One should note, however, that there are alternative framings of technical IT security and problems with the general label of “cyber”, which will be briefly taken up below.
In contrast to informal working arrangements for security and intelligence agencies
At the time of writing, the legislative proposal had gained political agreement from all EU institutions, but had not yet been formally concluded. See: https://ec.europa.eu/digital-single-market/en/news/network-and-information-security-directive-co-legislators-agree-first-eu-wide-legislation
Information and computer scientists tend to prefer other, more technical and precise concepts, such as information security, which is composed of the definable attributes of integrity, availability and confidentiality. Security scholars, in contrast, have highlighted the dangers of “securitizing” digital communications, or simply ‘cyber’, and of merging the distinct issues of cybercrime and cyber-assisted crime with a more state-centred notion of security, which can legitimate “offensive” methods and the involvement of the military.
Again, we cannot go into the question whether cyberspace is a suitably precise analytical concept. For a widely cited official definition, see http://www.dhs.gov/sites/default/files/publications/Cyberspace_Policy_Review_final_0.pdf
For instance, http://www.ix-f.net/ixp-models.html. See also Farrand and Carrapico in this issue for a more detailed discussion on the historical development from public to private management of critical infrastructures.
An especially controversial response to this challenge has been to create separate market incentives through programs such as ‘bug bounties.’
Such as “hate” speech, weapons instructions, child sexual abuse material, etc.
These functionally differentiated tasks or processes have been inductively derived by the authors from the diverse social science literature on cybersecurity referred to above. For reasons of space, this differentiation cannot be systematically related to wider theories of public (economic) regulation and security governance here, but this may prove a worthwhile research agenda for the future. On the one hand, one could test whether the proposed tasks are truly exhaustive and comprehensive in the area of cybersecurity. On the other hand, more elaborate formal reasoning on collective action dynamics, such as with regard to the public good qualities of information or reliable access, could be explored beyond the cursory remarks made below.
If one applies a broad or multi-level understanding of cybersecurity, this can range from questions of rights management, privacy and data protection to secure communication protocol standards or product safety and security.
This point can be underlined by the fact that PPPs for a more secure internet provision at the infrastructural level have not yet been funded in Europe, as illustrated by the failed idea of a “Schengen-net” for secure data transfers in Europe.
The typological fields are referred to in the respective subheadings of the different sections.
ENISA has organised several annual major ICT incident exercises for EU member states that were triggered by official EU conclusions in the aftermath of the 2009 Estonian cyber-attacks. Assessments of these exercises are limited to official documents, where the large number of participants (500+) and positive resonance had highlighted
See also Art. 3 of the EU regulation establishing ENISA (revised 526/2013)
https://www.enisa.europa.eu/activities/cert/support/information-sharing/european-fi-isac-a-public-private-partnership. This has been modelled on a corresponding US Forum with global reach. http://www.fsisac.com/
ENISA, 2012a. European Public + Private Partnership for Resilience. Activity Report 2012. Available at:
Compare also for an incomplete survey of information-sharing platforms across EU member states https://resilience.enisa.europa.eu/nis-platform/shared-documents/wg2-documents/wg2-outcome-draft/at_download/file.
This would hitherto be limited to some cases that are covered by the 2009 EU telecommunications regulation (Directive 2009/140/EC). See https://resilience.enisa.europa.eu/article-13
Public authorities from 18 member states are taking part, while the rest is constituted by academic institutions or experts. See the full list of members: http://ec.europa.eu/transparency/regexpert/index.cfm?do=groupDetail.groupDetail&groupID=2920&NewSearch=1&NewSearch=1
See https://resilience.enisa.europa.eu/nis-platform. The second working group especially provides the most detailed recommendations on how to differentiate, improve and link up the variety of information-sharing initiatives for CIIP, see https://resilience.enisa.europa.eu/nis-platform/shared-documents/5th-plenary-meeting/chapter-3-wg2_final-for-discussion-may-27-2015/at_download/file
Or computer security incident response teams in alternative European parlance (CSIRT), see https://www.enisa.europa.eu/activities/cert/support/guide2/introduction/what-is-csirt
For instance, one could point to frameworks for data sharing or best practice collection, see http://www.enisa.europa.eu/activities/cert/support/data-sharing
Barclays, ING Group, Citibank, the European Banking Federation, and the association for ATM Security (EAST). See https://www.europol.europa.eu/category/news-category/agreements?page=1 and https://www.european-atm-security.eu/tag/ec3/ and http://www.finextra.com/news/fullstory.aspx?newsitemid=27536
See on the joint EUROPOL INTERPOL MoU http://www.threatmetrix.com/interpol-has-new-nerve-centerand-more-muscle/
http://www.2uzhan.com/police-security-firms-team-up-and-take-down-shylock-malware/ This particular action even seems to have involved the British signals intelligence service GCHQ
Austria, France, Germany, Italy, Spain, the Netherlands and the UK
EU DOC 6785/16, p. 35
Cite this article
Bossong, R., Wagner, B. A typology of cybersecurity and public-private partnerships in the context of the EU. Crime Law Soc Change 67, 265–288 (2017). https://doi.org/10.1007/s10611-016-9653-3