre, B. E. (2008). Organizational adaptation to crises: Mechanisms of coordination and structural change. In A. Boin (Ed.), Crisis management (pp. 320–325). Los Angeles, CA: SAGE.
European Union Agency for Network and Information Security. (2016). Report on cyber security information sharing in the energy sector. Retrieved from https://www.enisa.europa.eu/publications/information-sharing-in-the-energy-sector
Gewijzigde motie (nader) Hernandez en Knops over een visie over de aanpak van cybercrime/cyberwarfare (t.v.v. 32500 X, nr. 24) (2010). Retrieved from https://www.parlementairemonitor.nl/9353000/1/j9tvgajcor7dxyk_j9vvij5epmj1ey
Hall, P. A., & Soskice, D. (Eds.). (2001). Varieties of capitalism: The institutional foundations of comparative advantage. Oxford, NY: Oxford University Press.
Hellenberg, T., & Visuri, P. (2013). Analysis of Civil Security Systems in Europe Country Study Estonia, Anvil project. Retrieved from http://anvil-project.net/wp-content/uploads/2013/12/Estonia_v1.0.pdf
Inspectie Veiligheid en Justitie. (2012). Rapport: Evaluatie van de rijkscrisisorganisatie tijdens de DigiNotar-crisis. Den Haag.
ISACs. (2017). Retrieved from https://www.ncsc.nl/english/Cooperation/isacs.html
Järvinen, H. (2014). Danish government plans to create a Center for Cybersecurity with privacy-invasive powers. EDRi. Retrieved from https://edri.org/danish-government-plans-create-center-cybersecurity-privacy-invasive-powers/
Karsten, L., van Veen, K., & van Wulfften Palthe, A. (2008). What happened to the popularity of the polder model? Emergence and disappearance of a political fashion. International Sociology, 23, 35–65.
Kaska, K. (2015). National cyber security organisation: The Netherlands. Tallinn, Estonia: NATO CCD COE.
Kaska, K., Osula, A.-M., & Stinissen, J. (2013). The Cyber Defence Unit of the Estonian Defence League: Legal, policy and organisational analysis. Tallinn, Estonia: NATO CCD COE.
Klimburg, A. (Ed.). (2012). National cyber security framework manual. Tallinn, Estonia: NATO CCD COE.
Kostyuk, N. (2014). International and domestic challenges to comprehensive national cybersecurity: A case study of the Czech Republic. Journal of Strategic Security, 7, 68–82.
Kouremetis, M. (2015). An analysis of Estonia's cyber security strategy, policy and capabilities. In Proceedings of the 14th European Conference on Cyber Warfare and Security 2015 (pp. 404–412). Presented at the European Conference on Cyber Warfare and Security. Reading, UK: Academic Conferences and Publishing International.
Kovoor-Misra, S., & Misra, M. (2007). Understanding and managing crises in an online world. In C. M. Pearson, C. Roux-Dufort, & J. A. Clair (Eds.), International handbook of organizational crisis management (pp. 85–104). London, UK: Sage.
Mansfield-Devine, S. (2012). Estonia: What doesn't kill you makes you stronger. Network Security, 2012, 12–20.
Member Cyber Defence Unit. (2014, November 18–19). RSIS-Leiden University Centre for Terrorism and Counterterrorism (CTC) Roundtable on Civil-Military Relations in Cyberspace, Singapore.
Minárik, T. (2016). National cyber security organisation: Czech Republic (2nd ed.). Tallinn, Estonia: NATO CCD COE.
Ministerie van Veiligheid en Justitie. (2013). Nationale Cybersecurity Strategie 2: Van bewust naar bekwaam. The Hague, the Netherlands: Nationaal Coördinator Terrorismebestrijding en Veiligheid.
Nationaal Coördinator Terrorismebestrijding en Veiligheid. (2012). Nationaal Crisisplan ICT. Den Haag, the Netherlands: Ministerie van Veiligheid en Justitie.
