Blurring Public and Private: Cybersecurity in the Age of Regulatory Capitalism

Security Privatization

Abstract

The protection of cyberspace has become one of the highest security priorities of governments worldwide. The EU is not an exception in this context, given its rapidly developing cyber security policy. Since the 1990s, we could observe the creation of three broad areas of policy interest: cyber-crime, critical information infrastructures and cyber-defence. One of the main trends transversal to these areas is the importance that the private sector has come to assume within them. In critical information infrastructure protection, the private sector is perceived as a key stakeholder, given that it currently operates most infrastructures in this area. Because of this operative capacity, the private sector has come to be understood as the expert in network and information systems security, whose knowledge is crucial for the regulation of the field. Adopting a Regulatory Capitalism framework, complemented by insights from Network Governance, we can identify the shifting role of the private sector in this field from one of a victim in need of protection in the first phase, to a commercial actor bearing responsibility for ensuring network resilience in the second, to an active policy shaper in the third, participating in the regulation of NIS by providing technical expertise. By drawing insights from the above-mentioned frameworks, we can better understand how private actors are involved in shaping regulatory responses, as well as why they have been incorporated into these regulatory networks.

The authors of this chapter would like to sincerely thank Oldrich Bures, as well as all the participants in the BISA 2015 workshop on ‘Security Privatization beyond PMSCs’, for their useful comments, advice and support.

Notes

  1. We use process tracing here in an interpretive sense; not as a means of identifying causal mechanisms that explain outcomes (Bennett and Checkel 2014; George and Bennett 2005), but as a means of tracing the development of key ideas and themes by analysing the meanings that actors ascribe to their actions and policies (Hall 2013: 24). In the way that Schimmelfennig has used process tracing methods to analyse the way that the conceptualisation and internalisation of liberal democracy impacted upon the way in which enlargement decisions were taken by the former communist Member States (Schimmelfennig 2003), this chapter seeks to understand how conceptualisations of how best to regulate and internalised understandings of the expertise held by private sector actors then influence NIS-focused regulatory decisions taken by the Commission.

  2. The basis for this obligation can be found in the Communication on Electronic Communications Regulation (2007a), in which the Commission states that NIS is gaining in importance, and greater efforts to counter security threats were needed “given the significant social and economic impact of illicit activities in this area” (2007a: 18). In order to achieve the goal of improving the resilience of computer systems, the Commission concluded that “close cooperation between enforcement authorities, network operators and ISPs at national level is also needed” (European Commission n.d.: 71), which would be tackled through amendment of the existing telecommunications regulations. The original Directive 2002/21/EC made no mention of network or information security, and neither did the Commission Communication upon which the Directive was based (2000). The decision by the Commission to impose such obligations upon ISPs appears instead to have its origins in the above-stated 2006 Communication, as mentioned explicitly in the Proposal for the Telecoms Package, which states that the NIS-related amendments to Directive 2002/21/EC are “designed to strengthen the resilience of current electronic communications networks and systems” (2007b: 3).

References

  • Bennett, A., & Checkel, J. T. (2014). Process tracing: From philosophical roots to best practices. In A. Bennett & J. T. Checkel (Eds.), Process tracing: From metaphor to analytic tool (pp. 3–37). Cambridge: Cambridge University Press.

  • Bevir, M., & Rhodes, R. A. (2003). Interpreting British Governance. London: Routledge.

  • Börzel, T. A. (1998). Organizing Babylon – On the different conceptions of policy networks. Public Administration, 76(2), 253–273.

  • Bourdieu, P. (1998). The essence of neoliberalism. Le Monde diplomatique.

  • Braithwaite, J. B. (2005). Neoliberalism or regulatory capitalism. Accessed February 22, 2016, from http://papers.ssrn.com/abstract=875789

  • Braithwaite, J. (2008). Regulatory capitalism: How it works, ideas for making it work better. Cheltenham: Edward Elgar.

  • Cahill, D. (2015). The end of Laissez-Faire?: On the durability of embedded neoliberalism. Cheltenham: Edward Elgar.

  • Calliess, G.-P., & Zumbansen, P. C. (2010). Rough consensus and running code: A theory of transnational private law. Oxford: Hart Publishing.

  • Castells, M. (1996). The rise of the network society: Economy, society, and culture. Oxford: Blackwell.

  • Chomsky, N. (1998). Profits over people: Neoliberalism and the global order. New York: Seven Stories Press, U.S.

  • Clough, J. (2012). The council of Europe convention on cybercrime: Defining ‘crime’ in a digital world. Criminal Law Forum, 23(4), 363–391.

  • Cohen, E. (2011). Assessing the impact of the global financial crisis on transnational financial law and regulation. Finnish Yearbook of International Law, 22, 51–84.

  • Coudert, F., & Werkers, E. (2010). In the aftermath of the promusicae case: How to strike the balance? International Journal of Law and Information Technology, 18(1), 50–71.

  • Council of Europe. (2001). Convention on cybercrime, CETS No.185, Budapest 23 November 2001.

  • Council of the European Union. (2009). Council resolution of 18 December 2009 on a collaborative European approach to Network and Information Security, Brussels.