National Cyber Security Centre. (2015). National Cyber Security Strategy of the Czech Republic for the period from 2015–2020. National Security Authority. Retrieved from https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map/CzechRepublic_Cyber_Security_Strategy.pdf
Nordic banks collaborate on fighting cybercrime. (2017). Retrieved from https://www.nordea.com/en/press-and-news/news-and-press-releases/press-releases/2017/04-10-08h00-nordic-banks-collaborate-on-fighting-cybercrime.html
Osula, A.-M. (2015). National Cyber Security Organisation: Estonia. Tallinn, Estonia: NATO CCD COE.
Pearson, C. M., & Clair, J. A. (2008). Reframing crisis management. In A. Boin (Ed.), Crisis management (pp. 1–24). Los Angeles, CA: SAGE.
President Toomas Hendrik Ilves's opening speech at CyCon in Tallinn on June 1. (2016). Retrieved from https://president.ee/en/official-duties/speeches/12281-president-toomas-hendrik-ilvess-opening-speech-at-cycon-in-tallinn-on-june-1-2016/index.html
Provan, K. G., & Kenis, P. (2008). Modes of network governance: Structure, management, and effectiveness. Journal of Public Administration Research and Theory, 18, 229–252.
Roux-Dufort, C. (2007). A passion for imperfections: Revisiting crisis management. In C. M. Pearson, C. Roux-Dufort, & J. A. Clair (Eds.), International handbook of organizational crisis management (pp. 221–252). Thousand Oaks, CA: SAGE.
Skopik, F., Settanni, G., & Fiedler, R. (2016). A problem shared is a problem halved: A survey on the dimensions of collective cyber defense through security information sharing. Computers & Security, 60, 154–176.
Stone, B., & Riley, M. (2013). Mandiant, the go-to security firm for cyber-espionage attacks. Retrieved from http://www.Bloomberg.com.
't Hart, P., Rosenthal, U., & Kouzmin, A. (1993). Crisis decision making: The centralization thesis revisited. Administration & Society, 25, 12–45.
Threat Assessment CFCS: The Cyber Threat against Denmark. (2016). Retrieved from https://fe-ddis.dk/cfcs/CFCSDocuments/Threat%20Assessment%20-%20The%20cyber%20threat%20against%20Denmark.pdf
Woollaston, V. (2017, May 15). The NHS trusts and hospitals affected by the Wannacry cyberattack. WIRED. Retrieved from http://www.wired.co.uk/article/nhs-trusts-affected-by-cyber-attack
Wyman, J. S. (2011). Emergency management in Denmark: Lessons learned at home and abroad. In D. McEntire (Ed.), Comparative emergency management: Understanding disaster policies, organizations, and initiatives from around the world. Retrieved from https://www.training.fema.gov/hiedu/aemrc/booksdownload/compemmgmtbookproject/
Zetter, K. (2016, March 3). Inside the cunning, unprecedented hack of Ukraine's power grid. WIRED. Retrieved from https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
How to cite this article: Boeke S. National cyber crisis management: Different European approaches. Governance. 2017;00:1–16. https://doi.org/10.1111/gove.12309
... Enormous cyber-attacks pose a real threat to national security, particularly when cyber incidents spread rapidly and significantly disrupt the functioning of essential public services [4]. In recent decades, several countries have experienced significant and notable cyber attacks, including the SolarWinds supply chain attack in the U.S., cyberwar attacks in Estonia [5], the Dark Seoul incident in South Korea [6], Stuxnet in Iran [7], the NotPetya ransomware attack in Ukraine, and the DDoS attack in Russia [8]. ...
... Cyber crisis management encompasses strategic methodologies for addressing incidents or attacks that aim to destroy or paralyze information systems, disrupt economic or social activities, or endanger human lives [9]. It includes capabilities in incident response, crisis management, and cyber defense, particularly at the national level [4]. Effective cyber crisis management necessitates not only technical solutions but also an understanding of the interplay between human and organizational factors. ...
... According to the Netherlands, a cyber crisis involves an IT-related issue affecting critical infrastructure that cannot be managed by standard crisis management organizations. Similarly, in Czechoslovakia, a "cyber crisis" can be declared if the security of information systems jeopardizes national interests [4]. ...
... A particularly crucial domain is the management of cyber incidents and crises. This area has become increasingly significant due to the rising number and sophistication of cyber-attacks, the growing reliance on digital systems, and the challenges posed by cyber warfare (Boeke 2018). The intricate and multifaceted nature of cyber crisis management renders the development of effective policies and governance structures a complex task for both national and supranational authorities. ...
... Furthermore, the characteristics of cyber crises pose significant challenges to the traditional institutional frameworks of democratic states, often hindering prompt and effective responses (Boeke 2018). Effective governance of cyber crises thus necessitates the involvement of a broad spectrum of actors (Boin, Busuioc, and Groenleer 2014). ...
Article
Effective cyber incident response and crisis management increasingly relies on the coordination of relevant actors at supranational levels. A polycentric governance structure is one of the institutional arrangements that can promote active participation of involved actors, an aspect decisive for the rapid and effective response to cyber incidents and crises. This research aims to dissect whether, and to what extent, a polycentric structure is manifested within the cyber crisis management framework of the European Union (EU) and assesses the extent to which these policies signal a balance between centralization and decentralization. By employing Institutional Grammar 2.0, we examine the roles and interactions among actors delineated within four key policies to identify the structural characteristics, institutional essentials, and prerequisites indicative of a polycentric governance system. Additionally, we apply network analysis to evaluate dyadic relationships of actors, further assessing the balance between centralization and decentralization in the EU's cyber crisis management framework. Our analysis reveals that the EU has adopted a polycentric governance model for cyber crisis management, characterized by a nuanced distribution of responsibilities and authorities. The findings highlight a tendency toward centralization, especially in the roles of Member States and the European Union Agency for Cybersecurity (ENISA), while maintaining a polycentric structure that blends centralization and decentralization. This balance can ensure structural integrity and coherence of the system, while theoretically providing the flexibility and resilience needed to adapt to the dynamic cyber threat landscape. The study contributes methodologically, offering a framework that can be applied to other domains, and provides insights into the effective coordination of cyber incident response and crisis management at supranational levels.
... signal detection; probing and prevention; damage containment; recovery; and learning) and indirectly influence the effect of big data analytics on predictive policing. In other words, to control the consequences of security situation in the country during crises such as pandemic, or political crises, the police need crises management to improve forecasting tools and predict crimes before happening in a large scale violation to the safety of the country (Boeke, 2018). It appears justified to associate the national security system with crisis management as a function of multifaceted national security management the support the anticipation of future crimes and threats on the national security (Bsoul-Kopowska, 2018). It has been demonstrated that it is required for the establishment of an integral sector of national security, as well as strengthening strategic planning, analysis, and crisis management; developing the resilience potential of national security; the adoption of these strategic crisis management by law enforcement agencies will ensure the country's long-term development in the security of the nation (Bondarenko et al., 2021). ...
Article
Crises have long been a scourge for humanity. With the advances in technology (in terms of computing, communications, and the ability to process, and analyze big data), our ability to respond to crisis is at an inflection point. There is great optimism that big data tools can be leveraged to process large amounts of crisis-related data to provide an insight into the fast-changing situation and help drive an effective disaster response and predictive policing. Predictive analytics and artificial intelligence are applied widely across law enforcement agencies and the criminal justice system. Understanding how the “big data analytics” discourse is operationalized as a series of technical fixes that rely on the production of indeterminacies allows for a more nuanced critique of predictive policing. This paper introduces the effect of big data analytics on predictive policing through crisis management.
... Huang and Madnick (2020) added that there are some external bodies that normally provide advisory and technical supports when major cyber crisis occurs in an organisation. Scholars, such as Boeke (2018) and Ali and Al-Aali (2016) argued that cyber crisis management strategy does more than an incident response. It is a continuous process even when cyber threat has not taken place. ...