  • Council of the European Union. (2016). Proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union – Political agreement.

  • Culpepper, P. D. (2011). Quiet politics and business power: Corporate control in Europe and Japan. Cambridge: Cambridge University Press.

  • Dehousse, R. (1997). Regulation by networks in the European community: The role of European agencies. Journal of European Public Policy, 4(2), 246–261.

  • ENISA. (2012). Shortlisting network and information security standards and good practices. Heraklion, Crete.

  • ENISA. (2013). 1st Meeting of ENISA’s electronic communications reference group in Rome. Accessed June 11, 2015, from http://www.enisa.europa.eu/media/news-items/1st-meeting-of-enisa2019s-electronic-communications-reference-group-in-rome

  • ENISA. (2014). Technical guideline on security measures for Article 4 and Article 13a. Heraklion, Crete.

  • ENISA. (2015a). Information sharing in focus at ENISA’s 3rd Electronic Communications Reference Group Meeting. Accessed June 11, 2015, from http://www.enisa.europa.eu/media/news-items/information-sharing-in-focus-at-enisa2019s-3rd-electronic-communications-reference-group-meeting

  • ENISA. (2015b). Work Programme 2016.

  • European Commission. (1990). Protection of individuals in relation to the processing of personal data in the Community and information security.

  • European Commission. (1995). Green Paper: Copyright and related rights in the information society. Brussels: European Commission.

  • European Commission. (2000). Proposal for a directive of the European Parliament and of the Council on a common regulatory framework for electronic communications networks and services. Brussels.

  • European Commission. (2001). Network and information security: Proposal for a European policy approach. Brussels.

  • European Commission. (2006). A strategy for a secure information society: “Dialogue, partnership and empowerment,” Brussels.

  • European Commission. (2007a). European electronic communications regulation and markets (12th Report). Brussels.

  • European Commission. (2007b). Proposal for a directive amending Directives 2002/21/EC on a common regulatory framework for electronic communications networks and services, 2002/19/EC on access to, and interconnection of, electronic communications networks and services, and 2002/20/EC on the authorisation of electronic communications networks and services. Brussels.

  • European Commission. (2009). Critical information infrastructure protection: “Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience.”

  • European Commission. (2010a). A digital agenda for Europe, Brussels.

  • European Commission. (2010b). Europe 2020: A strategy for smart, sustainable and inclusive growth. Brussels.

  • European Commission. (2013a). Action 28: Reinforced network and information security policy. Digital Agenda for Europe. Accessed June 12, 2015, from ec.europa.eu/digital-agenda/en/pillar-iii-trust-security/action-28-reinforced-network-and-information-security-policy

  • European Commission. (2013b). Commission staff working document: Impact assessment accompanying the document: Proposal for a Directive of the European Parliament and of the Council Concerning measures to ensure a high level of network and information security across the Union, Brussels.

  • European Commission. (2013c). Proposed Directive on Network and Information Security – frequently asked questions. Brussels. Accessed June 12, 2015, from http://europa.eu/rapid/press-release_MEMO-13-71_en.htm

  • European Commission. (2015). EU Cybersecurity Strategy – 2nd High Level Conference. Digital Agenda for Europe. Accessed June 12, 2015, from ec.europa.eu/digital-agenda/en/news/eu-cybersecurity-strategy-2nd-high-level-conference

  • European Commission. (2017a). Commission launches a public consultation for the review of the European Union Agency for Network and Information Security (ENISA). Digital Single Market. Accessed April 8, 2017, from https://ec.europa.eu/digital-single-market/en/news/commission-launches-public-consultation-review-european-union-agency-network-and-information

  • European Commission. (2017b). Questionnaire on the evaluation and review of the European Union Agency for Network and Information Security. EUSurvey. Accessed April 8, 2017, from https://ec.europa.eu/eusurvey/runner/ENISA_review

  • European Commission. Commission staff working document annex to the European electronic communications regulation and markets (12th Report), Brussels.

  • European Commission & High Representative of the European Union for Foreign Affairs and Security Policy. (2013). Cybersecurity strategy of the European Union: An open, safe and secure cyberspace. Brussels.

  • European Parliament. (2015). MEPs close deal with Council on first ever EU rules on cybersecurity. European Parliament News. Accessed February 22, 2016, from http://www.europarl.europa.eu/news/en/news-room/20151207IPR06449/MEPs-close-deal-with-Council-on-first-ever-EU-rules-on-cybersecurity

  • Eurostat. (2013). Enterprises with fixed broadband access. Brussels.

  • Eurostat. (2014). Percentage of households who have internet access at home. Brussels.

  • Farrand, B. (2014). The digital agenda for Europe, the economy and its impact upon the development of EU copyright policy. In I. A. Stamatoudi & P. Torremans (Eds.), Copyright Law in the European Union. Cheltenham: Edward Elgar.

  • Farrand, B. (2016). The future of copyright enforcement online: Intermediaries caught between formal and informal governance in the EU. In I. A. Stamatoudi (Ed.), New Developments in EU and International Copyright Law. Alphen aan den Rijn: Kluwer Law International.

  • Farrand, B., & Carrapico, H. (2013). Networked governance and the regulation of expression on the internet: The blurring of the role of public and private actors as content regulators. Journal of Information Technology & Politics, 10(4), 357–368.

  • Farrell, S. (2016). TalkTalk counts costs of cyber-attack. The Guardian. Accessed February 29, 2016, from http://www.theguardian.com/business/2016/feb/02/talktalk-cyberattack-costs-customers-leave

  • Fourcade-Gourinchas, M., & Babb, S. L. (2002). The rebirth of the liberal creed: Paths to neoliberalism in four countries. American Journal of Sociology, 108(3), 533–579.

  • George, A. L., & Bennett, A. (2005). Case studies and theory development in the social sciences. Cambridge, MA: MIT Press.

  • Gibbs, S. (2015). TalkTalk criticised for poor security and handling of hack attack. The Guardian. Accessed February 29, 2016, from http://www.theguardian.com/technology/2015/oct/23/talktalk-criticised-for-poor-security-and-handling-of-hack-attack

  • Gilardi, F. (2008). Delegation in the regulatory state: Independent regulatory agencies in Western Europe. Cheltenham, UK; Northampton, MA: Edward Elgar.

  • Haas, E. B. (1968). The Uniting of Europe: Political, social and economic forces, 1950–57, 2nd Revised ed. Stanford University Press.

  • Hall, P. A. (2013). Tracing the progress of process tracing. European Political Science, 12(1), 20–30.

  • Harvey, D. (2007). A brief history of neoliberalism, New ed. Oxford; New York: OUP Oxford.

  • Horten, M. (2011). The copyright enforcement enigma: Internet politics and the “Telecoms Package.” New York: Palgrave Macmillan.

  • JISC. (2015). DDoS attack disrupting Janet network. JISC News. Accessed February 29, 2016, from https://www.jisc.ac.uk/news/ddos-attack-disrupting-janet-network-08-dec-2015

  • Jordana, J., & Levi-Faur, D. (2004). The politics of regulation in the age of governance. In J. Jordana & D. Levi-Faur (Eds.), The politics of regulation: Institutions and regulatory reforms for the age of governance. Cheltenham: Edward Elgar.

  • Knowles, W., et al. (2015). A survey of cyber security management in industrial control systems. International Journal of Critical Infrastructure Protection, 9, 52–80.

  • Lægreid, P., & Verhoest, K. (2010). Introduction: Reforming public sector organizations. In P. Lægreid & K. Verhoest (Eds.), Governance of public sector organization: Proliferation, autonomy and performance. Hampshire: AIAA.

  • Lazer, D. (2005). Regulatory capitalism as a networked order: The international system as an informational network. The Annals of the American Academy of Political and Social Science, 598(1), 52–66.

  • Levi-Faur, D. (2005). The rise of regulatory capitalism: The global diffusion of a new order. The Annals of the American Academy of Political and Social Science, 598(1), 12–32.

  • Levi-Faur, D., & Jordana, J. (2005). Globalizing regulatory capitalism. The Annals of the American Academy of Political and Social Science, 598(1), 6–9.

  • Majone, G. (Ed.). (1996). Regulating Europe. London: Routledge.

  • Moe, T. M. (1990). Political institutions: The neglected side of the story. Journal of Law, Economics, & Organization, 6, 213–253.

  • Picciotto, S. (2006). Regulatory networks and global governance. Institute of Advanced Legal Studies: University of London.

  • Ponte, S., Gibbon, P., & Vestergaard, J. (Eds.). (2011). Governing through standards: Origins, drivers and limitations, 2011 ed. Houndmills, Basingstoke, Hampshire; New York: AIAA.

  • Porcedda, M. G. (2011). Transatlantic approaches to cybersecurity and cybercrime. In P. Pawlak (Ed.), The EU-US security and justice agenda in action. Chaillot Papers.

  • Reestman, J.-H., & Eijsbouts, W. T. (2009). Internet policy and the European political and legal orders. European Constitutional Law Review, 5(2), 169–172.

  • Risse, T., & Börzel, T. A. (2005). Public-private partnerships: Effective and legitimate tools of international governance. In E. Grande & L. W. Pauly (Eds.), Complex sovereignty: Reconstituting political authority in the twenty-first century. Toronto: University of Toronto Press.

  • Rittberger, B., & Wonka, A. (Eds.). (2012). Agency governance in the EU. Routledge.

  • Schimmelfennig, F. (2003). The EU, NATO and the Integration of Europe: Rules and Rhetoric. Cambridge; New York: Cambridge University Press.

  • Vogel, S. K. (1996). Freer markets, more rules: Regulatory reform in advanced industrial countries. Ithaca: Cornell University Press.

Author information

Corresponding author

Correspondence to Benjamin Farrand.

Copyright information

© 2018 Springer International Publishing AG

About this chapter

Cite this chapter

Farrand, B., Carrapico, H. (2018). Blurring Public and Private: Cybersecurity in the Age of Regulatory Capitalism. In: Bures, O., Carrapico, H. (eds) Security Privatization. Springer, Cham. https://doi.org/10.1007/978-3-319-63010-6_9