Chapter
In the era of the Fourth Industrial Revolution (4IR), data have been described as the new ‘oil’ because of its importance in driving sustainable development in countries and organisations that efficiently utilized them. As a result of their significance, hackers (cyber-attackers) have been targeting and stealing these data for different motives. When data are stolen or breached, the affected countries or organisations are denied benefits of such data and this may have severe implications for their efficiency. Cyberspace makes exchanges and transfer of data easier.
... signal detection; probing and prevention; damage containment; recovery; and learning) and indirectly influence the effect of big data analytics on predictive policing. In other words, to control the consequences of security situation in the country during crises such as pandemic, or political crises, the police need crises management to improve forecasting tools and predict crimes before happen in a large scale violation to the safety of the country (Boeke, 2018). It appears justified to associate the national security system with crisis management as a function of multifaceted national security management the support the anticipation of future crimes and threats on the national security (Bsoul-Kopowska, 2018). It has been demonstrated that it is required for the establishment of an integral sector of national security, as well as strengthening strategic planning, analysis, and crisis management; ...
Article
Objective: The objective of this study is to evaluate the impact of big data analytics (BDA) on predictive policing, particularly examining the mediating role of crisis management in this relationship. Theoretical Framework: The research is anchored in the domain of big data analytics, focusing on its application within law enforcement for enhancing predictive policing capabilities. The study explores how crisis management serves as a linkage between data analytics and predictive policing practices. Method: The study gathered data from 450 individuals working across various police departments in Dubai, utilizing a questionnaire to collect responses. The analytical approach was based on Structural Equation Modeling, conducted using AMOS software. Results and Discussion: Findings from the research indicate that big data analytics significantly boosts predictive policing and crisis management. Importantly, crisis management was identified as a mediating factor between big data analytics and its efficacy in predictive policing. These results suggest that big data analytics not only directly enhances predictive policing but also improves it indirectly through effective crisis management. Research Implications: This study underscores the importance of integrating big data analytics into police operations to advance predictive policing capabilities. It highlights the dual benefits of big data analytics in both direct application and enhancement through crisis management processes. Originality/Value: This research contributes to the limited but growing body of literature on the application of big data analytics in predictive policing. It offers practical guidelines for police forces, especially within the UAE, to better harness big data for improving their operational effectiveness and crisis management strategies. The study also discusses broader implications for both practice and ongoing research in this evolving field.
... Vanden Oordet et al. [36] constructed and simulated an evolutionary model of a community public crisis governance network based on COVID-19 outbreak prevention and control in Belgium. Boeke [2] used Provan and Kenis' model of network governance to analyze the potential role of multi-agent behavioral emergence in emergency response networks in four countries - the Netherlands, Denmark, Estonia and the Czech Republic - on the overall network. Yang et al. [41] found through entity-relationship network (E-R) analysis that neighbor-avoidance conflict agents can only adapt to environmental changes through continuous adaptive learning. ...
Article
In order to explore the phenomenon of diffusion of group decision making formed by the emergence of decision-making behaviors of governance agents in public crisis governance systems, this research uses a complex network evolutionary game approach, considers BA scale-free networks as network vectors of public crisis governance systems, and develops a diffusion model of collaborative governance decision making behaviors. Simulation experiments are also conducted to show the macro-level impact of micro-subjects' decision-making behavior on group “Emergence-Diffusion”. The results of this study show that the cost of collaborative governance has the most significant effect on the depth and breadth of the spread of collaborative behavior in governance networks. The size of the network determines the speed of network diffusion. The smaller the network size, the more sensitive it is to the spillover benefits of collaborative governance, and the larger the network size, the more sensitive it is to the penalties of non-compliance. The findings of the study have implications for the collaborative behavior of multiple agents in public crisis governance. The main findings are that (1) in order to ensure the stability of the collaborative governance system, decision making options should be selected according to the size of the network. (2) A reasonable penalty mechanism for breach of contract should be set up to avoid the phenomenon of "free-riding" in collaborative governance. (3) Reasonable allocation of collaboration benefits and maintenance of cooperative relationships between nodes in the neighborhood. (4) External regulators should ensure that information in the network is disseminated without barriers and reduce the phenomenon of information asymmetry.
Article
The uptick in malicious activity in cyberspace observed during the initial stage of the coronavirus pandemic highlighted once again the need for addressing cyberattacks. Health-related facilities were some of the main targets of cyber operations, several cyberattacks hitting even COVID-19 hospitals. Cyber operations grew in both intensity and numbers, both regarding cyberattacks and cybercrime. However, alleged state-sponsored cyberattacks are the main focus of this research. Malicious cyber operations set dangerous precedents during the pandemic, and it strengthens the need to adequately address these threats, but also broaden the research, especially in the field of International Relations. The discussion is centred on the most significant cyber incidents during the first year of the COVID-19 pandemic, beginning with the surge of cyberattacks and cybercrime during the first months of increased dependence on digital technologies for companies and state institutions. Therefore, this paper will start with a literature review regarding cyber operations and IR. Research on cyberspace in IR is not scarce, but it is still lagging behind new and dynamic evolutions. Further, I shall focus on the major state-sponsored cyber operations that occurred during this period, while also paying attention to the problem of attribution. All of these developments regarding cyber operations should stand as significant threats and warnings for governments, private companies, and citizens, and they must be addressed properly in order to prevent future considerable disruptions. Given the above, I shall summarise several general lessons and recommendations that emerged from studying the major state-sponsored cyberattacks during the COVID-19 pandemic. (EUROPOLITY, vol. 15, no. 1, 2021, Continuity and Change in European Governance.)
Article
In recent years, the Swedish public sector has undergone rapid digitalization, while cybersecurity efforts have not kept even steps. This study investigates conditions for cybersecurity work at Swedish administrative authorities by examining organizational conditions at the authorities, what cybersecurity staff do to acquire the cyber situation awareness required for their role, as well as what experience cybersecurity staff have with incidents. In this study, 17 semi-structured interviews were held with respondents from Swedish administrative authorities. The results showed the diverse conditions for cybersecurity work that exist at the authorities and that a variety of roles are involved in that work. It was found that national-level support for cybersecurity was perceived as somewhat lacking. There were also challenges in getting access to information elements required for sufficient cyber situation awareness.
Research
Research study commissioned by the Netherlands Defence Academy (DoD). Based on literature and elite interviews it researches how the new Dutch Cyber Command of the DoD fits into the wider landscape of Dutch Cyber Security Governance structures.
Article
While many countries and companies have fallen victim to cyber attacks over the past few years, including American companies such as Apple, Microsoft, and Facebook, Czech websites remained relatively safe until March 2013, when they were interrupted by a series of cyber attacks. Even though the origin of the attacks remains debatable, this case study demonstrates the importance of cooperation between nations in the nascent phase of the internet development and their more powerful allies. Domestic challenges that nations face in addressing cybersecurity in an effective and comprehensive manner include ambiguous legislation, recalcitrant officials, and a lack of both fiscal and human capital. To address these challenges, nations should cooperate with their more capable allies, such as the EU and NATO, create better cyber protective measures, train and hire qualified specialists in the public sector, and intensify private-public partnership. Until an international agenda on cyberspace is set, these nations with limited resources should cooperate with developed nations lest they risk more severe attacks in the future.
Book
Applying the new economics of organization and relational theories of the firm to the problem of understanding cross‐national variation in the political economy, this volume elaborates a new understanding of the institutional differences that characterize the ‘varieties of capitalism’ found among the developed economies. Building on a distinction between ‘liberal market economies’ and ‘coordinated market economies’, it explores the impact of these variations on economic performance and many spheres of policy‐making, including macroeconomic policy, social policy, vocational training, legal decision‐making, and international economic negotiations. The volume examines the institutional complementarities across spheres of the political economy, including labour markets, markets for corporate finance, the system of skill formation, and inter‐firm collaboration on research and development that reinforce national equilibria and give rise to comparative institutional advantages, notably in the sphere of innovation where LMEs are better placed to sponsor radical innovation and CMEs to sponsor incremental innovation. By linking managerial strategy to national institutions, the volume builds a firm‐centred comparative political economy that can be used to assess the response of firms and governments to the pressures associated with globalization. Its new perspectives on the welfare state emphasize the role of business interests and of economic systems built on general or specific skills in the development of social policy. It explores the relationship between national legal systems, as well as systems of standards setting, and the political economy. The analysis has many implications for economic policy‐making, at national and international levels, in the global age.
Article
The Internet threat landscape is fundamentally changing. A major shift away from hobby hacking toward well-organized cyber crime can be observed. These attacks are typically carried out for commercial reasons in a sophisticated and targeted manner, and specifically in a way to circumvent common security measures. Additionally, networks have grown to a scale and complexity, and have reached a degree of interconnectedness, that their protection can often only be guaranteed and financed as shared efforts. Consequently, new paradigms are required for detecting contemporary attacks and mitigating their effects. Today, many attack detection tasks are performed within individual organizations, and there is little cross-organizational information sharing. However, information sharing is a crucial step to acquiring a thorough understanding of large-scale cyber-attack situations, and is therefore seen as one of the key concepts to protect future networks. Discovering covert cyber attacks and new malware, issuing early warnings, advice about how to secure networks, and selectively distribute threat intelligence data are just some of the many use cases. In this survey article we provide a structured overview about the dimensions of cyber security information sharing. First, we motivate the need in more detail and work out the requirements for an information sharing system. Second, we highlight legal aspects and efforts from standardization bodies such as ISO and the National Institute of Standards and Technology (NIST). Third, we survey implementations in terms of both organizational and technological matters. In this regard, we study the structures of Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs), and evaluate what we could learn from them in terms of applied processes, available protocols and implemented tools. 
We conclude with a critical review of the state of the art and highlight important considerations when building effective security information sharing platforms for the future.
Article
Despite its centrality in the national cyber security strategies of the US and the UK, the public–private partnership is a nebulous arrangement, which is especially problematic in the context of critical infrastructure protection. Privately owned and operated critical infrastructure that is regarded as a potential national security vulnerability raises questions about the allocation of responsibility and accountability in terms of cyber security. As with many aspects of cyber security, this issue is often discussed with little reference to previous scholarship that could provide conceptual scaffolding. This article draws on the extensive literature on public–private partnerships in order to assess the tensions and challenges of this arrangement in national cyber-security strategies. It finds that there is a serious disjuncture in expectations from both ‘partners’. The government regards privately owned and operated critical infrastructure as a key element of national security but is reluctant to claim a mandate to oversee network security. At the same time, the private sector is not inclined to accept responsibility or liability for national cyber security. This challenge for governments to manage national cyber security raises questions about how well equipped these states are to promote their own security in the information age. Acknowledging the flaws in the ‘partnership’ is an essential step towards addressing them.
Book
Best-managed crises can bring positive recognition and enhance an organization’s value; worst-managed crises can snuff its viability. Numerous books have been written on the topic, but many lack rigor: prescriptions are untested and quick fixes are based on elevating the readers’ fears. The International Handbook of Organizational Crisis Management reflects the latest understanding of this field from prominent scholars and practitioners around the globe. Pushing the boundaries of crisis management research and practice, this book offers new frameworks and findings that capture insights and guidance for researchers and executives. Today’s crises require no less. Novel and poorly understood technologies, globalization, changing political climates, and a shifting social landscape are just a few of the forces currently changing the ways in which organizations experience crises. The International Handbook of Organizational Crisis Management is a grounded cross-section of informed perspectives, a leading edge overview of the field of crisis management that will be useful to researchers and thoughtful practitioners.
Article
The impact of organizational crises has never been stronger. Yet previous research on crisis management lacks adequate integration. In this article we attempt to integrate and build upon current knowledge to create a multidisciplinary approach to crisis management research, using psychological, social-political, and technological-structural research perspectives. We offer definitions of organizational crisis and crisis management, as well as a framework that depicts the crisis management process and researchable propositions for the integration of these perspectives. We also suggest implications for research and practice.